People often ask us if CompleteFTP is FIPS-140 certified.
The answer is no, but from version 6.3.0, CompleteFTP will run correctly when the setting "Use FIPS compliant algorithms for encryption, hashing, and signing" is enabled on the Windows machine it is installed on. Applications are permitted to disable FIPS compliance, and CompleteFTP does this so that it can still be run.
Karl Levinson at SecLists.Org outlines the reasons why we have chosen not to pursue FIPS-140 compliance.
This quote explains the main reason why our products are not FIPS-140 certified:
FIPS certification is probably expensive and time consuming for the vendor, so that the products that get it would tend to be older products from larger, more monolithic companies, which may not necessarily guarantee you're getting superlative security.
And here's an illustration of how FIPS-140 certification can actually result in a lower level of security:
With MS Windows, for example, you probably don't want to enable "FIPS-compliant encryption mode," because an older, weaker encryption algorithm will be used for EFS disk encryption, rather than newer, stronger but uncertified protocols.
- Hans Andersen (EnterpriseDT)