Hacker News
by jcrites 1882 days ago
They could build in a requirement that the software has undergone penetration testing by a security firm, and that a copy of the penetration testing report along with any mitigations applied to the software be provided.

I've never even heard of the software the government is using. Why aren't they using Cisco AnyConnect like literally every other company I've worked for who has a VPN?

2 comments

Pulse Secure is pretty well regarded (or maybe was better regarded when it was a Juniper product). AnyConnect has had and will have its fair share of vulnerabilities as well. A few years ago I had to update the firmware on our ASAs like four times in a year due to new vulnerabilities. Any commercial product you pick is going to have new vulnerabilities and you just need to stay on top of it.
Not all agencies, but the US gov't does use Cisco AnyConnect and pretty much everything they use for IT is COTS these days.
Federal contractors as well.