The application must utilize FIPS-validated cryptographic modules when generating cryptographic hashes.

Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The application must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. If the application resides on a National Security System (NSS) it must not use a hashing algorithm weaker than SHA-384.