This study addresses the practical deployment challenges of the CHERI memory safety architecture in safety-critical defense software. Over 12 months, an empirical investigation was conducted involving 15 industry–academia–government teams porting representative defense applications to the Arm Morello platform. The study systematically identified six major technical adoption barriers (e.g., hardware platform instability, domain-specific knowledge premium), three critical enabling mechanisms, and—novelly—five classes of configuration-induced *reverse security risks*, including state leakage and insecure default settings that expand the attack surface. Based on these findings, the work proposes the “secure-by-default configuration” principle and a pathway for constructing domain-adapted knowledge frameworks, yielding a reusable CHERI migration methodology. The results provide empirically grounded evidence and actionable decision support for engineering the deployment of memory-safe hardware architectures in high-assurance operational environments.

There is growing interest in securing the hardware foundations software stacks build upon. However, before making any investment decision, software and hardware supply chain stakeholders require evidence from realistic, multiple long-term studies of adoption. We present results from a 12 month evaluation of one such secure hardware solution, CHERI, where 15 teams from industry and academia ported software relevant to Defence to Arm's experimental Morello board. We identified six types of blocker inhibiting adoption: dependencies, a knowledge premium, missing utilities, performance, platform instability, and technical debt. We also identified three types of enabler: tool assistance, improved quality, and trivial code porting. Finally, we identified five types of potential vulnerability that CHERI could, if not appropriately configured, expand a system's attack surface: state leaks, memory leaks, use after free vulnerabilities, unsafe defaults, and tool chain instability. Future work should remove potentially insecure defaults from CHERI tooling, and develop a CHERI body of knowledge to further adoption.