The National Institute of Standards and Technology (NIST) is facing significant operational challenges at the start of 2026 due to a reduced budget and staff. These constraints are impacting the agency’s ability to fulfill critical national security and cybersecurity mandates, including work on artificial intelligence, encryption standards, and the transition to post-quantum cryptography.
NIST officials recently shared updates on these impacts at a meeting of the Information Security and Privacy Advisory Board. The agency has seen substantial personnel departures, and budget projections indicate further reductions. These factors are forcing NIST to prioritize its essential functions and strategically allocate its remaining resources to address the most pressing technological and policy issues.
NIST Grapples with Reduced Resources and Growing Responsibilities
Kevin Stine, Director of NIST’s Information Technology Laboratory (ITL), stated that the agency has experienced a loss of over 700 positions since the beginning of 2026. His own office, responsible for information technology measurements, testing, and standards, has a reduced headcount of 289 employees after losing approximately 89 staff members over the past year.
The situation is further compounded by upcoming budget allocations. A recent congressional spending package proposes a $13 million cut to NIST’s labs program. Stine described these numbers as “relatively good” compared to other budget proposals considered, indicating the broader financial pressures the agency is under.
Despite the financial and staffing limitations, Stine emphasized that these constraints are driving a more focused approach to the agency’s work. “It’s forcing a very focused discussion on prioritization of our activities,” Stine said. “Certainly critical emerging technologies and anything aligned with the new NIST strategy, as well as administration priorities, are going to be top of the list and we will adequately resource those.”
Impact on Cryptographic Validation
NIST’s vital role in testing and validating cryptographic standards for the federal government is also being affected by the staffing reductions. The ITL collaborates with the Canadian Centre for Cyber Security to assess the cryptography used in IT hardware and software procured by both nations’ governments.
David Hawes, program manager for this initiative at NIST’s computer security division, described the validation process as “associatively complex” due to the diverse implementations and technologies involved. Essentially, the program aims to establish a baseline of trust between vendors and federal agencies purchasing their products, ensuring that the cryptography meets established standards.
“The way that we think of what our office does is: we’ve got a standard, we’ve got testing, we validate it,” Hawes explained. “Can…federal government purchasers and users of these products, can they trust the cryptography? That’s what this is all about. Does it meet the standard? Can it be trusted with the information that’s there?”
Historically, a significant portion of trust in NIST’s validation stemmed from manual, human-led reviews of technical documents and certifications. This process was labor-intensive, often falling to junior staff. However, Hawes noted that NIST has made progress in reducing its backlog of cryptographic validations.
A review of recent validations found that each project previously took an average of 348 days. The agency has since reduced this backlog from approximately two years in 2020 to about six months currently. Hawes said that accelerating the process further, to completion in “days,” is hindered by current staffing levels.
“I would say [our progress to date] was in spite of the loss,” Hawes stated. “We’d be a lot better off in terms of the queue lane now had we not lost the people recently that we did.”
Transitioning to Post-Quantum Cryptography
The federal government is in the midst of transitioning its IT infrastructure from older encryption methods to quantum-resistant algorithms. This shift is critical to protecting sensitive federal systems and data from future cyber threats posed by quantum computing. Agencies are working to identify and replace encryption systems, with older algorithms such as RSA slated for deprecation by 2030.
Hawes indicated that NIST is preparing to support this transition, having recently tested its first post-quantum cryptographic module. He believes that resolving the existing validation backlog is the most effective way to accelerate this vital support for agencies. “I would say collectively our approach is…getting post-quantum modules validated sooner,” Hawes said. “So get the queue down, get them in, get them through.”
The agency’s ability to support the critical federal transition to post-quantum cryptography and reduce its validation backlog in the coming months will likely depend on future budget decisions and any potential shifts in staffing levels. The timeline for achieving validation turnaround measured in days remains uncertain under current resource constraints.

