diff --git a/CHANGES.md b/CHANGES.md
index d946ab127..3075de8d8 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -6,6 +6,7 @@ Changelog
 - add script to parse worker logs for @@content-creator endpoint errors
 - add X-CASTLEMTA-PRIORITY header to 2fa emails
+- update md5 usage for FIPS compliance
 3.1.0b7 (2025-06-09)
diff --git a/castle/cms/_scripts/templates/watch-run.py b/castle/cms/_scripts/templates/watch-run.py
index 457c9f6f3..fa6d602e9 100644
--- a/castle/cms/_scripts/templates/watch-run.py
+++ b/castle/cms/_scripts/templates/watch-run.py
@@ -1,7 +1,7 @@
 import os
 import argparse
 import time
-import hashlib
+from castle.cms.utils import md5_fips # noqa: E402
 parser = argparse.ArgumentParser(description='')
 parser.add_argument('--command', dest='command')
@@ -13,7 +13,7 @@
 def md5(fname):
- hash_md5 = hashlib.md5()
+ hash_md5 = md5_fips()
 with open(fname, "rb") as f:
 for chunk in iter(lambda: f.read(4096), b""):
 hash_md5.update(chunk)
diff --git a/castle/cms/archival.py b/castle/cms/archival.py
index 48217b722..9a29269a9 100644
--- a/castle/cms/archival.py
+++ b/castle/cms/archival.py
@@ -7,7 +7,7 @@
 from castle.cms import theming # noqa: E402
 from castle.cms.files import aws # noqa: E402
 from castle.cms.interfaces import IArchiveContentTransformer, IArchiveManager # noqa: E402
-from castle.cms.utils import normalize_url # noqa: E402
+from castle.cms.utils import normalize_url, md5_fips # noqa: E402
 from DateTime import DateTime # noqa: E402
 from lxml.html import fromstring # noqa: E402
 from lxml.html import tostring # noqa: E402
@@ -440,7 +440,7 @@ def move_resource(self, url, keep_ext=False, use_vhm=True):
 fidata = fidata.replace(sub_url, new_url)
 # upload to amazon and get url!
- md5 = hashlib.md5(fidata).hexdigest()
+ md5 = md5_fips().hexdigest()
 content_path = '{0}{1}/{2}/{3}/{4}'.format(
 RESOURCES_KEY_PREFIX, md5[0], md5[1], md5[2], md5
diff --git a/castle/cms/utils/__init__.py b/castle/cms/utils/__init__.py
index eab7c601b..6896c5512 100644
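Review bot: The `# noqa: E402` on the added `from castle.cms.utils import md5_fips` line in watch-run.py is unnecessary — the import sits at the top of the module next to `import os`, `import argparse` and `import time`, so E402 cannot fire there, and the suppression looks copied from archival.py's import block. The more consequential part is that a script template which previously needed only the standard library now imports the castle.cms.utils package; if this template is ever executed outside the instance's environment, the import fails at startup where `import hashlib` never did. If the script only runs on Python 3.9 or later, keeping `import hashlib` and writing `hash_md5 = hashlib.md5(usedforsecurity=False)` in the second hunk of this file gives the same FIPS behaviour with no project dependency. The `md5()` function in the second hunk continues past the hunk's last line.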
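Review bot: `md5 = md5_fips().hexdigest()` in the `@@ -440` hunk of archival.py drops the `fidata` argument that `hashlib.md5(fidata)` used to receive, so the digest is now always the MD5 of empty input and every resource computes the same `content_path`; each upload would then overwrite the previous object under that key and the archive would serve one resource's bytes for every URL. The line should be `md5 = md5_fips(fidata).hexdigest()`, which reproduces the per-content key exactly as before (the helper's `if data:` guard means genuinely empty content still hashes to the same value as `hashlib.md5(b'')`). `move_resource` starts and ends outside the hunk. Note also that the `@@ -7` hunk in this file adds `md5_fips` to the imports but does not remove `import hashlib`; whether it is still used elsewhere in the module is not visible here.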
--- a/castle/cms/utils/__init__.py
+++ b/castle/cms/utils/__init__.py
@@ -25,6 +25,7 @@
 from .misc import get_random_string # noqa: F401
 from .misc import json_dumps # noqa: F401
 from .misc import make_random_key # noqa: F401
+from .misc import md5_fips # noqa: F401
 from .misc import normalize_url # noqa: F401
 from .misc import retriable # noqa: F401
 from .misc import strings_differ # noqa: F401
diff --git a/castle/cms/utils/misc.py b/castle/cms/utils/misc.py
index 5dc80bb7f..837bdc302 100644
--- a/castle/cms/utils/misc.py
+++ b/castle/cms/utils/misc.py
@@ -140,3 +140,16 @@ def _customhandler(obj):
 def json_dumps(data):
 return json.dumps(data, default=_customhandler)
+
+
+def md5_fips(data=b''):
+ """FIPS-compatible MD5 constructor for non-security purposes."""
+ try:
+ md5_hash = hashlib.new('md5', usedforsecurity=False)
+ except TypeError:
+ # in case FIPS is not supported
+ md5_hash = hashlib.md5()
+
+ if data:
+ md5_hash.update(data)
+ return md5_hash
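Review bot: The one-line docstring on `md5_fips` in misc.py overstates what the function guarantees: `usedforsecurity=False` exists only on Python 3.9+, so the `except TypeError` branch runs on older interpreters, and there the plain `hashlib.md5()` fallback will still raise `ValueError` under a FIPS-enforcing OpenSSL — the helper tolerates FIPS mode only where the keyword is supported. The comment `# in case FIPS is not supported` describes the wrong condition and should read `# Python < 3.9: no usedforsecurity kwarg; hashlib.md5() still fails under enforced FIPS`. I would expand the docstring to state that `data` must be bytes (it goes straight to `update()`), that omitting it returns an un-updated hash object the caller feeds incrementally (as watch-run.py's `md5()` does), and that the digest is for content addressing and change detection only, never for integrity or authentication. The hunk also relies on `hashlib` already being imported at the top of misc.py, which is outside the hunk.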