NIST loses key cyber experts in standards and research

Top cybersecurity staffers at the National Institute of Standards and Technology (NIST) are leaving the agency as part of the Trump administration’s downsizing operation, Cybersecurity Dive has learned.

The departures are raising concerns over NIST’s work on emerging technology issues in quantum computing and artificial intelligence.

Among the departures, according to two people familiar with the matter, are: Matthew Scholl, chief of the Computer Security Division (CSD) inside NIST’s Information Technology Lab; Tim Hall, who led CSD’s Security Testing, Validation and Measurements Group; and David Ferraiolo, who led CSD’s Secure Systems and Applications Group. Roughly ten other CSD staffers also left the agency in this latest round of departures.

The staffing losses are causing alarm within the tech industry about NIST’s continued capacity to collaborate with businesses and academic experts to develop and update guidance on evolving cybersecurity challenges.

“The research that underpins NIST’s risk management and security work will suffer from a loss of critical institutional knowledge,” said Nick Reese, a former Department of Homeland Security policy staffer who worked on AI and other emerging technologies. “This will not be easy to replace so I anticipate a significant reduction in the number, scope and impact of NIST research that gets operationalized for industry use.”

One former NIST official, who requested anonymity to preserve their relationship with the agency, called the staff departures “massive.” “NIST’s greatest asset is its scientists. To lose this many all at the same time is going to be a massive hit,” said the former official. “The staff was already overworked and did not have all the resources to do all that they’ve been tasked to do in EOs and by Congress in law.”

CSD leads NIST’s research, standards-setting, and industry collaboration on a wide range of cybersecurity topics, including cryptography, access control, cloud security, and risk management. The division manages the National Vulnerability Database, oversees the Risk Management Framework, and is standardizing a set of post-quantum cryptographic algorithms. (NIST’s Cybersecurity Framework falls under the Applied Cybersecurity Division (ACD), although many CSD staff — none of whom have left — work on the document.)

The NIST division’s publications cover subjects like protecting government data, verifying user identities and analyzing cyber risk. CSD and ACD handle the bulk of NIST’s cybersecurity engagements with the private sector.

Reese said CSD employees “were significant collaborators to my team’s work” at DHS and called them “experts of the highest order [who] produced significant research, frameworks, and guidance widely used by industry.”

“With this kind of staff reduction and loss of institutional knowledge, these resources will fall away,” said Reese, the co-founder and chief operating officer of the AI firm Frontier Foundry. “The long-term impact will be to the overall security of companies, governments and academic institutions working to understand the complex security environments around these new technologies.”

Scholl, who left NIST on April 30, regularly represented the agency at cybersecurity conferences and spent years as the staff manager for NIST’s Information Security and Privacy Advisory Board, an independent advisory panel of tech experts. He joined the agency in 2004 after working as a technology contractor for six years and serving in the U.S. Army for eight years.

Jon Boyens, Scholl’s deputy, is now CSD’s acting chief.

Scholl declined to comment for this story. Hall and Ferraiolo did not respond to requests for comment. NIST did not provide a comment.

Post-quantum crypto efforts imperiled

As of February, CSD had 95 federal employees — the most of any NIST division — along with 65 contractors and guest researchers, according to a person familiar with the matter. Between the Office of Personnel Management’s late-January “Fork in the Road” email and NIST’s more recent Voluntary Early Retirement Authority (VERA) and Voluntary Separation Incentive Payment (VSIP) offers, the division has lost more than 20% of its federal workers.

The recent departures will particularly hurt NIST’s high-profile work managing the government’s standardization of post-quantum cryptographic algorithms, multiple observers told Cybersecurity Dive.

