by justonepost 3199 days ago
I don't think "NIST" approved is that compelling of an argument.

If the author wishes to identify known vulnerabilities, that would be interesting.

FIPS has various issues that actually increase vulnerability rather than decrease it. E.g., FIPS-approved OpenSSL was always an anchor that caused more problems than it solved.


The OP seems to misunderstand the function of NIST, as well. NIST does not "approve" other agencies' software systems. NIST is a standards-setting organization only. They create and publish standards, but do not enforce them.

The OP is referring to the OP-linked 18F writeup (you might want to read it), which says "Based on consultation with NIST we follow these steps..."

If there's a legal requirement (FISMA is pointed to as a requirement), that would be rather compelling, no?

A design that technically violates a law, but is not actually dangerous (suppose the law constrains designs in a way that requires them to be less effective or safe), is not necessarily a poor design, unless "complies with law" is a higher-priority design objective than "functions safely as intended".

"Complies with law" absolutely does seem like a requirement for a government service.

Not to be too flippant, but "complies with law" sort of seems like a requirement for non-government services too. But I may be reading this too broadly?