diff --git a/.changelog/39206.txt b/.changelog/39206.txt new file mode 100644 index 00000000000..4e053c25a15 --- /dev/null +++ b/.changelog/39206.txt @@ -0,0 +1,7 @@ +```release-note:enhancement +resource/aws_cloudhsm_v2_cluster: Support `hsm2m.medium` as a valid value for `hsm_type` +``` + +```release-note:enhancement +resource/aws_cloudhsm_v2_cluster: Add `mode` argument +``` \ No newline at end of file diff --git a/internal/service/cloudhsmv2/cloudhsmv2_test.go b/internal/service/cloudhsmv2/cloudhsmv2_test.go index 1a04a6f8fb5..879dd568672 100644 --- a/internal/service/cloudhsmv2/cloudhsmv2_test.go +++ b/internal/service/cloudhsmv2/cloudhsmv2_test.go @@ -17,6 +17,7 @@ func TestAccCloudHSMV2_serial(t *testing.T) { acctest.CtBasic: testAccCluster_basic, acctest.CtDisappears: testAccCluster_disappears, "tags": testAccCluster_tags, + "hsmType": testAccCluster_hsmType, }, "Hsm": { "availabilityZone": testAccHSM_AvailabilityZone, diff --git a/internal/service/cloudhsmv2/cluster.go b/internal/service/cloudhsmv2/cluster.go index e8580dcae67..7f91b74ff53 100644 --- a/internal/service/cloudhsmv2/cluster.go +++ b/internal/service/cloudhsmv2/cluster.go @@ -88,7 +88,14 @@ func resourceCluster() *schema.Resource { Type: schema.TypeString, Required: true, ForceNew: true, - ValidateFunc: validation.StringInSlice([]string{"hsm1.medium"}, false), + ValidateFunc: validation.StringInSlice([]string{"hsm1.medium", "hsm2m.medium"}, false), + }, + names.AttrMode: { + Type: schema.TypeString, + Optional: true, + Computed: true, + ForceNew: true, + ValidateDiagFunc: enum.Validate[types.ClusterMode](), }, "security_group_id": { Type: schema.TypeString, @@ -127,6 +134,10 @@ func resourceClusterCreate(ctx context.Context, d *schema.ResourceData, meta int TagList: getTagsIn(ctx), } + if v, ok := d.GetOk(names.AttrMode); ok && v != "" { + input.Mode = types.ClusterMode(v.(string)) + } + if v, ok := d.GetOk("source_backup_identifier"); ok { input.SourceBackupId = aws.String(v.(string)) } 
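Review bot: The new `mode` attribute in the `resourceCluster` schema is `Optional` and `Computed` with no cross-field check, yet the documentation added in this same commit says it is required when `hsm_type` is `hsm2m.medium`. As written, a configuration that omits it passes plan, and the rule is presumably enforced only by the API at apply time. Because the FIPS / non-FIPS choice is compliance-relevant and the attribute is `ForceNew`, consider a `CustomizeDiff` that rejects `hsm2m.medium` without an explicit `mode`. At minimum, add a comment above the attribute such as `// Required by the API when hsm_type is hsm2m.medium (see resource docs); not enforced at plan time.` `resourceCluster` starts and ends outside the hunk.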
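Review bot: The `v != ""` test in the new `names.AttrMode` branch of `resourceClusterCreate` is redundant, because `d.GetOk` already returns `ok == false` for a zero-value string. The `source_backup_identifier` branch directly below relies on `ok` alone. Dropping the extra comparison keeps the two branches consistent: `if v, ok := d.GetOk(names.AttrMode); ok {`. The function body continues outside the hunk.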
@@ -173,6 +184,7 @@ func resourceClusterRead(ctx context.Context, d *schema.ResourceData, meta inter
 d.Set("cluster_id", cluster.ClusterId)
 d.Set("cluster_state", cluster.State)
 d.Set("hsm_type", cluster.HsmType)
+ d.Set(names.AttrMode, cluster.Mode)
 d.Set("security_group_id", cluster.SecurityGroup)
 d.Set("source_backup_identifier", cluster.SourceBackupId)
 d.Set(names.AttrSubnetIDs, tfmaps.Values(cluster.SubnetMapping))
diff --git a/internal/service/cloudhsmv2/cluster_test.go b/internal/service/cloudhsmv2/cluster_test.go
index 7f65749aade..68165288282 100644
--- a/internal/service/cloudhsmv2/cluster_test.go
+++ b/internal/service/cloudhsmv2/cluster_test.go
@@ -38,6 +38,7 @@ func testAccCluster_basic(t *testing.T) {
 resource.TestMatchResourceAttr(resourceName, "cluster_id", regexache.MustCompile(`^cluster-.+`)),
 resource.TestCheckResourceAttr(resourceName, "cluster_state", string(types.ClusterStateUninitialized)),
 resource.TestCheckResourceAttr(resourceName, "hsm_type", "hsm1.medium"),
+ resource.TestCheckResourceAttr(resourceName, names.AttrMode, "FIPS"),
 resource.TestMatchResourceAttr(resourceName, "security_group_id", regexache.MustCompile(`^sg-.+`)),
 resource.TestCheckResourceAttr(resourceName, "source_backup_identifier", ""),
 resource.TestCheckResourceAttr(resourceName, "subnet_ids.#", acctest.Ct2),
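Review bot: The new assertion in `testAccCluster_basic` compares against the bare literal `"FIPS"`, while the `cluster_state` check two lines above it uses the SDK enum via `string(types.ClusterStateUninitialized)`. Using the enum here keeps the test aligned with the `enum.Validate[types.ClusterMode]()` validator on the schema: `resource.TestCheckResourceAttr(resourceName, names.AttrMode, string(types.ClusterModeFips)),`. The same applies to the `"NON_FIPS"` check in `testAccCluster_hsmType`.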
@@ -126,6 +127,35 @@ func testAccCluster_tags(t *testing.T) { }) } +func testAccCluster_hsmType(t *testing.T) { + ctx := acctest.Context(t) + resourceName := "aws_cloudhsm_v2_cluster.test" + rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix) + + resource.Test(t, resource.TestCase{ + PreCheck: func() { acctest.PreCheck(ctx, t) }, + ErrorCheck: acctest.ErrorCheck(t, names.CloudHSMV2ServiceID), + ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories, + CheckDestroy: testAccCheckClusterDestroy(ctx), + Steps: []resource.TestStep{ + { + Config: testAccClusterConfig_hsm2m_medium(rName), + Check: resource.ComposeAggregateTestCheckFunc( + testAccCheckClusterExists(ctx, resourceName), + resource.TestCheckResourceAttr(resourceName, "hsm_type", "hsm2m.medium"), + resource.TestCheckResourceAttr(resourceName, names.AttrMode, "NON_FIPS"), + ), + }, + { + ResourceName: resourceName, + ImportState: true, + ImportStateVerify: true, + ImportStateVerifyIgnore: []string{"cluster_certificates"}, + }, + }, + }) +} + func testAccCheckClusterDestroy(ctx context.Context) resource.TestCheckFunc { return func(s *terraform.State) error { conn := acctest.Provider.Meta().(*conns.AWSClient).CloudHSMV2Client(ctx) @@ -180,6 +210,16 @@ resource "aws_cloudhsm_v2_cluster" "test" { `) } +func testAccClusterConfig_hsm2m_medium(rName string) string { + return acctest.ConfigCompose(testAccClusterConfig_base(rName), ` +resource "aws_cloudhsm_v2_cluster" "test" { + hsm_type = "hsm2m.medium" + mode = "NON_FIPS" + subnet_ids = aws_subnet.test[*].id +} +`) +} + func testAccClusterConfig_tags1(rName, tagKey1, tagValue1 string) string { return acctest.ConfigCompose(testAccClusterConfig_base(rName), fmt.Sprintf(` resource "aws_cloudhsm_v2_cluster" "test" { diff --git a/website/docs/cdktf/python/r/cloudhsm_v2_cluster.html.markdown b/website/docs/cdktf/python/r/cloudhsm_v2_cluster.html.markdown index 23b6f64a5bb..582dd806e3e 100644 --- a/website/docs/cdktf/python/r/cloudhsm_v2_cluster.html.markdown 
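Review bot: `testAccCluster_hsmType` exercises only `hsm2m.medium` with `mode = "NON_FIPS"`, so two things stay untested: the FIPS path on the new HSM type, and the documented rule that `mode` is required when `hsm_type` is `hsm2m.medium`. For a setting that decides whether the HSM runs in FIPS mode, it is worth pinning both. The first needs a case with `mode = "FIPS"`; the second needs a step that omits `mode` and asserts the resulting error through `ExpectError`. The config helper in the second hunk hard-codes both values; taking them as parameters, e.g. `func testAccClusterConfig_hsmTypeMode(rName, hsmType, mode string) string`, would let one helper serve all of these cases.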
+++ b/website/docs/cdktf/python/r/cloudhsm_v2_cluster.html.markdown @@ -83,7 +83,8 @@ class MyConvertedCode(TerraformStack): This resource supports the following arguments: * `source_backup_identifier` - (Optional) ID of Cloud HSM v2 cluster backup to be restored. -* `hsm_type` - (Required) The type of HSM module in the cluster. Currently, only `hsm1.medium` is supported. +* `hsm_type` - (Required) The type of HSM module in the cluster. Currently, `hsm1.medium` and `hsm2m.medium` are supported. +* `mode` - (Optional) The mode to use in the cluster. The allowed values are `FIPS` and `NON_FIPS`. This field is required if `hsm_type` is `hsm2m.medium`. * `subnet_ids` - (Required) The IDs of subnets in which cluster will operate. * `tags` - (Optional) A map of tags to assign to the resource. If configured with a provider [`default_tags` configuration block](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#default_tags-configuration-block) present, tags with matching keys will overwrite those defined at the provider-level. diff --git a/website/docs/cdktf/typescript/r/cloudhsm_v2_cluster.html.markdown b/website/docs/cdktf/typescript/r/cloudhsm_v2_cluster.html.markdown index 368aaadcff3..ab23521670d 100644 --- a/website/docs/cdktf/typescript/r/cloudhsm_v2_cluster.html.markdown +++ b/website/docs/cdktf/typescript/r/cloudhsm_v2_cluster.html.markdown 
@@ -90,7 +90,8 @@ class MyConvertedCode extends TerraformStack { This resource supports the following arguments: * `sourceBackupIdentifier` - (Optional) ID of Cloud HSM v2 cluster backup to be restored. -* `hsmType` - (Required) The type of HSM module in the cluster. Currently, only `hsm1.medium` is supported. +* `hsmType` - (Required) The type of HSM module in the cluster. Currently, `hsm1.medium` and `hsm2m.medium` are supported. +* `mode` - (Optional) The mode to use in the cluster. The allowed values are `FIPS` and `NON_FIPS`. This field is required if `hsm_type` is `hsm2m.medium`. * `subnetIds` - (Required) The IDs of subnets in which cluster will operate. * `tags` - (Optional) A map of tags to assign to the resource. If configured with a provider [`defaultTags` configuration block](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#default_tags-configuration-block) present, tags with matching keys will overwrite those defined at the provider-level. diff --git a/website/docs/r/cloudhsm_v2_cluster.html.markdown b/website/docs/r/cloudhsm_v2_cluster.html.markdown index 474356eb477..0d952775e65 100644 --- a/website/docs/r/cloudhsm_v2_cluster.html.markdown +++ b/website/docs/r/cloudhsm_v2_cluster.html.markdown 
@@ -65,8 +65,9 @@ resource "aws_cloudhsm_v2_cluster" "cloudhsm_v2_cluster" { This resource supports the following arguments: * `source_backup_identifier` - (Optional) ID of Cloud HSM v2 cluster backup to be restored. -* `hsm_type` - (Required) The type of HSM module in the cluster. Currently, only `hsm1.medium` is supported. +* `hsm_type` - (Required) The type of HSM module in the cluster. Currently, `hsm1.medium` and `hsm2m.medium` are supported. * `subnet_ids` - (Required) The IDs of subnets in which cluster will operate. +* `mode` - (Optional) The mode to use in the cluster. The allowed values are `FIPS` and `NON_FIPS`. This field is required if `hsm_type` is `hsm2m.medium`. * `tags` - (Optional) A map of tags to assign to the resource. If configured with a provider [`default_tags` configuration block](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#default_tags-configuration-block) present, tags with matching keys will overwrite those defined at the provider-level. ## Attribute Reference