I don't know if there is such a thing, but I get asked from time to time if our products have been "GSA port scanned". Does the GSA have a document of recommendations or a framework or a toolset defined that I can run against my products to show 'compliance', or have some results? In the past we've had a few government facilities do their own scan and would/would not provide us results, depending. Is there a publicly available document that describes the requirements and "expected results"? Or is there really no such thing and it depends on the particular service or department (non-military)?