[thayne]

I wouldn't say nothing. It is intended to ensure some level of security. And in some ways it can lead to decreased security if you comply with it (for example, if a vulnerability is found in your crypto library, you have to wait for the fix to be "validated" before you can patch it).

But yeah, complying with FIPS doesn't necessarily mean you are secure, and it is definitely possible to be secure without being FIPS compliant.

[tptacek]

FIPS-140 doesn't even speak to most cryptographic vulnerabilities; it could prevent you from using, like, the PKZip cipher rather than AES, but not (really) from having code that could be induced into reusing a GCM nonce.

It is of no security value.

[tguvot]

fedramp as of last year allows to use not fips validated version in order to patch security vulnerabilities