Key Takeaways
- NIST’s FY 2025 Annual Report highlights progress across cryptography, AI‑cybersecurity, education, hardware/software security, infrastructure, risk management, and digital identity.
- Post‑quantum cryptography (PQC) advanced with a fifth algorithm (HQC) added for standardization and a migration timeline targeting deprecation of quantum‑vulnerable algorithms by 2030 and mandatory quantum‑resistant use by 2035.
- The lightweight Ascon standard was published to secure billions of IoT and constrained devices, while the Cryptographic Module Validation Program streamlined testing for 262 products.
- AI‑focused work produced the Cybersecurity Framework Profile for AI, an Adversarial Machine Learning taxonomy, and the COSAiS project to overlay SP 800‑53 controls on AI systems.
- Education and workforce initiatives expanded through the NICE Community Coordinating Council, RAMPS grants, apprenticeship resources, and numerous conferences and webinars.
- Hardware security saw the launch of a dedicated Hardware Security Laboratory and workshops on semiconductor supply‑chain trust; software security advanced via the NCCoE Secure Software Development project and updated automated checklists.
- Infrastructure security delivered API protection guidelines, 5G/6G cybersecurity white papers, HPC security documents, and water‑sector best‑practice engagements.
- Risk‑management efforts promoted Cybersecurity Framework 2.0 adoption, released SP 800‑55 volumes, updated SP 800‑53 control catalogs, and advanced supply‑chain risk management practices.
- Digital identity guidelines were revised to Revision 4 with updated provisions for mobile driver’s licenses; NIST also contributed to ISO/IEC TS 18013‑7 and added a new NICE OT cybersecurity engineering work role.
Cryptography Advances
NIST continued its long‑standing leadership in cryptographic standards by advancing post‑quantum cryptography (PQC). In FY 2025 the agency announced a fifth PQC algorithm for standardization—Hamming Quasi‑Cyclic (HQC)—and issued a migration timeline calling for the deprecation of quantum‑vulnerable algorithms after 2030 and the required adoption of quantum‑resistant algorithms by 2035. The lightweight Ascon algorithm, selected after a five‑year global competition, was published in SP 800‑232 to provide strong, side‑channel‑resistant protection for billions of IoT and other constrained devices. NIST also improved the Cryptographic Module Validation Program, reducing validation times for the 262 products tested during the year and expanding automated testing to deliver nearly one million test vectors and validate 1,598 implementations, including 170 validations for ML‑DSA and ML‑KEM from FIPS 204 and FIPS 203.
Cybersecurity and AI Initiatives
Recognizing the dual opportunities and risks posed by artificial intelligence, NIST’s AI‑cybersecurity portfolio produced several foundational resources. The agency released a concept paper and gathered extensive input for the Cybersecurity Framework Profile for AI through workshops involving thousands of stakeholders. It also published “Adversarial Machine Learning: A Taxonomy and Terminology of Attacks and Mitigations,” a widely cited work that clarifies threat landscapes. Through the National Cybersecurity Center of Excellence (NCCoE), NIST launched the Control Overlays for Securing AI Systems (COSAiS) project to map SP 800‑53, SP 800‑218A, Draft AI 800‑1, and AI 100‑2e2025 controls onto AI deployments. Additional contributions included a unified measurement framework for ML datasets, a model‑agnostic dataset reduction method using Combinatorial Frequency Differencing, threat‑modeling papers for ML security, a Best‑Paper‑award‑winning study on detecting hallucinations, and ongoing development of the Dioptra software‑testing platform for AI system evaluation.
Education and Workforce Development
NIST’s Education and Workforce focus area sought to grow a skilled cybersecurity labor force through public awareness, standards dissemination, and targeted programs. The NICE Community Coordinating Council issued three new resources aligned with the NICE Strategic Plan: a white paper on retaining cybersecurity talent, guidance on workforce pathways, and information on how National Centers of Academic Excellence are addressing educator demand. NIST also released materials on skills‑based talent management, apprenticeships, and AI’s impact on cybersecurity jobs. The Regional Alliances and Multistakeholder Partnerships to Stimulate Cybersecurity Education and Workforce Development (RAMPS) program awarded 17 cooperative agreements totaling over $3 million, bringing the total funded RAMPS communities to 47 across 25 states by September 2025. Throughout the year, NIST supported events such as the NICE Conference and Expo, K‑12 Cybersecurity Education Conference, Cybersecurity Career Week, webinars, and the U.S. Cyber Team Draft Day, while maintaining the Federal Information Security Educators forums.
Hardware and Software Security
To strengthen the trustworthiness of computing foundations, NIST established a dedicated Hardware Security Laboratory equipped with electrical probing stations, electromagnetic side‑channel analysis tools, and test artifacts for semiconductor security research. A workshop with industry, government, and academia identified priorities and challenges related to semiconductor supply‑chain trust and provenance, feeding into a draft IR 8546 that aligns semiconductor manufacturing guidelines with Cybersecurity Framework 2.0. NIST also led the development of advanced measurement techniques and analytical frameworks to evaluate hardware failure scenarios, quantify vulnerabilities, and assess mitigation strategies. On the software side, the NCCoE‑driven Secure Software Development, Security, and Operations Practices Project produced an industry consortium and a preliminary draft of SP 1800‑44A. The National Checklist Program added roughly 216 new or updated automated checklists for securely configuring and patching widely used applications and operating systems, thereby helping protect millions of organizational systems.
Infrastructure Security
NIST’s infrastructure security portfolio delivered practical guidelines for modern IT platforms. The agency published “Guidelines for API Protection for Cloud‑Native Systems” and “Service Mesh Proxy Models for Cloud‑Native Applications,” offering risk‑based controls for API security. Through the NCCoE, it released the Cybersecurity Framework 2.0 Manufacturing Profile, providing manufacturers a voluntary framework to manage cyber risk. Work on 5G and emerging 6G networks yielded white papers CSWP 36C, CSWP 36D, and CSWP 36E addressing potential threats and mitigations. The High‑Performance Computing Security Working Group issued SP 800‑223 and Draft SP 800‑234 to improve HPC security communication, compliance, and system design. NIST also updated Draft IR 8259 Revision 1 for manufacturers and continued participation in the 3GPP SA3 project to embed NIST cryptographic standards into cellular technologies. In the water sector, the Trusted IoT Device Network‑Layer Onboarding and Lifecycle Management project hosted an open house via the NCCoE, while bi‑monthly CRADA meetings reinforced best‑practice sharing.
Risk Management and Supply Chain
Risk‑management efforts centered on broadening adoption of Cybersecurity Framework 2.0. NIST released quick‑start guides, expanded the Online Informative References platform, launched a webinar series, published translated resources, and updated the NIST IR 8286 series. Seven community profiles and related resources were produced via the NCCoE for sectors such as energy, health, and finance. The agency also published SP 800‑55 Volumes 1 and 2, which focus on selecting security measures and building measurement programs. In response to Executive Order 14306, NIST updated the Security and Privacy Control Catalog (SP 800‑53 Release 5.2.0) and its assessment procedures (SP 800‑53A Release 5.2.0) to strengthen guidance on secure software updates and patch management. Supply‑chain risk management advanced through the Software and Supply Chain Assurance Forum, support for the Federal Acquisition Security Council, and the release of Draft Privacy Framework 1.1, which garnered over 250 comments and more than 25,000 downloads. The Open Security Controls Assessment Language (OSCAL) initiative continued with the CAPORDINO tool that converts reference datasets into OSCAL formats, facilitating automation.
Digital Identity and Authentication
NIST’s digital identity work culminated in Revision 4 of the Digital Identity Guidelines, which introduced updated provisions for mobile driver’s licenses used in account opening and high‑risk transactions. The agency contributed to the international protocol ISO/IEC TS 18013‑7:2025 for securely presenting identity documents and developed a reference implementation of an ISO standard through the NCCoE. Additionally, NIST issued NICE Workforce Framework Version 2.2.0, adding a new Operational Technology Cybersecurity Engineering work role to address the growing need for OT security expertise. Earlier in the reporting period, NIST released an initial public draft of SP 1800‑41, a practice guide from the NCCoE designed to help manufacturers detect, respond to, and recover from cyberattacks targeting industrial control systems (ICS) and operational technology (OT) environments—a timely resource amid rising ransomware and destructive malware threats.
Overall Outlook
The FY 2025 Annual Report underscores NIST’s multidisciplinary approach to cybersecurity and privacy, blending standards development, practical guidance, workforce cultivation, and cross‑sector collaboration. By advancing post‑quantum cryptography, shaping AI security frameworks, expanding education pipelines, fortifying hardware and software foundations, issuing infrastructure‑specific guidelines, refining risk‑management tools, and modernizing digital identity practices, NIST positions itself to address current threats while shaping future opportunities in an increasingly interconnected world. The report’s tone reflects confidence that the foundation laid this year will enable the agency and its partners to anticipate and mitigate emerging challenges in the years ahead.

