Security is top of mind for many of our customers, especially those in the public sector. As a growing number of government agencies, from the U.S. Department of Veterans Affairs (VA) to the General Services Administration’s (GSA) 18F Office, choose Slack, a channel-based messaging platform, we’ve introduced new measures to meet the highest security and compliance standards.
Even federal regulators who set the standards for security compliance look to Slack to get their work done. For them and all of our customers in regulated industries, we’ve leveled up our security program to become FedRAMP Moderate authorized.
The move comes as part of a larger push to provide enterprise-grade security for organizations of all sizes. That requires delivering a best-in-class collaboration experience while meeting our customers’ unique security and compliance needs.
Here’s what becoming FedRAMP Moderate authorized means for our customers and a look into how we achieved compliance.
Slack’s FedRAMP journey
What is FedRAMP?
The Federal Risk and Authorization Management Program, or FedRAMP, is a government-wide program that provides a standardized approach to cloud security. Cloud-based software systems must be FedRAMP authorized before any federal agency or organization can use them. This approach keeps all federal data secure—a practice that’s ultimately in the public’s best interest. Among industry experts, FedRAMP is considered the gold standard for cloud security.
How did Slack become FedRAMP Moderate authorized?
In April 2018, Slack met with the FedRAMP Program Management Office and, within six months, received FedRAMP Tailored authorization. While this certification was certainly a milestone, we were eager to reach the next level of security compliance.
With sponsorship from the VA, we set out to become FedRAMP Moderate authorized. Our regulatory partners put our product to the test—more than 300 rigorous security controls. On May 20, 2020, we achieved FedRAMP Agency Authority to Operate (ATO) at the Moderate impact level.
This means we comply with the U.S. government’s regulations on:
- Access control: effectively limiting and managing access to customer data
- Encryption methodologies: securing data in transit and at rest with FIPS 140-2 validated cryptography
- Network security and server hardening: implementing CIS benchmarks and vendor best practices to secure all network infrastructure
- Vulnerability management: efficiently identifying and resolving potential risks
- Incident management: responding swiftly and appropriately when incidents occur
- Business continuity and disaster recovery: providing seamless service without interruption
- System monitoring, logging and alerting: monitoring all company-owned servers and workstations to maintain system security
- Secure software development lifecycle: leveraging open-source tools and bug reporting to identify, triage and resolve potential security vulnerabilities
What does this next level of security compliance mean for my organization?
Slack’s FedRAMP Moderate authorization reflects our continued investment in and support for customers in the U.S. public sector. As more government agencies move to the cloud, IT administrators and security professionals can rest assured that Slack meets and exceeds some of the most broadly recognized security standards and offers solutions to help public-sector teams address compliance requirements.
This latest authorization translates to a more secure experience for Slack customers, including private-sector businesses that don’t require a FedRAMP-authorized environment. All customers using Slack’s commercial offerings can benefit from the heightened security measures required to achieve FedRAMP certification.
To maintain customers’ trust, we will continue to develop security and compliance features that support:
- Identity and device management, including single sign-on, domain claiming and support for enterprise mobility management
- Data protection, including Slack Enterprise Key Management (Slack EKM), audit logs, and integrations with top data loss prevention providers
- Information governance, including global retention policies, custom terms of service and support for e-discovery
Can I still use my third-party integrations?
You can still use third-party integrations, but you’ll need to review what data the integration will have access to and the application provider’s FedRAMP compliance for any app installed in your workspace. Slack apps typically use the APIs from the service providers of that integration. If the APIs connect to a FedRAMP-authorized service offering, then you will remain in compliance when using those third-party integrations. This is one of the primary customer responsibilities to ensure that your deployment of Slack remains compliant.
How the Department of Veterans Affairs keeps VA.gov running in Slack
Not only did the VA sponsor our authorization, the agency also relies on Slack to plan and execute large-scale initiatives, including an overhaul of its widely used website.
The VA is the nation’s second-largest federal agency, and its public-facing website (VA.gov) draws more than 800,000 users every week, including veterans, veterans advocates, veterans service organizations and other intermediaries. At the height of the Covid-19 crisis, that number nearly tripled in one week. Many of these visitors require regular access to the site for critical information, tools and services.
Behind the scenes, the VA’s web and development teams work together in Slack channels to ensure that the website stays up and running.
Development teams at the VA use Slack to:
- Connect apps and integrations, such as GitHub and Jenkins, so that teams have greater visibility into alerts and notifications
- Quickly identify incidents and issues, including mobile notifications that alert developers of problems
- Create communities of practice that exchange knowledge and create consistency across service offerings
In 2019 the VA’s web and development teams collaborated in Slack to re-launch VA.gov. The new website boasts an impressive 99.97% uptime over the past year, allowing the agency to deliver on its promise to connect thousands of veterans and advocates with the resources they need.
And the VA has continued to expand its usage of Slack. In early 2020, it purchased 20,000 Slack licenses to roll out the platform across all of its departments. By moving teams to Slack, the VA aims to drive transparency, expand collaboration, and bring new hires, contractors and partners into the fold. This new way of working not only benefits employees and partners but also U.S. veterans, who gain access to more seamless services.
Get in touch
If you have questions about Slack’s security features, operations or compliance certifications, please don’t hesitate to reach out to your account executive or get in touch.