The National Institute for Standards and Technology (NIST) faces 2026 with reduced staffing and a tighter budget, yet retains significant responsibilities in national security and cybersecurity.
During a recent Information Security Privacy Advisory Board meeting, NIST representatives discussed their efforts to manage various Trump administration directives concerning AI, cybersecurity, and post-quantum encryption.
Kevin Stine, Director of NIST’s Information Technology Laboratory (ITL), reported that the agency has lost over 700 positions since the previous administration took office, through resignations and voluntary deferments. The ITL, responsible for IT measurements, testing, and standards, currently has 289 employees, having seen a reduction of approximately 89 staff members in the past year.
Further financial limitations are anticipated, with a recent congressional “minibus” spending package proposing a $13 million cut to NIST’s labs program. Stine noted this figure was “relatively good” compared to other budget proposals he had reviewed.
Stine indicated that while he was not advocating for increased funding or personnel, the current constraints necessitate a reallocation of resources towards a more focused set of priorities within the office.
Stine explained that this situation “is forcing a very focused discussion on prioritization of activities.” He added that “certainly critical emerging technologies and anything aligned with the new NIST strategy, as well as administration priorities, are going to be top of the list” and would be adequately resourced.
NIST’s technical responsibilities, including the testing and validation of encryption for federal government use, are also affected by these staffing reductions.
A key aspect of ITL’s mission involves collaborating with the Canadian Centre for Cybersecurity to validate the cryptography in commercial IT hardware and software procured by both governments.
David Hawes, program manager within NIST’s computer security division, described this validation process as “associatingly complex.” He noted that testers must consider numerous implementations and technologies, but fundamentally, the goal is to establish a foundational level of trust between vendors and the federal agencies acquiring their products.
Hawes articulated the office’s function: “We’ve got a standard, we’ve got testing, we validate it.” He emphasized the core question: “Can…federal government purchasers and users of these products, can they trust the cryptography? That’s what this is all about. Does it meet the standard? Can it be trusted with the information that’s there?”
Previously, a significant portion of the trust in NIST’s validation process relied on human-led reviews conducted after products were tested in labs. This method “heavily required manpower” to analyze extensive technical documents, certifications, and other unstructured data, often involving non-machine-searchable PDF files. Hawes mentioned that this task was historically handled by junior NIST staff.
An analysis of NIST’s last 30 cryptographic validations revealed an average completion time of 348 days per project. Despite this, Hawes reported that the agency has successfully decreased its backlog from nearly two years in 2020 to approximately six months currently.
The long-term objective is to shorten the validation process to mere “days.” While automation and streamlined workflows could contribute to this, Hawes indicated that achieving this goal might be challenging with the current staffing levels.
Hawes commented that the progress made thus far was “in spite of the loss” of personnel. He added, “We’d be a lot better off in terms of the queue lane now had we not lost the people recently that we did.”
The federal government is transitioning its IT infrastructure from traditional encryption methods to advanced quantum-resistant algorithms. This shift aims to safeguard federal systems and devices against potential cyberattacks from future quantum computers. Agencies are tasked with identifying and replacing encryption on sensitive assets, with a deadline looming: older encryption applications, such as RSA, are scheduled for formal deprecation by 2030.
Hawes confirmed that NIST is preparing to assist with this transition, having recently tested its initial post-quantum cryptographic module. He suggested that addressing the existing backlog would be the most efficient way to offer support.
Hawes stated, “I would say collectively our approach is…getting post-quantum modules validated sooner. So get the queue down, get them in, get them through.”
