In a bold move towards safer software ecosystems, CISA and the FBI recommend phasing out memory-unsafe languages, highlighting C and C++ as risky choices for critical infrastructure projects.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued guidance calling for software manufacturers to transition away from languages like C and C++ by January 1, 2026. This recommendation is part of a broader set of guidelines aimed at reducing security vulnerabilities that are prevalent in products used within critical infrastructure and essential national functions.
The report from CISA and the FBI is clear: memory-unsafe languages introduce potential risks that, in the modern threat landscape, can no longer be ignored. By urging software manufacturers to move to safer programming alternatives, the agencies hope to mitigate the risk of serious vulnerabilities that cybercriminals can exploit. While the guidance is not legally binding, it carries significant weight, especially for manufacturers seeking to work with federal agencies.
Why Memory Safety Matters
C and C++ are widely known for their flexibility and performance benefits, but this flexibility comes at a cost. In contrast to memory-safe languages, C and C++ give programmers direct access to memory, increasing the risk of errors such as buffer overflows or memory leaks if not managed precisely. Such vulnerabilities can be exploited by attackers, leading to potential breaches, data corruption, or service disruption.
The federal agencies identify memory safety as a top priority, describing development in memory-unsafe languages as “exceptionally risky” for any product tied to national security, public safety, or essential infrastructure.
A Roadmap to Memory Safety
To guide this transition, the report sets forth specific actions that software manufacturers should complete by the start of 2026. For existing products that rely on memory-unsafe languages, manufacturers should establish a “memory safety roadmap.” This document should detail how each company plans to prioritize and mitigate memory vulnerabilities across critical code components, especially those involved in network communications or sensitive operations like encryption.
Additionally, manufacturers are urged to demonstrate a clear commitment to following these roadmaps, indicating tangible progress toward reducing memory safety vulnerabilities. Failure to implement such plans could be seen as ignoring a critical step in aligning with federal cybersecurity standards.
Safer Alternatives on the Horizon
To replace C and C++, CISA and the FBI recommend a suite of memory-safe programming languages, many of which are already trusted within the cybersecurity community. These languages include:
- Python
- Java
- C#
- Go
- Delphi/Object Pascal
- Swift
- Ruby
- Rust
- Ada
Each of these languages offers built-in memory protections, limiting the likelihood of vulnerabilities that attackers could exploit. Rust, for example, is particularly praised for its strict memory safety guarantees, which prevent several types of bugs common in traditional languages.
Additional Practices to Reduce Cyber Risk
Beyond memory safety, CISA and the FBI flagged several other “bad practices” that pose high security risks if left unaddressed. These practices include:
- Direct SQL Query Strings from User Inputs: Allowing user-generated data into SQL queries without sanitization or parameterization, which can lead to SQL injection attacks.
- Default Passwords: Products shipped with default passwords are prime targets for attackers, who can easily gain access. The report advises using instance-unique passwords and requiring new ones at setup.
- Known Exploitable Vulnerabilities: Products should not contain known vulnerabilities at the time of release. If vulnerabilities are discovered post-release, manufacturers should act quickly to patch them at no cost.
- Open-Source Software with Exploitable Vulnerabilities: While open-source components are widely used, they must be scrutinized and regularly updated to avoid security risks.
- Multifactor Authentication: Ensuring products support and enable multifactor authentication (MFA), especially for administrator accounts, is critical to mitigating unauthorized access.
Preparing for a Safer Software Ecosystem
By prioritizing memory-safe programming languages and following the recommended practices, manufacturers can play a vital role in improving the nation’s cybersecurity posture. Although the guidelines remain voluntary, it’s clear that CISA and the FBI are setting the stage for a future where memory safety is not optional.
For many developers, the transition may represent a shift in mindset, requiring new skills and an openness to alternative languages. Nevertheless, for those in critical infrastructure, the recommendation signals an opportunity to set a higher security standard. If manufacturers adopt these practices, the software landscape may see a significant decline in vulnerabilities, ushering in a new era of more secure and resilient code.
As the 2026 deadline approaches, the industry will be watching closely to see which organizations take the lead in adopting these practices—and which may risk falling behind.