The General Services Administration’s 18F digital team is making strides in developing the open-source login.gov, a single sign-on for government services, and is now looking to do some penetration testing.
GSA released a sources sought notice late last week in an attempt to “identify potential crowd sourced penetration testing providers who can support 18F’s login.gov product.”
“The system is expected to be widely targeted by attackers,” the statement of work document explains. “GSA requires Crowdsourced Security and Penetration Testing service that mimics attacks and detects the security flaws that real-world hackers use to breach the Login.gov platform.”
Potential sources should have two years of experience doing penetration testing for major tech companies and adhere to a host of other requirements. To respond to the sources sought notice, potential contractors must describe their methodology, testing timeline and expected outcomes.
The login.gov initiative kicked off in May 2016 as a follow-on to Connect.gov, GSA’s prior identity management project. It was deployed in April 2017, and in May, according to the U.S. Digital Service’s recent report to Congress, Customs and Border Protection at the Department of Homeland Security became the first agency to use login.gov on its recruitment website.
In the past, login.gov has been criticized for needlessly duplicating private sector solutions, but 18F is forging ahead.