NIST officials detail impact of staff cuts on encryption and other priorities

The National Institute for Standards and Technology is starting 2026 with a smaller staff, a shrinking budget and some big responsibilities around supporting national security and cybersecurity.

At a meeting Wednesday of the Information Security Privacy Advisory Board, NIST officials provided updates on how they’re grappling with several Trump administration priorities, including mandates on AI, cybersecurity and post-quantum encryption.

Kevin Stine, Director of the Information Technology Laboratory (ITL) at NIST, said the agency has shed more than 700 positions since Trump assumed office last year through personnel initiatives like resignations and voluntary deferments. His office, which focuses on IT measurements, testing and standards, has a headcount of 289 and lost about 89 employees over the last year.

More constraints are on the way, as the latest “minibus” spending package from Congress would cut $13 million from NIST’s labs program, something Stine called “relatively good numbers” compared to other budget proposals he’d seen.

While Stine did not stump for more money or staff, he said the constraints have caused the office to reshuffle remaining resources on a narrower set of priorities.

“It’s forcing a very focused discussion on prioritization of our activities,” said Stine. “Certainly critical emerging technologies and anything aligned with the new NIST strategy, as well as administration priorities, are going to be top of the list and we will adequately resource those.”

NIST’s technical work testing and validating encryption for the federal government is also dealing with impacts from the staffing reductions.

Part of ITL’s mission involves jointly working with the Canadian Centre for Cybersecurity to validate the cryptography of commercial IT hardware and software purchased by their governments.

David Hawes, program manager for that validation program at NIST’s computer security division, called this process “associatingly complex” because of how many different implementations and technologies testers must account for when validating encryption, but said in essence it was about establishing a baseline level of trust between vendors and the federal agencies buying their products.

“The way that we think of what our office does is: we’ve got a standard, we’ve got testing, we validate it,” said Hawes. “Can…federal government purchasers and users of these products, can they trust the cryptography? That’s what this is all about. Does it meet the standard? Can it be trusted with the information that’s there?”

Until recently, “a lot of the trust” in NIST’s validation process came from back-end human-led reviews after labs tested products. This approach “heavily required manpower” to sift through hundreds of pages of technical documents, certifications, non-machine-searchable PDF files and other unstructured data. Hawes said in years past, this work was typically assigned to junior NIST staffers.

A review of the past 30 cryptographic validations performed by NIST found that it took an average of 348 days to complete each project. However, Hawes said the agency has reduced its backlog from nearly two years in 2020 to about six months today.

The ultimate goal is to reduce the validation process to “days.” Some of that work can be picked up through automation and other streamlined workflows, but Hawes suggested that could be difficult under current staffing numbers.

“I would say [our progress to date] was in spite of the loss,” he said. “We’d be a lot better off in terms of the queue lane now had we not lost the people recently that we did.”

The federal government is shifting its IT from older, classical encryption to newer “quantum-resistant” algorithms meant to protect federal systems and devices from cyberattacks enabled by a future quantum computer. As agencies work to identify and replace the encryption protecting their most sensitive assets, they also face a deadline: older encryption algorithms, like RSA, are set to be formally deprecated by 2030.

Hawes said NIST is preparing to support that effort and tested its first post-quantum cryptographic module in recent weeks. However, solving the backlog, he suggested, was the fastest way to provide that help.

“I would say collectively our approach is…getting post-quantum modules validated sooner,” said Hawes. “So get the queue down, get them in, get them through.”

Derek B. Johnson

Derek B. Johnson is a reporter at CyberScoop, where his beat includes cybersecurity, elections and the federal government. Prior to that, he has provided award-winning coverage of cybersecurity news across the public and private sectors for various publications since 2017. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.
