People often ask us if CompleteFTP is FIPS-140 certified.
The answer is no, but from version 6.3.0, CompleteFTP will run correctly when "Use FIPS compliant algorithms for encryption, hashing, and signing" is enabled on the Windows machine it is installed on. Applications are permitted to disable FIPS compliance, and CompleteFTP does this so that it can still be run.
According to Karl Levinson, there are good reasons not to pursue FIPS-140 compliance.
Firstly, the cost.
FIPS certification is probably expensive and time-consuming for the vendor, so that the products that get it would tend to be older products from larger, more monolithic companies, which may not necessarily guarantee you're getting superlative security.
Secondly, FIPS-140 certification can actually result in a lower level of security:
With MS Windows, for example, you probably don't want to enable "FIPS-compliant encryption mode," because an older, weaker encryption algorithm will be used for EFS disk encryption, rather than newer, stronger but uncertified protocols.
- Hans Andersen (EnterpriseDT)