The Department of Homeland Security is working with the Office of Management and Budget on policy initiatives to push federal civilian agencies toward setting up their own vulnerability disclosure programs (VDP), a top cyber security agency official said Thursday.

Chris Krebs, director of the Cybersecurity and Infrastructure Security Agency within DHS, told reporters the department is looking for agencies to install VDP programs that could utilize independent researchers to assist in finding flaws in their networks.

Christopher Krebs, Director of the Cybersecurity and Infrastructure Security Agency at DHS. Photo: DHS

“Obviously we think it’s a critical part of any defense-adept approach to have a mechanism where you can intake more ability and discovery from researchers to be able to triage in an appropriate way. And we think it would be useful for federal agencies to have such a thing,” Krebs said.

A Wednesday report from CyberScoop detailed that DHS is considering a new directive for federal civilian agencies to set up VDP programs that would include utilizing independent researchers.

Krebs said a Binding Operational Directive would be “a last resort,” while adding that such an order has been an effective method in the past with certain agencies even requesting DHS guidance to assist in their planning efforts. 

“We are working with OMB on overarching policy, and then sorting what the mechanisms are to get agencies where they need to be,” Krebs said. “More to come here, but any way you cut it, I think about this time next year we’ll be in a place where there are a lot more VDPs across the federal government.”