Many government agencies are required by law to enable FIPS mode on their servers. However, it is not currently possible to run Episerver with FIPS mode enabled.
Episerver Support has identified two bugs where MD5 encryption is being used, and fixing these may address the FIPS concern, but because FIPS is not officially supported, no testing is being performed to ensure its requirements are met.
This is not a good experience for government agencies that find out after purchasing Episerver that they can't use it, which is the situation in which we unfortunately found ourselves.
It doesn't help that the Episerver Compliance page includes a link to Microsoft's FIPS validation compliance, leading users to believe that Episerver is compliant as well.
This feature request was addressed in https://nuget.episerver.com/package/?id=EPiServer.CMS.UI.Core&v=11.9.1
CMS is now FIPS compliant.