  1. Documentation
  2. DOCS-15079

Document the security non-implications of md5 usage in SCRAM-SHA-1

      We often get tickets like SECURITY-769 or CSHARP-3729 (and similar tickets in other driver projects) where a user complains that their security scanner told them we use md5 and therefore our software has a security vulnerability, or that they tried to use SCRAM-SHA-1 in a FIPS 140-2 environment and failed because FIPS enforcement breaks md5 methods. The following docs pages must be updated to mention the usage of md5 in SCRAM-SHA-1, that md5 is necessary but not used in a cryptographic context, and that FIPS users should use SCRAM-SHA-256, Kerberos, LDAP, x509, etc. in place of SCRAM-SHA-1.

      https://docs.mongodb.com/upcoming/core/security-scram/
      https://docs.mongodb.com/manual/tutorial/configure-fips/
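
An added illustration, not part of the original ticket or MongoDB's own code: where md5 sits in MongoDB's SCRAM-SHA-1 (a hex pre-digest of `username:mongo:password` that is then fed to PBKDF2-HMAC-SHA-1 as the SCRAM password) beside the SCRAM-SHA-256 derivation, which has no md5 step. The function names, salt, iteration counts and credentials are constructed for the example, and SASLprep is omitted, so the SHA-256 path assumes ASCII passwords.

```python
import hashlib
import hmac

def mongo_password_digest(username: str, password: str) -> str:
    """Hex md5 of '<user>:mongo:<password>', used as the SCRAM-SHA-1 password."""
    data = f"{username}:mongo:{password}".encode("utf-8")
    try:
        # Python 3.9+: mark the call as non-security use; some FIPS builds allow it.
        return hashlib.md5(data, usedforsecurity=False).hexdigest()
    except TypeError:
        # Older Python without the keyword; raises ValueError where md5 is blocked.
        return hashlib.md5(data).hexdigest()

def stored_key(hash_name: str, scram_password: bytes, salt: bytes, iterations: int) -> bytes:
    """RFC 5802: StoredKey = H(HMAC(PBKDF2(password, salt, i), 'Client Key'))."""
    salted = hashlib.pbkdf2_hmac(hash_name, scram_password, salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hash_name).digest()
    return hashlib.new(hash_name, client_key).digest()

def scram_sha1_stored_key(username: str, password: str, salt: bytes, iterations: int) -> bytes:
    # md5 only reshapes the input; the key strength comes from PBKDF2 and HMAC-SHA-1.
    digest = mongo_password_digest(username, password)
    return stored_key("sha1", digest.encode("ascii"), salt, iterations)

def scram_sha256_stored_key(password: str, salt: bytes, iterations: int) -> bytes:
    # No md5 anywhere in this path, so it keeps working when md5 is disabled.
    return stored_key("sha256", password.encode("utf-8"), salt, iterations)

def md5_blocked() -> bool:
    """True when the default md5 constructor is refused, as under FIPS enforcement."""
    try:
        hashlib.md5(b"")
        return False
    except ValueError:
        return True

if __name__ == "__main__":
    salt = bytes(range(16))  # constructed sample salt
    print("md5 blocked by this build:", md5_blocked())
    print("SCRAM-SHA-256 stored key:", scram_sha256_stored_key("pencil", salt, 15000).hex())
    if not md5_blocked():
        print("md5 pre-digest:", mongo_password_digest("user", "pencil"))
        print("SCRAM-SHA-1 stored key:", scram_sha1_stored_key("user", "pencil", salt, 10000).hex())
```
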

            Assignee:
            jason.price@mongodb.com Jason Price
            Reporter:
            bernie@mongodb.com Bernie Hackett
            Votes:
            0
            Watchers:
            3

              Created:
              Updated:
              Resolved:
              2 years, 9 weeks, 3 days ago