C/C++’s Demise Looms as US Government Demands a Shift to Memory-Safe Languages by 2026
Washington D.C. – In a significant move signaling the US government’s growing concern over software security, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a stark warning against the use of C and C++ in critical infrastructure software. The agencies’ latest report, released on November 1st, 2024, explicitly identifies these languages as a major risk factor, urging developers to transition to memory-safe alternatives.
The report categorizes the use of C and C++ as a product attribute that poses a significant threat to national security, economic stability, and public health. The report states, "The use of non-memory-safe languages, such as C or C++, in the development of new product lines supporting critical infrastructure or National Critical Functions (NCF) may introduce risks that significantly increase the risk to national security, national economic security, and the national public health and safety."
This latest directive builds upon previous warnings issued by the US government in 2022, which encouraged the adoption of memory-safe languages. However, the 2024 report takes a more forceful stance, demanding a complete transition away from C and C++ for critical software by 2026. This deadline underscores the urgency of the situation and the government’s commitment to safeguarding critical infrastructure from vulnerabilities inherent in these languages.
The report recommends a comprehensive approach to software security, encompassing product attributes, security features, and organizational processes. It encourages developers to prioritize security from the initial design phase, emphasizing the importance of robust testing and code review practices.
"This guidance is a continuation of the US government’s earlier statements on software security, which date back to 2022, aimed at reminding technology providers and enterprise users to use or migrate to memory-safe languages," explains Brad Shimmin, an analyst at Omdia. While the previous document and the US government’s position were relatively moderate, without immediately requiring a migration from C/C++ to Rust, the CISA’s design document also mentions that software maintainers simply cannot complete such a large-scale codebase migration in a short period of time.
While the 2022 guidelines were voluntary, the latest report marks a significant shift, imposing a mandatory deadline for the transition. This move reflects the government’s growing awareness of the potential consequences of vulnerabilities in critical infrastructure software.
The deadline of 2026 presents a significant challenge for developers, requiring them to adapt their coding practices and potentially rewrite existing codebases. However, the potential benefits of increased security and reduced risk of vulnerabilities outweigh the challenges.
This directive is likely to have a profound impact on the software development industry, prompting a wider adoption of memory-safe languages like Rust and Go. As the deadline approaches, developers and organizations will need to prioritize the transition, ensuring the security and resilience of critical infrastructure.
References:
- CISA and FBI Report on Software Security Best Practices (2024)
- Omdia Analysis on Software Security Trends (2024)
- Previous US Government Guidelines on Software Security (2022)