NIST Budget Reductions: Long-Term Risks for U.S. Cybersecurity and Technology Leadership
- Katarzyna Celińska

- 5 days ago
Recent information about budget reductions and staffing cuts at NIST raises serious concerns about the future of cybersecurity, cryptography, and emerging technology governance in the United States.
For many years, NIST, alongside CISA, has been a global point of reference for cybersecurity standards, good practices, and technical guidance used not only in the U.S., but worldwide. Today, both institutions are facing significant cost-cutting measures that may have long-term consequences.

Image by DC Studio on Freepik
According to publicly available reporting, NIST has:
➡️ lost over 700 staff positions since 2025,
➡️ including nearly one-third of staff in its Information Technology Laboratory,
➡️ faced additional budget cuts to laboratory programs, affecting testing, validation, and standards development.
These reductions directly impact NIST’s ability to:
➡️ test and validate cryptographic modules,
➡️ support federal and industry adoption of PQC,
➡️ maintain and update core cybersecurity standards.
One of the most concerning areas affected by staffing reductions is cryptographic validation and encryption testing.
This comes at a time when:
➡️ quantum risk is accelerating,
➡️ governments are urging organizations not to delay PQC testing and migration.
This situation echoes what we saw recently with CISA, where budget and staffing constraints raised concerns about:
➡️ vulnerability management programs,
➡️ continuity of critical cybersecurity services.
From a long-term perspective, these cuts may lead to:
➡️ gradual erosion of U.S. leadership in cybersecurity standards,
➡️ reduced ability to respond to emerging threats,
➡️ increased reliance on the private sector.
This erosion may not be immediately visible, but over time, it will weaken:
➡️ national cyber resilience,
➡️ and global influence in setting norms and standards.
At the same time, the EU is moving in the opposite direction:
➡️ strengthening its cybersecurity regulatory framework,
➡️ expanding the role of ENISA,
➡️ harmonising cybersecurity requirements across Member States,
➡️ placing strong emphasis on ICT supply chain security and resilience.
Author: Sebastian Burgemejster






