NIST SP 800-238: FY 2025 Cybersecurity and Privacy Annual Report – A Comprehensive Overview

The National Institute of Standards and Technology (NIST) has released Special Publication 800-238, the Fiscal Year 2025 Annual Report for the NIST Cybersecurity and Privacy Program. This document provides a detailed snapshot of the significant progress made by NIST’s Information Technology Laboratory (ITL) Cybersecurity and Privacy Program from October 1, 2024, through September 30, 2025.

As threats evolve rapidly and technologies like AI, quantum computing, and IoT expand, NIST continues to serve as a cornerstone for global cybersecurity standards. This year’s report highlights achievements across six core focus areas: Cryptography, Cybersecurity & AI, Education & Workforce, Hardware & Software Security, Infrastructure Security, and Risk Management.

NIST emphasized collaboration, practical implementation, and forward-looking standards to address emerging risks while supporting innovation across government, industry, and academia.

[Image: NIST Cyber AI Profile Workshop]

Reflecting on Progress and Future Readiness

In the foreword, Julie Chua (Chief, Applied Cybersecurity Division) and Jon Boyens (Acting Chief, Computer Security Division) reflect on the program’s 23rd annual report. They note that while the cybersecurity landscape has changed dramatically, NIST’s commitment to understanding complex challenges and pivoting research priorities has remained constant.

The report underscores the value of partnerships, including work through the National Cybersecurity Center of Excellence (NCCoE), and highlights how NIST’s efforts strengthen both U.S. federal systems and global cybersecurity resilience.

1. Cryptography: Advancing Post-Quantum and Lightweight Solutions

Cryptography remains a foundational pillar of NIST’s work. In FY 2025, the agency made notable strides in preparing the world for a post-quantum future.

Major Accomplishments:

  • Announced a fifth Post-Quantum Cryptography (PQC) algorithm for standardization: Hamming Quasi-Cyclic (HQC).
  • Released a detailed timeline for PQC migration, including deprecation of quantum-vulnerable algorithms after 2030 and mandatory use of quantum-resistant algorithms by 2035.
  • Published the lightweight cryptography standard Ascon in SP 800-232 following a five-year international competition. This provides efficient, side-channel-resistant protection ideal for IoT and constrained devices.
  • Validated 262 cryptographic products under the Cryptographic Module Validation Program (CMVP) with improved workflows.
  • Advanced the Migration to PQC Project at NCCoE with over 50 organizations demonstrating inventory tools, interoperability, and migration practices.
  • Delivered nearly 1 million test vectors and validated 1,598 implementations, including significant progress on ML-DSA and ML-KEM algorithms.

These efforts are critical as quantum computing capabilities advance, potentially rendering current encryption obsolete.

2. Cybersecurity & AI: Managing New Risks and Opportunities

With AI systems increasingly integrated into critical operations, NIST focused heavily on AI security and trustworthiness.

Key Highlights:

  • Developed a Cybersecurity Framework (CSF) Profile for AI through extensive workshops and input from thousands of participants.
  • Released “Adversarial Machine Learning: Attacks and Mitigations – A Taxonomy and Terminology,” a widely referenced resource.
  • Conducted experiments on a “smart road” to create benchmark datasets for improving robustness of AI in autonomous vehicles.
  • Launched the Control Overlays for Securing AI Systems (COSAiS) project to integrate security controls for AI technologies.
  • Published multiple research papers on topics including dataset reduction, threat modeling for ML systems, hallucination detection (Best Paper Award), and automated program repair.
  • Continued development of Dioptra, a test platform for evaluating AI system characteristics.

This work addresses both the opportunities and unique vulnerabilities introduced by AI adoption.

3. Education & Workforce: Building a Resilient Talent Pipeline

Addressing the persistent cybersecurity skills gap was another priority.

Notable Achievements:

  • The NICE Cybersecurity Workforce Framework’s Community Coordinating Council released resources on talent retention, workforce entry options, and educator support.
  • Published guidance on skills-based talent management, apprenticeships, and the impact of AI on the cybersecurity workforce.
  • Awarded 17 new RAMPS cooperative agreements totaling over $3 million, bringing the total to 47 communities across 25 states.
  • Hosted major events including the NICE Conference & Expo, K-12 Cybersecurity Education Conference, and Cybersecurity Career Week.
  • Supported Federal Information Security Educators (FISSEA) forums.

These initiatives aim to create a diverse, skilled, and sustainable cybersecurity workforce.

4. Hardware & Software Security: Securing the Foundation

NIST strengthened protections at the hardware and software layers.

Accomplishments Include:

  • Established a new Hardware Security Laboratory with advanced measurement capabilities.
  • Held workshops on semiconductor supply chain trust and released Draft IR 8546 for a Cybersecurity Framework Profile for semiconductor manufacturing.
  • Launched the Secure Software Development, Security, and Operations (DevSecOps) Practices Project and published a preliminary draft of SP 1800-44A.
  • Added ~216 new/updated checklists through the National Checklist Program.

5. Infrastructure Security: Protecting Critical Systems

Focus areas included cloud-native systems, 5G, IoT, manufacturing, and high-performance computing.

Highlights:

  • Published guidelines for API protection in cloud-native systems.
  • Released the CSF 2.0 Manufacturing Profile and several 5G cybersecurity white papers.
  • Updated guidance for IoT device onboarding and water sector cybersecurity.
  • Contributed to 3GPP standards for 5G/6G security.

6. Risk Management: Foundational Frameworks and Tools

Risk management ties the other five focus areas together.

Key Updates:

  • Advanced CSF 2.0 adoption with quick-start guides, tools, and translations.
  • Published SP 800-55 Vols. 1 & 2 on security measurement programs.
  • Updated SP 800-53 and SP 800-53A for secure software updates in response to Executive Order 14306.
  • Released Draft Privacy Framework 1.1 and continued OSCAL development for automation.
  • Updated Digital Identity Guidelines (Revision 4) and supported mobile driver’s license standards.

Why This Report Matters

NIST SP 800-238 is more than a summary — it serves as a strategic roadmap for organizations worldwide. Whether you’re a federal agency, critical infrastructure operator, or private sector CISO, the report offers actionable insights and references to the latest standards and tools.

Broader Implications and Takeaways for Organizations

The FY 2025 report demonstrates NIST’s proactive approach to emerging technologies while reinforcing core security principles. Organizations should prioritize:

  1. Planning PQC migration timelines
  2. Integrating AI-specific security controls
  3. Investing in workforce development
  4. Adopting CSF 2.0 and updated SP 800-53 controls
  5. Enhancing supply chain and hardware security practices

As cyber threats grow more sophisticated, NIST’s emphasis on measurement, automation (via OSCAL), and collaboration will become increasingly valuable.

NIST’s Enduring Leadership

The release of NIST SP 800-238 reaffirms the institute’s critical role in shaping a secure digital future. By addressing cryptography, AI risks, workforce gaps, hardware/software integrity, infrastructure protection, and holistic risk management, NIST provides essential guidance for navigating an increasingly complex threat environment.

Download the full report: NIST SP 800-238 (PDF)

Organizations that align with these advancements will be better positioned to manage risks, protect assets, and build trust in an interconnected world.
