It is a total joke.
FIPS 140-2 ensures your algorithm is part of a standard set - big deal. It does no investigation at all as to how you use that algorithm or why you use it. If you are using AES with a FIPS-certified library, you get the checkbox. Nevermind the fact that the private key you are using is sitting in plain text on the disk.
Its the same as all federal standards - FedRAMP, FIPS, FISMA, ISO 27K. They all do *SOME* things, but none of these standards, or any intersection of them, actually do anything with regards to real secure engineering. Note, I am not even sure it would be close to practical to do this. I am just raising awareness that saying that an application is "FIPS certified" is next to useless.
Source: I have dealt with getting applications certified in all of these umbrellas, and more. It is an extremely time consuming and expensive process for all involved to get certified - but in the end does very little in terms of real application security. But it sure makes the auditors a lot of money!