tags:

views:

79

answers:

2

Is it as simple as using FIPS 140 compliant crypto providers or is there more to it? Are there differences if it is a web app vs a windows app? What if it is a distributed app? Are there any special considerations for IIS, WCF, ASP.Net, Silverlight, AJAX, etc?

Thanks

A: 

It's a government standard for cryptographically secure systems. It defines the practices, policies, tests, and in some cases hardware that a system must comply with to be considered compliant. You can read more about it at http://en.wikipedia.org/wiki/FIPS_140.

http://csrc.nist.gov/publications/PubsFIPS.html is a good resource for the general FIPS specs and requirements.

LBushkin
+2  A: 

FIPS is a series of standards followed by the U.S. government regarding information security. There are policies, practices etc. In order to qualify to be compliant you have to make sure that you only use certain algorithms, the hardware and software you use must be deemed compliant etc.

Is it as simple as using FIPS 140 compliant crypto providers or is there more to it?

It depends on each specific scenario, but yes, it can be. For example, if certain routers you use are 140-2 compliant, then your application behind them can get an exemption from going through parts of the process, because the hardware you use accomplishes the same task the certification requires. For example, we use the F5 Big IP to handle a lot of our SSL etc., because they have gone through the certification process. Our other systems may be able to do the same thing, but it means we don't have to go through the approval process, which is long and painful.

http://en.wikipedia.org/wiki/FIPS_140

I think these are the links which talk about accreditation:

http://csrc.nist.gov/groups/STM/index.html

http://csrc.nist.gov/groups/STM/cmvp/index.html

Kevin
Is there an approval/certification process that you have to go through? Is there a governing organization that says you are 140 compliant or something like that?
Matthew
There is. Lemme see if I can find a link that talks about it.
Kevin
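To make the "FIPS 140 compliant crypto providers" part of the question concrete for a .NET application, the following is an added example (not code from either answerer). It assumes a .NET Framework 3.5 or later application running on Windows; the class name `FipsCheck` and the method `CreateSha256` are my own. When the Windows security policy "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" is enabled, .NET exposes it as `CryptoConfig.AllowOnlyFipsAlgorithms` and refuses to construct the purely managed algorithm classes such as `SHA256Managed`, while the CSP- and CNG-backed classes (which wrap the validated Windows cryptographic modules) keep working.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not from the original post: shows how the Windows FIPS
// policy affects algorithm selection in a .NET Framework application.
static class FipsCheck
{
    // Returns a SHA-256 implementation that is usable whether or not the
    // FIPS policy is enforced. SHA256CryptoServiceProvider wraps the Windows
    // CAPI provider (SHA256Cng would wrap the CNG provider); both are backed
    // by the operating system's validated cryptographic modules rather than
    // by managed code.
    public static HashAlgorithm CreateSha256()
    {
        return new SHA256CryptoServiceProvider();
    }

    // Reports whether the managed implementation is allowed under the
    // current policy: true when it can be constructed, false when the
    // FIPS policy blocks it.
    public static bool ManagedSha256Allowed()
    {
        try
        {
            using (new SHA256Managed()) { return true; }
        }
        catch (InvalidOperationException)
        {
            // Thrown by .NET when AllowOnlyFipsAlgorithms is true.
            return false;
        }
    }

    static void Main()
    {
        Console.WriteLine("FIPS policy enforced:    " + CryptoConfig.AllowOnlyFipsAlgorithms);
        Console.WriteLine("SHA256Managed allowed:   " + ManagedSha256Allowed());

        // Constructed sample input, not data from the post.
        byte[] input = Encoding.UTF8.GetBytes("constructed sample input");

        using (HashAlgorithm sha256 = CreateSha256())
        {
            byte[] digest = sha256.ComputeHash(input);
            Console.WriteLine("Provider-backed SHA-256: " + BitConverter.ToString(digest).Replace("-", ""));
        }
    }
}
```

Two points the example illustrates. First, an application that hard-codes the `*Managed` classes breaks the moment a customer turns the policy on, so code that must run on FIPS-configured hosts should use the `*CryptoServiceProvider` or `*Cng` classes. Second, the flag only restricts which implementations .NET will hand out; it does not make the application itself validated, which is exactly the approval process Kevin describes as long and painful.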