FIPS is a double-edged sword in my experience. On one hand it does set a standard to keep total snake oil crypto out of government. On the other hand it often has the side effect of mandating worse and older crypto and slowing update cycles when there's a bug. When SSL bugs are discovered vulnerable SSL libraries tend to sit around for a lot longer on FIPS-controlled hosts because they have to wait for a FIPS-validated update.

FIPS also ,at least a decade ago, ruled out things like PFS because actually the federal goverent wanted to be able to audit past traffic.

Fair enough, the ones I was involved with implementing/complying with (FIPS 140-2) ruled out things like DH(E) key exchange.

We had to comply with that standard to sell to the federal government at the time.

Things may well have changed.

ECDHE is standard for FIPS these days.

This comment doesn't really say anything, does it? The point Geoff made stands.

No?

My point was that you are not actively blocked or "discouraged" from making your own crypto implementation and submitting it for FIPS validation.

Of course, that will be more expensive and time consuming than simply reusing a previously validated crypto module. So, you could perhaps call that "encouragement".... but the idea of FIPS is to provide some level of assurance to the consumer of said solutions.

But there are cases where you desire to control your own crypto.