National Institute of Standards and Technology (NIST)

The National Institute of Standards and Technology is the federal laboratory within the Department of Commerce responsible for advancing measurement science, standards, and technology. NIST's work touches nearly every sector of the economy — from defining the fundamental units of measurement to setting cybersecurity standards for federal systems, developing AI risk frameworks, running the Hollings Manufacturing Extension Partnership, and operating the Fire Research Center.

Current Law (2026)

Legal Authority

• 15 U.S.C. § 272 — Establishment, functions, and activities (establishes NIST as a science, engineering, technology, and measurement laboratory; functions include measurement research, standards development, industrial technology services, and fundamental research)
• 15 U.S.C. § 272a — Technology services (authorizes technology extension activities to help small and medium-sized firms improve their use of technology)
• 15 U.S.C. § 273a — Under Secretary of Commerce for Standards and Technology (establishes the position as NIST's head, appointed by the President with Senate confirmation)
• 15 U.S.C. § 278 — Visiting Committee on Advanced Technology (establishes an advisory committee of at least 9 members to review and make recommendations on NIST programs and policies)
• 15 U.S.C. § 278f — Fire Research Center (establishes a research center within NIST focused on all aspects of fire science, providing knowledge to reduce fire losses)
• 15 U.S.C. § 278g-3 — Computer standards program (NIST's mission to develop standards, guidelines, and minimum requirements for federal information systems — the statutory basis for NIST's cybersecurity work under FISMA)
• 15 U.S.C. § 278g-3b — IoT security standards (directs NIST to develop standards for federal agency use and management of Internet of Things devices)
• 15 U.S.C. § 278h-1 — AI standards (directs NIST to advance frameworks, standards, and guidelines for artificial intelligence, including risk-mitigation frameworks)
• 15 U.S.C. § 278k — Hollings Manufacturing Extension Partnership (establishes a nationwide network of manufacturing extension centers to assist small and medium manufacturers)

How It Works

NIST's work operates on two levels: fundamental measurement science that underpins all of science and technology, and applied standards that directly shape industries and government operations.

At the foundational level, NIST maintains the nation's measurement infrastructure — defining the units of measurement (length, mass, time, temperature, electrical current) and developing the measurement tools and techniques that industries need for precision manufacturing, quality control, and interoperability. Every calibrated instrument in America's laboratories, factories, and hospitals traces its accuracy back to NIST standards.

In cybersecurity, NIST's role is enormous — and closely connected to CISA's operational mission. The FISMA statute directs NIST to develop the standards, guidelines, and minimum requirements for federal information systems. The resulting publications — particularly the NIST Cybersecurity Framework and the Special Publication 800 series — have become the de facto standards not only for federal agencies but for private industry worldwide. Federal agencies are legally required to follow NIST cybersecurity guidelines; many private companies adopt them voluntarily or through regulatory requirements.

NIST's AI standards mandate is one of its newest and most consequential. Congress directed NIST to develop frameworks, standards, and risk-mitigation guidelines for artificial intelligence. The NIST AI Risk Management Framework, published in 2023, has become a key reference for organizations developing and deploying AI systems. The framework addresses trustworthiness, bias, transparency, and accountability in AI.

The IoT security mandate addresses the growing attack surface created by connected devices in federal agencies. NIST develops standards for how agencies should use and manage IoT devices — from security cameras to smart thermostats to industrial sensors — ensuring these devices don't become entry points for cyberattacks.

The Hollings Manufacturing Extension Partnership (MEP) operates a nationwide network of manufacturing extension centers that provide hands-on technical assistance to small and medium-sized manufacturers. MEP centers help with process improvement, workforce development, technology adoption, and supply chain optimization — serving as NIST's primary mechanism for reaching the manufacturing sector directly.

The Fire Research Center conducts research on fire behavior, fire detection and suppression, building fire safety, and wildland-urban interface fire. This research informs building codes, fire safety standards, and firefighter safety practices.

How It Affects You

If you're an everyday American: NIST standards are invisible but ubiquitous — the scale at your grocery store is accurate because it was calibrated against NIST standards; the GPS in your phone works because NIST cesium atomic clocks define the time standard; the dosage in your medication was measured using instruments traceable to NIST calibration. The accuracy of measurement infrastructure underlies every physical transaction in the economy. When NIST updates the definition of a kilogram (it did in 2019, redefining it in terms of fundamental physical constants), every scale and measurement device in the country is recalibrated in response.

If you're a technology company, CISO, or developer: NIST's Cybersecurity Framework (CSF) 2.0, released in February 2024, is the single most widely referenced cybersecurity guidance document in the world — used by federal agencies (mandatory under FISMA) and by private industry (referenced in contracts, cyber insurance applications, and investor questionnaires). CSF 2.0 added a new "Govern" function emphasizing organizational governance of cybersecurity risk, and expanded supply chain security guidance. If you're building AI systems, NIST's AI Risk Management Framework (AI RMF, January 2023) is becoming the baseline for responsible AI development in U.S. government contracts and is increasingly referenced by state AI regulations. The NIST AI RMF is organized around four core functions: Govern, Map, Measure, and Manage.

If you're a small or mid-sized manufacturer: The Hollings Manufacturing Extension Partnership (MEP) operates 51 centers — one in every state plus Puerto Rico — providing hands-on technical assistance at subsidized cost. MEP centers help with process improvement, lean manufacturing, cybersecurity for industrial systems, workforce training, and technology adoption. The federal government provides roughly 50% of MEP center funding; the rest comes from state/local contributions and fee-based services. To find your nearest center, go to nist.gov/mep and enter your location. For manufacturers, this is one of the most underutilized federal programs — the average MEP engagement costs a small manufacturer several hundred dollars in fees for services worth far more at market rates.

If you work in federal IT or are pursuing FedRAMP authorization: NIST SP 800-53 (security and privacy controls) is the foundational technical requirements document for federal information systems. FedRAMP — the cloud authorization program for federal agencies — requires compliance with a NIST SP 800-53 control baseline. NIST SP 800-171 (protecting controlled unclassified information in nonfederal systems) is required for defense contractors and suppliers working with DoD and other agencies. If you're pursuing CMMC (Cybersecurity Maturity Model Certification) for DoD contracting, the technical requirements map directly to NIST SP 800-171 Level 2 and 800-172 Level 3. NIST also publishes the Special Publication 800-37 (Risk Management Framework) — the process framework for authorizing federal information systems to operate.

State Variations

NIST is exclusively federal, but its influence extends to states:

• MEP centers operate in all 50 states and Puerto Rico, often in partnership with state economic development agencies
• State cybersecurity programs frequently adopt NIST frameworks
• State weights and measures programs calibrate against NIST standards
• Building codes referencing NIST fire research are adopted at the state and local level

Implementing Regulations

• 15 CFR Parts 280–299 — NIST regulations covering weights and measures, voluntary product standards, NVLAP laboratory accreditation, and administrative procedures for standards development and cybersecurity framework publication.

• 15 CFR Part 10 — Procedures for the Development of Voluntary Product Standards: the Commerce Department's program for publishing Voluntary Product Standards (PS) — consensus standards for commercial and industrial products where a single nationally recognized standard serves commerce, simplifies trade, and reduces confusion. Part 10 is one of the oldest federal standards programs, predating NIST's modern role; it operates under NIST's administration as the standards development coordinator but the standards themselves are created by industry with government facilitation. The classic example is PS 20-70 — the American Softwood Lumber Standard (framing lumber dimensions, grading rules, and moisture specifications), which NIST administers and NIST's National Forest Products Laboratory interprets:

  • § 10.0 — General: the Department recognizes that voluntary standards developed by industry consensus reduce barriers to trade, simplify procurement, enable comparison shopping, and allow manufacturers to produce to common specifications; the Department's role is coordinator — providing technical support, ensuring due process, and publishing the resulting standard with federal recognition, but not dictating technical content
  • § 10.1 — Initiating development: any group (producers, distributors, users, consumers, testing labs, or state/federal agencies) may request the Department to initiate development of a new standard; the requesting organization acts as the proponent and must fund the administrative costs of the standards development process
  • § 10.3 — Proposed standard development: a proposed standard must be based on adequate technical information; for dimensional standards (lumber sizes, pipe dimensions) it must reflect actual marketing and production practices; the proposed standard must contain an acceptance procedure explaining how compliance will be verified; NIST reviews the proposal for technical adequacy before proceeding
  • § 10.4 — Standard Review Committee: NIST appoints a balanced committee of producers, distributors, and users to review the proposed standard and make recommendations; committee composition must reflect the diversity of affected stakeholders; the SRC's approval or disapproval is advisory — NIST makes the final determination
  • § 10.7 — Publication: if a proposed standard achieves substantial consensus, NIST publishes it as a Voluntary Product Standard; the standard is identified by a PS number and year (e.g., PS 1-23 for structural plywood, PS 2-23 for performance-rated panels); publication does not mandate compliance — adoption occurs when the standard is incorporated into building codes, procurement specifications, or trade agreements
  • § 10.10 — Review: each published PS is reviewed regularly to determine whether its technical content remains current or whether sponsorship should be transferred to a private standards organization (ANSI, ASTM, APA); the preferred outcome is that the private sector assumes responsibility for maintaining the standard under ANSI's accredited process, with NIST withdrawing from the coordination role
  • § 10.15 — Interpretations: NIST provides binding interpretations of published Voluntary Product Standards on written request; for PS 20-70 (the American Softwood Lumber Standard), NIST coordinates interpretation requests with the American Lumber Standard Committee; this interpretation authority is significant in disputes about whether specific lumber shipments comply with grading rules

  The Voluntary Product Standards program has produced dozens of nationally recognized standards that underpin construction, packaging, and materials trade. PS 20-70 (softwood lumber) and PS 1-23/PS 2-23 (structural wood panels) are embedded in every residential building code in the United States — a 2x4 stud is a "2x4" because PS 20-70 defines those dimensions. The program is less active today than in the mid-20th century when many basic industrial dimensions needed standardization; most new standards development occurs through ANSI-accredited private organizations like ASTM, ASHRAE, and APA. NIST retains an active coordination role primarily for the lumber standard, where the complexity of species, grade, and moisture interactions creates ongoing need for authoritative federal interpretation.

• 15 CFR Part 285 — National Voluntary Laboratory Accreditation Program (NVLAP): NIST's rules governing how testing and calibration laboratories earn and maintain formal NVLAP accreditation — the government's third-party certification that a laboratory is technically competent to produce reliable test results. NVLAP accreditation is required or strongly preferred for laboratories testing products under many federal programs (energy efficiency testing for DOE, electromagnetic compatibility testing for FCC, asbestos bulk analysis for EPA). Key provisions:

  • § 285.1 — Purpose: NVLAP operates as an unbiased third-party accreditation body; accreditation is granted for specific Laboratory Accreditation Programs (LAPs) covering particular test methods or calibration services — a laboratory may hold accreditation in multiple LAPs (e.g., acoustics, construction materials, food testing)
  • § 285.4 — Establishment of LAPs: NIST creates a new LAP when there is sufficient government or private-sector need for independent assessment of laboratory competence in a test area; LAPs are documented in NVLAP handbooks specifying applicable standards, technical criteria, and proficiency testing requirements; active LAPs cover areas including energy, environmental, building materials, IT security, and calibration
  • § 285.5 — Termination of LAPs: NIST may terminate an LAP when program objectives have been met, demand has declined, or the private sector has developed adequate non-governmental accreditation infrastructure; before termination, NIST gives affected labs 90 days to transition to another accreditation body
  • § 285.10 — Renewal: accreditation runs one year; renewal requires resubmission of the application and fees before the expiration date; NVLAP may require an on-site reassessment annually or on a longer cycle depending on the LAP's risk profile; lapses in accreditation between renewal and reactivation require treatment as new applications
  • § 285.12 — Monitoring visits: NVLAP may conduct unannounced or announced monitoring visits at any time during the accreditation period; monitoring can be triggered by proficiency testing failures, customer complaints, or random selection; monitoring findings that reveal significant technical deficiencies may result in suspension of accreditation
  • § 285.13 — Denial, suspension, and revocation: NVLAP may deny, suspend, or revoke accreditation if a laboratory fails to meet the criteria in NIST Handbook 150 (the core technical requirements — competency of personnel, adequacy of equipment, quality management system, measurement uncertainty, and traceability of calibrations); before revocation, NVLAP provides written notice and an opportunity to correct deficiencies; laboratories may voluntarily terminate participation at any time by written notice
  • § 285.14 — Accreditation criteria: the technical requirements for NVLAP accreditation are in NIST Handbook 150 and the specific LAP handbooks (e.g., NIST Handbook 150-2E for electromagnetic compatibility testing); the core standard is ISO/IEC 17025 — the international standard for testing and calibration laboratory competence — supplemented by NIST-specific requirements for traceability to NIST measurement standards

  NVLAP accreditation signals to regulatory agencies and buyers that a laboratory's test results are technically sound and reproducible. Because NIST itself is the national measurement standards authority (maintaining physical standards for time, length, mass, temperature, etc.), NVLAP accreditation includes verification that the laboratory's measurement equipment is calibrated to traceable NIST standards — a link from the test result back to fundamental physical constants. In the energy efficiency context, DOE requires NVLAP-accredited laboratories for testing appliances under the Appliance Standards Program; in IT security, NVLAP-accredited labs are required for validating cryptographic modules under the Cryptographic Module Validation Program (CMVP). Over 1,500 laboratories in the U.S. and internationally hold NVLAP accreditation across more than 50 LAPs.

• 15 CFR Part 286 — National Voluntary Conformity Assessment System Evaluation (NVCASE): NIST's program for evaluating U.S.-based conformity assessment bodies — testing laboratories, product certifiers, and quality system registrars — so that their results will be accepted by foreign governments as meeting that country's import requirements. Implements 15 U.S.C. § 272(b)(3) (NIST's authority to develop and maintain conformity assessment programs that advance U.S. trade). The program is oriented toward export facilitation: a U.S. manufacturer that uses an NVCASE-evaluated certifier can demonstrate that its product testing was performed to standards comparable in rigor to what the importing country requires, avoiding retesting in the foreign country.

  • § 286.1–286.2 — Purpose and scope: NVCASE covers three conformity assessment activities: (1) product sample testing — laboratory testing of product samples against specified standards; (2) product certification — third-party determination that a product meets specified requirements; and (3) quality system registration — third-party evaluation of a manufacturer's quality management system (ISO 9001 or equivalent); a U.S. conformity assessment body that participates in NVCASE has its procedures evaluated by NIST (or a NIST-recognized evaluation body) against the requirements of the receiving foreign government or regional accreditation scheme
  • § 286.3–286.4 — Objective and implementation: NVCASE identifies U.S. conformity assessment bodies whose activities are evaluated as meeting the requirements established by foreign governments for accepting test and certification results; the program is operated on a cost-reimbursable basis — participants pay NIST's costs for program administration and evaluation; participation is voluntary and open to any U.S.-based body
  • § 286.5 — Program requirements: NIST maintains documented generic requirements used in evaluating conformity assessment bodies; requirements vary by type of body and the foreign acceptance criteria being evaluated (e.g., EU Notified Body requirements differ from ASEAN mutual recognition requirements); NIST provides documentation to prospective participants before application
  • § 286.8 — Evaluation: NIST conducts or oversees evaluation of participating bodies against the documented requirements; evaluations may assess management competence, technical procedures, personnel qualifications, equipment calibration, and quality system documentation; successful evaluations result in issuance of a NIST program certificate valid for the assessment areas covered
  • § 286.11 — Listings: NIST publicly maintains lists of bodies holding current NVCASE certificates, organized by assessment area; separate lists are maintained for bodies accredited by NIST-recognized accreditation organizations (e.g., ANAB — ANSI National Accreditation Board); the listings allow foreign importing authorities and U.S. manufacturers to identify which U.S. conformity assessment bodies have been evaluated against specific foreign requirements
  • § 286.12 — Termination: participants may voluntarily terminate at any time; NIST may involuntarily terminate participation if a body no longer meets program requirements or if NIST determines termination is in the public interest; terminated bodies must stop claiming NVCASE program status

  NVCASE is NIST's trade-facilitation analog to NVLAP (laboratory accreditation): while NVLAP accredits laboratories for domestic regulatory purposes, NVCASE evaluates conformity assessment bodies for international trade acceptance. The program is most relevant to manufacturers seeking to sell regulated products — electrical equipment, toys, personal protective equipment, medical devices — in export markets (EU, Japan, South Korea, ASEAN countries) where importing authorities accept results from NVCASE-evaluated bodies. NVCASE operates alongside bilateral Mutual Recognition Agreements (MRAs) negotiated by USTR and NIST with trading partners; NVCASE-evaluated bodies may qualify as U.S. testing entities under applicable MRAs, significantly reducing the cost and time of market entry in regulated product categories.

• 15 CFR Part 270 — National Construction Safety Teams: NIST's implementing regulations for the National Construction Safety Team Act (Pub. L. 107-231), which authorizes the NIST Director to establish investigative teams to assess building failures, fires, explosions, and other events that cause "substantial loss of life" or are of "national significance." The NCST Act was enacted specifically in response to the World Trade Center collapses on September 11, 2001 — the need for a formal federal investigation mechanism for catastrophic building failures that could improve building codes and save lives was directly spurred by that event:

  • § 270.100 — Deployment threshold: the Director may establish and deploy a Team after an event that caused the failure of a building or buildings resulting in substantial loss of life or the potential for substantial loss of life; the Director also considers whether the event is of national significance or is likely to result in important new information about the performance of buildings; no minimum casualty count is established — the Director exercises discretion in determining when an event warrants NCST deployment
  • § 270.101 — Preliminary reconnaissance: before establishing a formal Team, the Director may conduct a preliminary reconnaissance at the site to gather initial evidence and assess whether a full investigation is warranted; NIST investigators may visit the site within hours of an event to preserve evidence before it is lost through debris removal, fire suppression, or structural stabilization
  • § 270.102 — Conditions for establishment: a Team may be established for deployment after a building failure event that meets the threshold; NIST expects to deploy a Team approximately once per year on average based on prior experience, though actual deployments depend on events
  • § 270.104 — Team composition: team size depends on the scope and complexity of the investigation; teams typically include five or more members — NIST staff engineers, contractors, and technical experts; for events involving highly specialized technical issues (e.g., novel fire behavior, unusual structural failure modes), outside experts may be added; teams are led by a Lead Investigator who has final technical authority over the investigation
  • § 270.105 — Duties of a Team: the Team's Lead Investigator organizes, conducts, and controls all technical aspects of the investigation; Teams must preserve relevant evidence; the Lead Investigator may delegate specific investigation components to team members but retains oversight of final findings; Teams do not have law enforcement or regulatory enforcement authority — the investigation is for fact-finding and code improvement, not liability
  • § 270.200 — Technical conduct: Teams gather evidence through site inspection, materials analysis, structural analysis, computer simulation, interviews with survivors and first responders, and review of building plans and permits; Teams examine factors contributing to the building failure including structural design, construction quality, fire behavior, occupant evacuation, and emergency response; evidence collection must occur as soon as possible after the event to capture physical evidence before the site is remediated
  • § 270.300 — Reports: NIST publishes final investigation reports publicly, including findings, probable cause determinations, and recommendations for building codes, standards, and practices; reports from notable investigations — particularly the WTC investigation (NCSTAR 1 series, published 2005) and the Champlain Towers South collapse investigation (Surfside, FL, 2021) — have directly driven revisions to model building codes adopted by states and municipalities

  The NCST program produces investigations with lasting impact on U.S. building safety policy. The 9/11 WTC investigation (NIST's most extensive, involving 200+ researchers and 3 years of work) produced recommendations that were incorporated into the 2006 International Building Code, including strengthened progressive collapse provisions, improved compartmentalization requirements to limit fire spread, and enhanced egress design standards. The Champlain Towers South investigation documented multiple failure modes in the partially-collapsed condominium, producing recommendations that accelerated reform of condo inspection requirements in Florida and other coastal states. NIST investigations do not assign legal liability and are not used as evidence in litigation — they focus on technical causes and systemic improvements that can prevent future failures.

  Recent investigations: Champlain Towers South (Surfside, FL, 2021 collapse — final report published 2024); Honolulu Marco Polo high-rise fire (2017); NIST NCST investigations are relatively infrequent by design — each investigation requires substantial resources and typically takes 2–4 years to complete.

Pending Legislation

No standalone NIST authorization bills pending in the 119th Congress.

Recent Developments

• Cybersecurity Framework 2.0 (February 2024): The first major update to NIST's CSF since its 2014 introduction added a sixth core function — "Govern" — emphasizing organizational accountability and supply chain risk management. CSF 2.0 explicitly expanded scope beyond critical infrastructure to all organizations, and added an Implementation Examples layer for practical guidance. Federal agencies began updating their risk management plans to CSF 2.0 through 2025.
• Post-Quantum Cryptography standards finalized (August 2024): NIST finalized its first three post-quantum cryptography algorithms — FIPS 203 (ML-KEM/CRYSTALS-Kyber), FIPS 204 (ML-DSA/CRYSTALS-Dilithium), and FIPS 205 (SLH-DSA/SPHINCS+) — after a 6-year international competition and public review process. These algorithms are designed to resist attacks from future quantum computers that could break current RSA and elliptic curve cryptography. Federal agencies were directed to begin migration planning; the transition is expected to take 10-15 years across government and industry.
• AI Risk Management Framework adoption (2023-2025): The NIST AI RMF, published January 2023, has been adopted by dozens of federal agencies as their foundational AI governance framework and referenced in multiple state AI laws. NIST published Generative AI profiles (NIST AI 100-1 and related documents) in 2024 to address large language models specifically. The Biden administration's October 2023 AI Executive Order directed federal agencies to use the NIST AI RMF; the Trump administration maintained the AI RMF framework while rescinding the Biden EO.
• CHIPS Act science funding (2022-2026): The CHIPS and Science Act (2022) significantly expanded NIST's budget and mandate, including $1.5 billion over 10 years for NIST's Manufacturing USA program and additional funding for NIST's physical laboratory research. The CHIPS program directed NIST to support semiconductor manufacturing workforce development and metrology for advanced chip fabrication — an area where NIST measurement standards are essential for sub-nanometer chip production at 3nm and below.