New US Software Security Standards Target Critical Infrastructure Protection

New US Software Security Standards Target Critical Infrastructure Protection

Darryl K. Taft, writing in TheNewStack, reports that the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI are pushing for enhanced software security standards to protect critical infrastructure.

The agencies’ recent joint report warns against using memory-unsafe programming languages like C and C++, as these languages elevate risks in essential sectors.

This marks the government’s strongest push toward memory-safe software development practices. Software manufacturers have until January 1, 2026, to develop a “memory safety roadmap.” CISA highlights this as an imperative for national safety.

Historically, security flaws from memory-unsafe languages have threatened critical systems, and agencies like CISA have advocated for safer programming practices since 2022. The report identifies three areas of concern: product security properties, security features, and organizational processes.

Previous cybersecurity incidents greatly influenced CISA’s approach, and the report underscores that failure to modernize code for security may soon be viewed as negligence. Although a deadline is set, the report recognizes the challenge of shifting large codebases, given resource constraints and the technical risks of major migrations.

The report’s recommendations for software manufacturers cover avoiding “bad practices” and embracing secure-by-design principles. Key measures include eliminating default passwords, maintaining Software Bills of Materials (SBOMs), and caching dependencies instead of relying on public sources.

Open-source software plays a role, with calls for manufacturers to contribute responsibly and maintain transparency through security logs and published vulnerability disclosures.

The guidance spotlights the evolving regulatory landscape around software security. Lawyers advising tech clients should emphasize compliance readiness for 2026, particularly regarding memory safety and security transparency. Vendors must recognize the growing risk of negligence claims if they don’t follow CISA’s best practices.

Legal teams should monitor this regulatory shift, as the impending deadline may influence potential litigation, compliance challenges, and security-focused business strategies across industries reliant on critical infrastructure software.