18F is looking for crowdsourced penetration testing systems to hit

"The system is expected to be widely targeted by attackers," a GSA source sought notice says, and so 18F aims to identify pen-testers with proven ability.

The General Services Administration’s 18F digital team is making strides in developing the open-source, a single sign-on for government services, and is now looking to do some penetration testing.

GSA released a sources sought notice late last week in an attempt to “identify potential crowd sourced penetration testing providers who can support 18F’s product.”

“The system is expected to be widely targeted by attackers,” the statement of work document explains. “GSA requires Crowdsourced Security and Penetration Testing service that mimics attacks and detects the security flaws that real-world hackers use to breach the platform.”

Potential sources should have two years of experience doing penetration testing for major tech companies and adhere to a host of other requirements. To respond to the sources sought notice, potential contractors must describe their methodology, testing timeline and expected outcomes.


The initiative kicked off in May 2016 as a follow-on to, GSA’s prior identity management project. It was deployed in April 2017, and in May, according to the U.S. Digital Service’s recent report to Congress, the Customs and Border Protection at the Department of Homeland Security became the first agency to use on its recruitment website.

In the past has been criticized for needlessly duplicating private sector solutions, but 18F is forging ahead.
