diff --git a/include/stdio.h b/include/stdio.h --- a/include/stdio.h +++ b/include/stdio.h @@ -530,4 +530,7 @@ __END_DECLS __NULLABILITY_PRAGMA_POP +#if _FORTIFY_SOURCE +#include +#endif #endif /* !_STDIO_H_ */ diff --git a/include/string.h b/include/string.h --- a/include/string.h +++ b/include/string.h @@ -168,4 +168,7 @@ #endif /* __EXT1_VISIBLE */ __END_DECLS +#if _FORTIFY_SOURCE +#include +#endif #endif /* _STRING_H_ */ diff --git a/include/strings.h b/include/strings.h --- a/include/strings.h +++ b/include/strings.h @@ -68,4 +68,7 @@ #endif __END_DECLS +#if _FORTIFY_SOURCE +#include +#endif #endif /* _STRINGS_H_ */ diff --git a/include/unistd.h b/include/unistd.h --- a/include/unistd.h +++ b/include/unistd.h @@ -37,6 +37,10 @@ #include #include +#if _FORTIFY_SOURCE +#include +#endif + #ifndef _GID_T_DECLARED typedef __gid_t gid_t; #define _GID_T_DECLARED diff --git a/lib/libthr/Makefile b/lib/libthr/Makefile --- a/lib/libthr/Makefile +++ b/lib/libthr/Makefile @@ -11,6 +11,9 @@ .include MK_SSP= no +# SSP forced off already implies FORTIFY_SOURCE=0, but we must make sure that +# one cannot turn it back on. +FORTIFY_SOURCE= 0 LIB=thr SHLIB_MAJOR= 3 diff --git a/libexec/rtld-elf/Makefile b/libexec/rtld-elf/Makefile --- a/libexec/rtld-elf/Makefile +++ b/libexec/rtld-elf/Makefile @@ -15,6 +15,10 @@ .include +# SSP forced off already implies FORTIFY_SOURCE=0, but we must make sure that +# one cannot turn it back on. +FORTIFY_SOURCE= 0 + .if !defined(NEED_COMPAT) CONFS= libmap.conf .endif diff --git a/share/mk/bsd.sys.mk b/share/mk/bsd.sys.mk --- a/share/mk/bsd.sys.mk +++ b/share/mk/bsd.sys.mk 
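Review bot: In include/stdio.h the new guard `#if _FORTIFY_SOURCE` is true for any non-zero value, including a negative one. It also relies on an undefined macro evaluating to 0, which trips `-Wundef` wherever that warning is not suppressed for system headers. share/mk/bsd.sys.mk in this same commit tests `> 0`, so the header guard would be more consistent as `#if defined(_FORTIFY_SOURCE) && _FORTIFY_SOURCE > 0`. The same guard appears in the include/string.h, include/strings.h and include/unistd.h hunks. The `#include` target is not visible in this rendering of the page, so it cannot be checked here.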
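Review bot: include/unistd.h pulls the fortify header in near the top, before `gid_t` and the file's other declarations, whereas stdio.h, string.h and strings.h include theirs at the very end, after `__END_DECLS`. If the early placement is deliberate, it needs a short comment above the `#if` saying that the header must precede the declarations and why. Otherwise it should move to the end like the other three, so that the wrappers see the types and prototypes they depend on. The rest of unistd.h is outside the hunk, so the required ordering cannot be confirmed from here.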
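Review bot: The comment added in lib/libthr/Makefile promises that one "cannot turn it back on", but a plain `FORTIFY_SOURCE= 0` assignment only overrides defaults and make.conf-style settings. A value passed on the make command line, or a `-D_FORTIFY_SOURCE=...` placed directly in CFLAGS, would presumably still take effect. Reword the comment to state what is actually guaranteed, for example `# Override the FORTIFY_SOURCE default and any make.conf setting; this library must build unfortified.` It should also say why the library cannot be fortified, since "SSP forced off" describes the mechanism rather than the reason. The same comment and assignment are added in libexec/rtld-elf/Makefile, where no `MK_SSP= no` line is visible inside the hunk.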
@@ -295,10 +295,19 @@ CXXFLAGS.clang+= -Wno-c++11-extensions .if ${MK_SSP} != "no" +FORTIFY_SOURCE?= 2 # Don't use -Wstack-protector as it breaks world with -Werror. SSP_CFLAGS?= -fstack-protector-strong CFLAGS+= ${SSP_CFLAGS} +.else +FORTIFY_SOURCE?= 0 .endif # SSP +.if ${FORTIFY_SOURCE} > 0 +# We default FORTIFY_SOURCE=2 if SSP is enabled, or default it to 0 without. +# The program or user can tweak it as needed. +CFLAGS+= -D_FORTIFY_SOURCE=${FORTIFY_SOURCE} +CXXFLAGS+= -D_FORTIFY_SOURCE=${FORTIFY_SOURCE} +.endif # Additional flags passed in CFLAGS and CXXFLAGS when MK_DEBUG_FILES is # enabled. diff --git a/tools/build/options/WITHOUT_SSP b/tools/build/options/WITHOUT_SSP --- a/tools/build/options/WITHOUT_SSP +++ b/tools/build/options/WITHOUT_SSP @@ -1 +1,4 @@ Do not build world with stack smashing protection. +This option also sets +.Ev FORTIFY_SOURCE +to 0 by default. diff --git a/tools/build/options/WITH_SSP b/tools/build/options/WITH_SSP --- a/tools/build/options/WITH_SSP +++ b/tools/build/options/WITH_SSP @@ -1 +1,4 @@ Build world with stack smashing protection. +This option also sets +.Ev FORTIFY_SOURCE +to 2 by default.
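Review bot: `.if ${FORTIFY_SOURCE} > 0` in share/mk/bsd.sys.mk assumes the variable is always a non-empty number. Because the defaults use `?=`, a user who writes `FORTIFY_SOURCE=` (empty) to switch it off would, as far as I can tell, get a malformed-conditional error rather than an unfortified build. Guarding with `.if !empty(FORTIFY_SOURCE) && ${FORTIFY_SOURCE} > 0` avoids that. The explanatory comment about the defaults sits inside the `> 0` block, away from the two `FORTIFY_SOURCE?=` lines it describes, and would read better above `.if ${MK_SSP} != "no"`. That comment should also note that turning SSP off silently drops fortification unless FORTIFY_SOURCE is set explicitly, since the two mitigations are otherwise independent.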