I'm fairly sure your question refers to potential limitations in the Advanced Encryption Standard (AES), adopted by the U.S. government for protecting government classified information. However, just in case you're asking about limitations in the process used to choose this block cipher I shall cover this first.
Back in 1997, the National Institute of Standards and Technology (NIST) announced that it needed a successor to the aging Data Encryption Standard (DES), which was becoming vulnerable to brute-force attacks. This new, unclassified, publicly disclosed encryption algorithm would be known as the Advanced Encryption Standard – AES – and, according to the NIST specification, had to be "capable of protecting sensitive government information well into the next century."
After a period of enthusiastic feedback, debate and analysis, the Rijndael design was selected from 15 competing designs as the proposed AES in October 2000. The selection process for the algorithm was open and transparent, which has helped to create great confidence in its security. In fact, the process for choosing the new algorithm drew nothing but praise from the cryptographic community and it's the first publicly accessible and open cipher approved by the National Security Agency (NSA) for top secret information.
AES comprises three block ciphers, AES-128, AES-192 and AES-256, with both software and hardware implementations being considered fast. AES ciphers each have a 128-bit block size, with key sizes of 128, 192 and 256 bits, respectively. There are 10 rounds for 128-bit keys, 12 rounds for 192-bit keys, and 14 rounds for 256-bit keys -- a round consists of several processing steps that convert the input plaintext into the final output of ciphertext. All key lengths are deemed sufficient to protect classified information up to the SECRET level with TOP SECRET information requiring either 192 or 256-bit key lengths.
However, what constitutes strong encryption changes over time. Although no one has successfully cracked the full AES, various researchers have published attacks against reduced round versions of AES. Although these attacks are not deemed practical in the wild as they require laboratory-type conditions, it does show that the safety margin of AES is shrinking as times goes by. So at some point in the not-too-distant future, I would expect NIST to increase the number of rounds of all three AES variants.
For now the only successful published attacks against the full AES have been side-channel attacks on specific implementations. Side-channel attacks don't attack the actual AES cipher, rather its implementation. For example, in 2005 a cache-timing attack broke a custom server using OpenSSL's AES encryption. Encryption algorithms are usually not the weak point in an encryption product or service, but implementation or key management errors can be. This is why the implementation of AES in products intended to protect national security systems and information has to be reviewed and certified by the NSA prior to their use; a solid encryption mechanism used improperly can often lead to a compromise.
For more information:
This was first published in March 2010