> Gah, just when you think you can trust time.nist.gov

You still can...

If you're that considered about 5 microseconds: Build your own Stratum 1 time server https://github.com/geerlingguy/time-pi

or just use ntppool https://www.ntppool.org/en/

Most places that need accurate time get it from GPS. That is 10-100 ns.

Also, you can use multiple NIST servers. They have ones in Fort Collins, CO and Gaithersburg, MD. Most places shouldn't use NIST directly but Stratum 1 name servers.

Finally, NTP isn't accurate enough, 10-100 ms, for microsecond error to matter.

Yes.

Use NTP with ≥4 diverse time sources, just as RFC 5905 suggests doing. And use GPS.

(If you're reliant upon only one source of a thing, and that thing is important to you in some valuable way, then you're doing it wrong. In other words: Backups, backups, backups.)

their handling it responsibly seems like more evidence for trusting them, not less?

Use the other servers as well: https://tf.nist.gov/tf-cgi/servers.cgi

For instance, time-a-wwv.nist.gov.

One should configure a number of different NTP sources instead of just a single host.

I'm more concerned about what you think they did to earn your trust in the first place