Remember when HN was losing its collective mind over Dual_EC_DRBG? That was delivered to customers with a FIPS validated software stack.

Both of these things can be true at the same time:

- "Don't use unproven cryptography" is a reasonable policy.

- Policymaking can be subverted by bad actors.

Yes, but neither of those things have anything to do with FIPS 140-3.

FIPS validation address the compliance problem of needing validation. Beyond that, the benefits are ambiguous at best.

Good thing FIPS 140 does virtually nothing to prevent cryptographic vulnerabilities, then.