The federal government is encouraging software makers to abandon C/C++ and take other steps that can “reduce risks to customers,” according to the Product Security Best Practices report. In particular, CISA and the FBI have set January 1, 2026 as the deadline for meeting memory security guidelines.

The report covers guidelines and recommendations rather than mandatory rules, particularly for software manufacturers working on critical infrastructure or national critical functions. Agencies specifically highlighted on-premises software, cloud services and software as a service.

Although it is not directly stated that the use of “dangerous” language could disqualify manufacturers from government work, and the report is “non-binding,” the message is simple: such practices are inappropriate for any classified work as relevant to national security.

“By following the recommendations in this guide, manufacturers will signal to customers that they take ownership of customer security outcomes, a key principle of Secure by Design,” the report states.

Memory-hazardous programming languages ​​introduce potential vulnerabilities

The report describes memory-damaging languages ​​as “dangerous and significantly increases the risk to national security.” Developing in memory-hazardous languages ​​is the first practice mentioned in the report.

Memory safety has been a topic of discussion since at least 2019. Languages ​​like C and C++ “offer a lot of freedom and flexibility in memory management while relying heavily on the programmer to perform necessary checks on memory references”. A 2023 NSA Memory Security Report declared. However, the report continues, these languages ​​do not have inherent memory protections that would prevent memory management problems. Threat actors can exploit memory problems that might arise in these languages.

What software makers should do by January 2026

By January 1, 2026, manufacturers should have:

• A memory security roadmap for existing products written in memory-insecure languages, which “should describe the manufacturer’s priority approach to eliminating memory security vulnerabilities in priority code components” .
• A demonstration of how the Memory Security Roadmap will reduce memory security vulnerabilities.
• A demonstration of a “reasonable effort” to follow the roadmap.
• Manufacturers must also use memory-safe language.

Memory-safe languages ​​approved by the NSA include:

• Python.
• Java.
• C#.
• Go.
• Delphi/Object Pascal.
• Fast.
• Ruby.
• Rust.
• Ada.

SEE: Benefits, risks and best practices of password managers (TechRepublic)

Other “bad practices” range from bad passwords to lack of disclosure.

Other practices labeled “exceptionally risky” by CISA and the FBI include:

• Allow user-supplied input directly into the raw content of an SQL database query string.
• Allow user-supplied input directly into the raw content of an operating system command string.
• Using default passwords. Instead, manufacturers must ensure that their product provides “random, instance-unique initial passwords” that they require users to create new passwords at the start of the installation process. , require physical access for initial setup, and move existing deployments away from default passwords.
• Releasing a Product Containing a CISA Vulnerability Catalog of Known Exploited Vulnerabilities (KEV).
• Use of open source software with known exploitable vulnerabilities.
• Do not take advantage of multi-factor authentication.
• Lack of ability to collect evidence of intrusion in the event of an attack.
• Failing to timely publish CVEs, including the Common Weakness Enumeration (CWE), which indicates the type of weakness underlying the CVE.
• Do not publish a vulnerability disclosure policy.

The full report includes recommended next steps that organizations can take to comply with agency guidance.