# White House ONCD "Back to the Building Blocks" (February 2024)

## §1 Provenance
- White House Office of the National Cyber Director. **"Back to the Building Blocks: A Path Toward Secure and Measurable Software"**, February 2024. 19 pages. https://bidenwhitehouse.archives.gov/wp-content/uploads/2024/02/Final-ONCD-Technical-Report.pdf
- Press release: https://bidenwhitehouse.archives.gov/oncd/briefing-room/2024/02/26/press-release-technical-report/
- Anjana Rajan, Assistant National Cyber Director for Technology Security — primary spokesperson at release.
- Coverage: Tom's Hardware, **"White House urges developers to avoid C and C++, use 'memory-safe' programming languages"**. https://www.tomshardware.com/software/security-software/white-house-urges-developers-to-avoid-c-and-c-use-memory-safe-programming-languages
- The Record from Recorded Future News, **"After decades of memory-related software bugs, White House calls on industry to act"**. https://therecord.media/memory-related-software-bugs-white-house-code-report-oncd
- InfoWorld, **"White House urges developers to dump C and C++"**. https://www.infoworld.com/article/2336216/white-house-urges-developers-to-dump-c-and-c.html
- Stack Overflow Blog, **"In Rust we trust? White House Office urges memory safety"** (Dec 2024). https://stackoverflow.blog/2024/12/30/in-rust-we-trust-white-house-office-urges-memory-safety/
- ISO C++ Directions Group response (Feb 2024) pushing back on the framing.

## §2 Claim
The report's central claim is a **dual call to action**:

1. **Adopt memory-safe languages.** Memory-safe languages are the most effective single intervention for reducing memory-safety vulnerabilities at scale. The report explicitly names **C and C++** as examples of memory-unsafe languages and **Rust** as an example of a memory-safe language.
2. **Improve software measurability.** The research community should make progress on the hard problem of measuring software cybersecurity quality — so that procurement officers, regulators, and customers can compare products meaningfully.

The report frames memory-safety vulnerabilities as a **35-year problem**: from the Morris worm (1988) through Slammer (2003), Heartbleed (2014), Trident (2016), and BLASTPASS (2023) — all rooted in memory-safety bugs. It cites Microsoft and Google studies that "approximately 70 percent of all security vulnerabilities are caused by memory safety issues".

The report distinguishes **spatial** memory-safety bugs (out-of-bounds access) from **temporal** bugs (use-after-free, double-free, race-on-free) and notes that *both* must be addressed.

The report carves out a careful exception for **space systems**, noting three constraints (close-to-kernel, deterministic timing, no garbage collector) and acknowledging that "at this time, the most widely used languages that meet all three properties are C and C++". This is the report's only explicit concession to legacy C/C++ use.

## §3 Scope and Limits
**Scope.** Federal-government technology procurement, US software-industry direction-setting, research community framing. The report is technical and aspirational, not regulatory.

**Limits.** No enforcement, no procurement clauses, no funding attached. It is a *signal*, not a rule. The "C/C++-adverse" framing is real but rhetorical: the report does not ban C/C++ acquisition, and its space-systems carve-out shows the authors were aware of the impracticality of a hard ban. Critics — most notably the ISO C++ Directions Group — pointed out that memory safety is "a very small part of security" and argued for the in-progress C++ Profiles work as an alternative path.

## §4 May 2026 Status
**Has not been formally re-issued as of May 2026 by the current administration.** The original Biden-era report sits on the National Archives mirror; the document text has not been retracted, and the policy direction has been reinforced by subsequent NSA + CISA guidance (June 2025 CSI) and by the DoD SWFT framework (2025). The Biden-era ONCD also issued related letters / requests for information on open-source security and software measurability.

The 2025 NSA-CISA joint CSI explicitly cites the 2024 ONCD report as a baseline, treating it as the canonical White House position even after administration change. No new ONCD report has been issued that this research has surfaced.

C++ continues to evolve with **Profiles** (Stroustrup's proposed mechanism for selectively restricting unsafe C++ features at compile time), targeting C++26 and beyond. This is the C++ ecosystem's own response to the ONCD pressure. Whether it satisfies the ONCD criteria remains debated; the ONCD report's authors did not endorse Profiles as a substitute for memory-safe languages.

## §5 Cost
The cost of producing the report is negligible (a small ONCD technical-report effort). The *industry cost* is enormous and largely indirect: the report's signalling effect contributes to multi-billion-dollar memory-safe-language adoption efforts at major vendors. The exception carve-out for space systems means specialist domains face no direct conversion pressure, but the broader software market does.

For a small project like Mochi, the "cost" is zero — Mochi is memory-safe by construction. The cost to *anyone using Mochi* is the same as adopting any other memory-safe language.

## §6 Mochi Adaptation Note
The ONCD report is the **single most authoritative White House signal on memory safety**, and Mochi should explicitly align with it.

- **The C/C++-adverse stance is what MEP-41 should explicitly endorse.** Mochi is in part a response to the same observation: dynamic languages and Go-style languages are memory-safe by construction; C and C++ are not; the cost of bug-fixing in C/C++ is unbounded. MEP-41 can quote the report's framing.
- **The "spatial vs temporal" distinction is the right vocabulary.** MEP-41 should use this terminology when discussing Mochi's Cell design: the (base, slab_idx) component handles spatial safety; the generation tag handles temporal safety. Both are first-class concerns, both are explicitly addressed by the Cell design, and the ONCD report is the right citation.
- **The "memory safety is the dominant single CWE category" framing is the right rhetorical move.** MEP-41 can use the ONCD's 35-year vulnerability history as the motivating story for why a new language warrants a new runtime design.
- **The space-systems carve-out is irrelevant to Mochi.** Mochi is not aimed at hard-real-time embedded systems. MEP-41 need not engage with the carve-out except to note that Mochi targets the general-application space the report applies to.
- **The "software measurability" leg of the ONCD report is interesting for Mochi.** ONCD asked the research community to make progress on measurability. Mochi can contribute one tiny piece: publishing memory-safety-relevant data about Mochi-runtime issues over time. MEP-41 can commit to this as a contribution to the measurability agenda.

## §7 Open Questions for MEP-41
1. Should MEP-41 directly quote the ONCD report's "memory-safe languages are the most effective intervention" sentence as its motivating claim?
2. Should MEP-41 explicitly classify Mochi as *memory-safe-by-construction at the language layer, memory-safe-by-runtime-enforcement at the program-state layer*? This is more precise than the ONCD's binary safe/unsafe framing.
3. The ONCD's measurability ask is mostly unanswered by industry. Should Mochi commit to publishing per-release memory-safety metrics as a small contribution to this open problem?
4. C++ Profiles are positioned as the C++ alternative path. Should MEP-41 briefly contrast Mochi's runtime-enforced safety with the static-analysis-augmented-C++ direction Profiles represents?
5. The ONCD report does not name Go, Java, Python, or JavaScript — only Rust as the safe-language example. Should MEP-41 note that Mochi is more in the Go / Java / Python family (runtime-enforced) than in the Rust family (compile-time-enforced)? Honest framing matters here.