by __s 496 days ago
I had to deal with FIPS compliance while at MS for FedRAMP compliance. It's not a technical problem, but a compliance problem.

If you don't need FIPS for compliance, you're better off investing in much more useful things for security (more effective linting, test coverage, keeping dependencies up to date, etc.).

Is the juice worth the squeeze for FIPS compliance? It sounds absolutely miserable.
Uncle Sam wouldn’t even consider purchasing your product if it doesn’t tick some boxes. Now there are ways to get exceptions if you go high enough up the chain.

But it is a miserable exercise all in all. As you’re implementing it, you think “this is making things worse, less robust or secure, but oh well, that’s the only way it will sell”.

Depends on what you mean by juice. Is it worth the money? Yes.