CISA and Global Partners Press for Memory-Safe Roadmaps — November 14, 2023
Nineteen international agencies urged technology manufacturers to publish transition plans away from memory-unsafe languages and legacy code.
Executive briefing: CISA, the FBI, NSA, and 16 international cybersecurity authorities released guidance titled "The Case for Memory Safe Roadmaps" [AA23-319A]. The publication calls on software suppliers to adopt memory-safe programming languages, modern exploit mitigations, and secure development lifecycle controls, and to publish dated roadmaps for doing so. CISA's later, voluntary Secure by Design pledge asked signatories to publish memory safety roadmaps and report progress against them so that customers can evaluate the commitments. [Pledge launch] [Pledge fact sheet]
Core recommendations
- Roadmap publication. Vendors should share timelines for migrating critical products from C and C++ code to languages with built-in memory safety or apply hardening techniques where rewrites are infeasible.
- Secure-by-design expectations. The guidance encourages exploit mitigations enabled by default, such as control-flow integrity (CFI) and address space layout randomization (ASLR), across product portfolios. These raise the cost of exploiting memory-safety bugs but do not remove them; they are a stopgap for code that cannot yet be migrated, not a substitute for a memory-safe language.
- Supply chain transparency. Agencies recommend providing customers with SBOMs and vulnerability reporting channels to track legacy components.
Control alignment guidance
- CISA Secure by Design Pledge. Align roadmap commitments with the voluntary product security principles announced at the 2024 RSA Conference. [Pledge launch] [Pledge fact sheet]
- ISO/IEC 27034. Integrate memory safety objectives into application security lifecycle governance and secure coding policies.
- OWASP SAMM. Update assurance programs to monitor language selection, compiler hardening, and dependency hygiene.
Operational recommendations
- Inventory products and components written in memory-unsafe languages (C, C++, and packages in managed languages that bundle native code), and prioritize those exposed to the internet or shipped to critical infrastructure customers.
- Adopt modern toolchains for high-risk modules: run memory and undefined-behaviour sanitizers (for example clang's AddressSanitizer and UBSan) in CI and fuzzing, build production binaries with compiler hardening flags, and rewrite the highest-risk components in a memory-safe language such as Rust or C#. Sanitizers are a testing aid with heavy runtime overhead, not a production mitigation.
- Communicate roadmap milestones to customers via product security portals and coordinate with CERTs on vulnerability disclosures.
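The inventory and prioritization step above is the part a product security team actually has to automate. The following Python script is an added example, not CISA's guidance or any vendor's tooling: it reads a CycloneDX-style SBOM, infers each component's implementation language from its package URL (purl) type or an explicit property, flags memory-unsafe components (including managed-language packages that carry native code), weights them by exposure, and emits a ranked list of roadmap candidates. The SBOM is constructed inline, and the property names `language`, `native-code` and `exposure`, the purl-type-to-language table, and the exposure weights are all assumptions chosen for the example.

```python
"""Rank memory-unsafe SBOM components for a memory-safety roadmap.

Added illustration only. The property names and scoring weights below are
assumptions for this example, not part of the CycloneDX specification or of
CISA's guidance.
"""
import json

# Working assumption: map common purl types to a primary language.
PURL_TYPE_LANGUAGE = {
    "cargo": "rust", "golang": "go", "npm": "javascript", "pypi": "python",
    "maven": "java", "nuget": "csharp", "conan": "c++",
}
MEMORY_UNSAFE = {"c", "c++", "objective-c", "assembly"}

# Hypothetical exposure weights: internet-facing and critical-infrastructure
# components sort to the top of the roadmap.
EXPOSURE_WEIGHT = {"internet": 3, "critical-infrastructure": 3, "internal": 1, "none": 0}


def _properties(component):
    """Flatten CycloneDX name/value properties into a dict."""
    return {p["name"]: p["value"] for p in component.get("properties", [])}


def component_language(component):
    """Resolve the language: an explicit 'language' property (assumed name)
    wins; otherwise fall back to the purl type; otherwise 'unknown'."""
    props = _properties(component)
    if "language" in props:
        return props["language"].lower()
    purl = component.get("purl", "")
    if purl.startswith("pkg:"):
        purl_type = purl[len("pkg:"):].split("/", 1)[0]
        return PURL_TYPE_LANGUAGE.get(purl_type, "unknown")
    return "unknown"


def classify(component):
    """Return 'migrate' for memory-unsafe code, 'review' when the language
    cannot be determined, and 'ok' for a memory-safe component.
    A safe-language package with bundled native code (hypothetical
    'native-code' property) is treated as memory-unsafe."""
    if _properties(component).get("native-code", "false").lower() == "true":
        return "migrate"
    lang = component_language(component)
    if lang == "unknown":
        return "review"
    return "migrate" if lang in MEMORY_UNSAFE else "ok"


def prioritize(sbom):
    """Score every component; unknown-language components keep their exposure
    weight because they must be resolved before the roadmap is credible."""
    rows = []
    for component in sbom.get("components", []):
        status = classify(component)
        exposure = _properties(component).get("exposure", "internal")
        score = EXPOSURE_WEIGHT.get(exposure, 1) if status != "ok" else 0
        rows.append({"name": component["name"], "language": component_language(component),
                     "exposure": exposure, "status": status, "score": score})
    # Highest score first; 'migrate' sorts before 'review' at equal score.
    rows.sort(key=lambda r: (-r["score"], r["status"], r["name"]))
    return rows


def roadmap_candidates(sbom):
    """Only components that need action appear on the roadmap."""
    return [r for r in prioritize(sbom) if r["status"] != "ok"]


# Constructed sample SBOM (CycloneDX-shaped), not from any real product.
SAMPLE_SBOM = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"name": "edge-proxy", "purl": "pkg:generic/edge-proxy@2.1",
     "properties": [{"name": "language", "value": "C"}, {"name": "exposure", "value": "internet"}]},
    {"name": "admin-cli", "purl": "pkg:cargo/admin-cli@0.4",
     "properties": [{"name": "exposure", "value": "internet"}]},
    {"name": "image-codec", "purl": "pkg:pypi/image-codec@1.2",
     "properties": [{"name": "native-code", "value": "true"}, {"name": "exposure", "value": "internal"}]},
    {"name": "scada-agent", "purl": "pkg:conan/scada-agent@3.0",
     "properties": [{"name": "exposure", "value": "critical-infrastructure"}]},
    {"name": "legacy-blob",
     "properties": [{"name": "exposure", "value": "internet"}]}
  ]
}""")

if __name__ == "__main__":
    for row in roadmap_candidates(SAMPLE_SBOM):
        print(f'{row["score"]}  {row["status"]:8}{row["name"]:14}{row["language"]:10}{row["exposure"]}')
```

Running the script lists `edge-proxy` and `scada-agent` first (memory-unsafe and highly exposed), then `legacy-blob`, whose language the SBOM does not record and which therefore needs a manual review before any milestone can be committed, then the Python package with a native extension; the Rust CLI is excluded. The point of the `review` status is that an SBOM that cannot tell you what a component is written in is itself a roadmap gap, and silently treating it as safe would understate the migration scope.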