Security is a top priority for many of our customers, especially those in the public sector. As a growing number of government agencies, from the US Department of Veterans Affairs (VA) to the General Services Administration’s (GSA) 18F office, choose Slack, a channel-based messaging platform, we’ve introduced new measures to meet the highest security and compliance standards.
Even federal regulators who set the standards for security compliance look to Slack to get their work done. For them, and for all our customers in regulated industries, we’ve levelled up our security programme to become FedRAMP Moderate-authorised.
The move comes as part of a larger push to provide enterprise-grade security for organisations of all sizes. That requires delivering a best-in-class collaboration experience while meeting our customers’ unique security and compliance needs.
Here’s what becoming FedRAMP Moderate-authorised means for our customers, and a look at how we achieved compliance.
Slack’s FedRAMP journey
What is FedRAMP?
The Federal Risk and Authorization Management Program, or FedRAMP, is a US government-wide programme that provides a standardised approach to cloud security. Cloud-based software systems must be FedRAMP-authorised before any federal agency or organisation can use them. This approach keeps all federal data secure – a practice that’s ultimately in the public’s best interest. Among industry experts, FedRAMP is considered to be the gold standard for cloud security.
How did Slack become FedRAMP Moderate-authorised?
In April 2018, Slack met with the FedRAMP Program Management Office and, within six months, received FedRAMP Tailored authorisation. While this certification was certainly a milestone, we were eager to reach the next level of security compliance.
With sponsorship from the VA, we set out to become FedRAMP Moderate-authorised. Our regulatory partners put our product to the test – with more than 300 rigorous security controls. On 20th May 2020, we achieved FedRAMP Agency Authority to Operate (ATO) at the Moderate impact level.
This means that we comply with the US government’s regulations on:
- Access control: effectively limiting and managing access to customer data
- Encryption methodologies: securing data in transit and at rest with FIPS 140-2 validated cryptography
- Network security and server hardening: implementing CIS benchmarks and vendor best practices to secure all network infrastructure
- Vulnerability management: efficiently identifying and resolving potential risks
- Incident management: responding swiftly and appropriately when incidents occur
- Business continuity and disaster recovery: providing seamless service without interruption
- System monitoring, logging and alerting: monitoring all company-owned servers and workstations to maintain system security
- Secure software development life cycle: leveraging open-source tools and bug reporting to identify, assess and resolve potential security vulnerabilities
What does this next level of security compliance mean for my organisation?
Slack’s FedRAMP Moderate authorisation reflects our continued investment in and support for customers in the US public sector. As more government agencies move to the cloud, IT administrators and security professionals can rest assured that Slack meets and exceeds some of the most broadly recognised security standards and offers solutions to help public-sector teams to address compliance requirements.
This latest authorisation translates to a more secure experience for Slack customers, including private-sector businesses that don’t require a FedRAMP-authorised environment. All customers using Slack’s commercial offerings can benefit from the heightened security measures that are required to achieve FedRAMP certification.
To maintain customers’ trust, we will continue to develop security and compliance features that support:
- Identity and device management, including single sign-on, domain claiming and support for enterprise mobility management
- Data protection, including Slack Enterprise Key Management (Slack EKM), audit logs and integrations with top data loss prevention providers
- Information governance, including global retention policies, customised terms of service and support for e-discovery
Can I still use my third-party integrations?
You can still use third-party integrations, but you’ll need to review what data the integration will have access to and the application provider’s FedRAMP compliance for any app installed in your workspace. Slack apps typically use the APIs from the service providers of that integration. If the APIs connect to a FedRAMP-authorised service offering, then you will remain in compliance when using those third-party integrations. Reviewing these integrations is one of the primary responsibilities that customers have to ensure that their deployment of Slack remains compliant.
How the US Department of Veterans Affairs keeps VA.gov running in Slack
Not only did the VA sponsor our authorisation, but the agency also relies on Slack to plan and execute large-scale initiatives, including an overhaul of its widely used website.
The VA is the second-largest federal agency in the US, and its public-facing website (VA.gov) draws more than 800,000 users every week, including veterans, veterans’ advocates, veterans’ service organisations and other intermediaries. At the height of the Covid-19 crisis, that number nearly tripled in one week. Many of these visitors require regular access to the site for critical information, tools and services.
Behind the scenes, the VA’s web and development teams work together in Slack channels to ensure that the website stays up and running.
Development teams at the VA use Slack to:
- Connect apps and integrations, such as GitHub and Jenkins, so that teams have greater visibility into alerts and notifications
- Quickly identify incidents and issues, including mobile notifications that alert developers to problems
- Create communities of practice that exchange knowledge and create consistency across service offerings
In 2019, the VA’s web and development teams collaborated in Slack to relaunch VA.gov. The new website boasts an impressive 99.97% uptime over the past year, allowing the agency to deliver on its promise to connect thousands of veterans and advocates with the resources that they need.
And the VA has continued to expand its usage of Slack. In early 2020, it purchased 20,000 Slack licences to roll out the platform across all its departments. By moving teams to Slack, the VA aims to drive transparency, expand collaboration and bring new hires, contractors and partners into the fold. This new way of working not only benefits employees and partners, but also US veterans, who gain access to more seamless services.
Get in touch
If you have questions about Slack’s security features, operations or compliance certifications, please don’t hesitate to contact your account executive or get in touch.