FBCA cross-signing for Directed Exchange: what IAM teams need to know


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8688
Topic starter  

TL;DR: Federal agencies required FBCA cross-certified certificates for non-federal organizations exchanging EHRs through Directed Exchange, and DigiCert said three out of four accredited HISPs already had full access through its partnership. The policy shows how interoperability now depends on certificate lifecycle governance, not just transport security, especially where identity assurance must span healthcare boundaries.

NHIMG editorial — based on content published by DigiCert: FBCA Cross-Signing Authority Now Required for Directed Exchange

Questions worth separating out

Q: How should organisations govern certificates used for cross-domain healthcare exchange?

A: They should treat certificates as governed identities, not just technical credentials.

Q: Why do cross-certified certificates matter in federated environments?

A: They matter because federated exchange depends on a trust chain that both sides accept.

Q: What breaks when certificate lifecycle management is weak?

A: Expiry, renewal delays, and missed revocation events can interrupt service, create trust drift, or leave obsolete credentials in place.

Practitioner guidance

  • Map every exchange partner to a certificate owner: record who owns issuance, renewal, revocation, and escalation for each HISP or federated partner.
  • Verify trust-chain acceptance before production exchange: test whether the relying party accepts the full FBCA cross-certified path, not just the local certificate.
  • Monitor certificate expiry as an availability risk: treat certificate expiry as a service continuity issue and alert well before renewal windows close.

What's in the full article

DigiCert's full blog covers the operational detail this post intentionally leaves for the source:

  • The certificate trust model behind FBCA cross-signing and how it affects Directed Exchange eligibility
  • The DirectTrust accreditation path for HISPs, CAs, and registration authorities
  • How DigiCert's Direct Cert Portal supports lifecycle management for Direct accounts
  • The interoperability conditions for organisations exchanging EHRs with federal agencies

👉 Read DigiCert's analysis of FBCA cross-signing for Directed Exchange →
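The two checks in the practitioner guidance above (full cross-certified path acceptance, and expiry as an availability risk) worked through as a throwaway OpenSSL lab. This is an added example, not DigiCert's or the forum's code: "Bridge Root" stands in for the FBCA anchor a federal relying party trusts, "Local CA" for a HISP's issuing CA and "hisp.example" for an endpoint; all names are constructed placeholders and openssl on PATH is assumed.

```shell
#!/bin/sh
# Added demo, not DigiCert's or the thread's code. "Bridge Root" stands in for
# the FBCA anchor a federal relying party trusts, "Local CA" for a HISP's issuing
# CA, "hisp.example" for an endpoint; all names are constructed placeholders.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext

# issue <csr> <out> <days> [openssl x509 signing args...]
issue() {
  csr=$1; out=$2; days=$3; shift 3
  openssl x509 -req -in "$csr" -out "$out" -days "$days" "$@" 2>/dev/null
}

build_pki() {
  for n in bridge local ee; do openssl genrsa -out "$n.key" 2048 2>/dev/null; done
  openssl req -new -key bridge.key -out bridge.csr -subj "/CN=Bridge Root"
  openssl req -new -key local.key  -out local.csr  -subj "/CN=Local CA"
  openssl req -new -key ee.key     -out ee.csr     -subj "/CN=hisp.example"
  # Self-signed roots: the bridge's, and the local CA's own
  issue bridge.csr bridge.crt     365 -signkey bridge.key -extfile ca.ext
  issue local.csr  local-self.crt 365 -signkey local.key  -extfile ca.ext
  # Cross-certificate: the bridge signs the SAME local CA subject and key, so a
  # bridge-trusting relying party can build a path ee -> Local CA -> Bridge Root
  issue local.csr  local-cross.crt 365 -CA bridge.crt -CAkey bridge.key -CAcreateserial -extfile ca.ext
  # End-entity cert from the local CA, deliberately short-lived (20 days)
  issue ee.csr ee.crt 20 -CA local-self.crt -CAkey local.key -CAcreateserial
}

# Each check exits 0 when that relying party would accept ee.crt.
verify_local_path()  { openssl verify -CAfile local-self.crt ee.crt >/dev/null 2>&1; }
verify_cross_path()  { openssl verify -CAfile bridge.crt -untrusted local-cross.crt ee.crt >/dev/null 2>&1; }
verify_bridge_only() { openssl verify -CAfile bridge.crt ee.crt >/dev/null 2>&1; }
# Exits 0 when ee.crt is still valid $1 days from now; non-zero means "renew now"
still_valid_in_days() { openssl x509 -checkend $(( $1 * 86400 )) -noout -in ee.crt >/dev/null 2>&1; }

main() {
  build_pki
  verify_local_path  && echo "local-only relying party: accepts ee.crt"
  verify_cross_path  && echo "bridge relying party with cross cert presented: accepts ee.crt"
  verify_bridge_only || echo "bridge relying party without the cross cert: REJECTS ee.crt"
  still_valid_in_days 30 || echo "ALERT: ee.crt expires inside the 30-day renewal window"
}
main
```

The third check is the one that bites in production: a partner that trusts only the bridge anchor rejects the endpoint unless the cross-certificate is presented in the chain, even though the local CA path validates fine.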



(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8144
 

FBCA cross-signing is a trust boundary problem, not a certificate feature. The article frames cross-certification as the condition for federal interoperability, which means the real issue is whether the relying party can accept the identity chain end to end. That is a governance question as much as a PKI question. Practitioners should read this as a reminder that external exchange breaks when trust policy and certificate assurance are not aligned.

A few things that frame the scale:

A question worth separating out:

Q: Who is accountable when a federated exchange certificate no longer meets trust requirements?

A: Accountability should sit with the organisation that owns the certificate and the partner relationship, not with the network or application team alone. The certificate is part of the identity boundary, so governance teams, PKI operators, and business owners all need a defined review and escalation path.

👉 Read our full editorial: FBCA cross-signing and what it changes for certificate lifecycle governance