Federal agencies are urging software manufacturers to phase out the use of C, C++, and other memory-unsafe programming languages by January 2026, marking a decisive stance against programming practices deemed potentially threatening to national security. The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) have jointly issued this guidance through their Product Security Best Practices report, emphasizing the critical nature of memory safety in software development.
While the recommendations remain non-binding, they carry considerable weight, particularly for companies involved in critical infrastructure or national security functions. The federal agencies’ message is clear: the continued use of memory-unsafe languages represents an unacceptable risk to national security in today’s increasingly complex cybersecurity landscape.
The push against C and C++ stems from these languages’ fundamental approach to memory management. Despite offering developers significant flexibility and control over memory operations, these languages lack built-in protections against common memory-related vulnerabilities. According to a 2023 National Security Agency (NSA) report, this reliance on programmer vigilance for memory safety creates opportunities for threat actors to exploit potential oversights and vulnerabilities.
The federal guidance provides software manufacturers with a clear timeline and specific expectations. By the start of 2026, companies are expected to either transition to memory-safe languages or develop comprehensive memory safety roadmaps for their existing products. These roadmaps must detail prioritized approaches to eliminating memory safety vulnerabilities in critical code components and demonstrate reasonable progress in implementation.
As alternatives to C and C++, the NSA has endorsed several programming languages that incorporate built-in memory safety features. These include widely-used languages such as Python, Java, and C#, as well as newer options like Rust and Go. The endorsement of these languages reflects a growing consensus in the cybersecurity community about the importance of built-in memory protections in modern software development.
The implications of this guidance extend beyond just programming language choices. The federal agencies’ report addresses a broader spectrum of security concerns, identifying several practices they consider “exceptionally risky.” These include common vulnerabilities such as SQL injection risks through unfiltered user input, the use of default passwords, and the deployment of software containing known exploitable vulnerabilities.
The timing of this guidance is particularly significant, coming amid increasing concerns about cybersecurity threats to critical infrastructure and national security systems. By focusing on memory safety, the federal agencies are addressing a fundamental aspect of software security that has been a persistent source of vulnerabilities. According to security researchers, memory safety issues have historically been responsible for a substantial portion of critical software vulnerabilities.
This push for memory safety represents a broader shift in how the federal government approaches software security. Rather than focusing solely on post-development security measures, the guidance emphasizes the importance of “Secure by Design” principles, where security is built into software from the ground up. The agencies argue that manufacturers who follow these recommendations will demonstrate their commitment to customer security outcomes, a crucial consideration for organizations working on critical infrastructure or national security projects.
The guidance also emphasizes the importance of transparency and accountability in software security. Manufacturers are expected to maintain clear vulnerability disclosure policies and publish timely Common Vulnerabilities and Exposures (CVE) reports, including Common Weakness Enumeration (CWE) information. This focus on disclosure helps create a more informed and secure software ecosystem, where vulnerabilities can be quickly identified and addressed.
While the 2026 deadline might seem ambitious, particularly for organizations with large codebases written in C or C++, the federal agencies’ approach provides flexibility in implementation. Organizations can either transition to memory-safe languages or demonstrate meaningful progress in addressing memory safety issues in their existing code. This pragmatic approach acknowledges the challenges of transitioning legacy systems while maintaining a firm stance on the importance of memory safety.
The impact of this guidance is likely to reverberate throughout the software industry, potentially influencing development practices well beyond the government sector. As organizations increasingly recognize the security implications of their programming language choices, we may see a broader industry shift toward memory-safe languages, particularly in critical applications and infrastructure.
For software manufacturers, particularly those working with government systems or critical infrastructure, the message is clear: the era of accepting memory-unsafe languages as a necessary risk is coming to an end. The future of secure software development lies in embracing languages and practices that prioritize memory safety by design, rather than relying on perfect implementation by developers.
Add Comment