Welcome to GovSlack, an instance of Slack designed for U.S. public sector use. Read on to learn more about how to build apps for GovSlack.
GovSlack enables agencies, contractors, citizens, and partners to work together in one centralized, secure tool. This instance of Slack is designed to comply with the most stringent security and operational requirements of public sector customers.
Running in AWS GovCloud certified data centers, GovSlack instances will comply with the following security standards:
FedRAMP*: High Federal Risk and Authorization Management Program. A compliance standard that ensures proper level of security for cloud services.
ITAR: International Traffic in Arms Regulations. A compliance standard related to export control. Primarily requires US citizens to operate services.
FIPS 140.2: Federal Information Processing Standard. A standard of security/cryptography for keeping government data safe. Includes requirements on encryption key length, key management, roles/access management, physical security of servers, etc.
DOD IL4*: Department of Defense Impact Level 4. Standards defining different levels of information sensitivity and requirements for systems that house that data.
*GovSlack is currently pursuing FedRAMP High and DoD SRG IL4 compliance certification.
Some of these standards may be inheritable/complied with by using compliant infrastructure such as AWS GovCloud, but itβs up to individual providers to determine the standards they want to comply with and whether they are certified or not.
GovSlack does not run on the slack.com
domain. Instead, it runs on the separate domain slack-gov.com
. For compliance reasons, data between commercial Slack and GovSlack will be completely isolated.
If you would like to make your app available in GovSlack, you will need to deploy your app in the GovSlack environment, then have it approved and published in the GovSlack App Directory. As part of this, you can expect to:
Best Practices
We recommend keeping the same codebase and using env
variables to distinguish between Commercial Slack and GovSlack instances. This can help streamline your app's review time.
https://slack-gov.com/oauth/v2/authorize
instead of http://slack.com/oauth/v2/authorize
when asking for scopes during installation.oauth.v2.access
calls to the slack-gov.com
domain instead of slack.com
domain.slack-gov.com
API endpoint instead of the slack.com
endpoint when you use Slack Web APIs for GovSlack installations.
response_url
, will also now point to slack-gov.com
.slack.com
will also need to change to slack-gov.com
.Using the SDK or Bolt?
You can override the API root in our web client or SDKs (e.g. Node SDK or Bolt for JavaScript).
To set compliance values, navigate to your App Manifest within your app config on slack-gov.com
.
Valid FedRAMP values are as follows:
None
Low
Moderate
High
Customer Responsibility
Valid ITAR values are as follows:
Yes
No
Customer Responsibility
Valid Department of Defense values are as follows:
None
Customer Responsibility
IL2
IL4
IL5
IL6
The following is an example manifest written in YAML format:
display_information:
name: My Gov App
settings:
org_deploy_enabled: false
socket_mode_enabled: false
token_rotation_enabled: false
compliance:
fedramp_authorization: High
dod_srg_ilx: None
itar_compliant: No
link_shared
event will not be dispatched when a user pastes a link in the message composer for a domain your app has registered. Instead, the event is only dispatched when a message is sent to the channel.
source
property in the link_shared
request payload (it will implicitly always be conversations_history
).preview
field (found within the unfurls
URL-encoded JSON string) when unfurling. Doing so will return the error cannot_parse_attachment
.Yes, only apps submitted to the GovSlack App Directory will be available to install in GovSlack workspaces.
This is not a requirement. Each compliance level can optionally be set to None
, meaning that your app does not meet any of the available standards. GovSlack customers will be able to see which compliance level each app follows and can decide which apps to install in their GovSlack workspaces based on that.
The app submission process in GovSlack will be the same as in Commercial Slack. You will need to submit to both app directories if you want configuration changes such as new scopes, descriptions, and features, in order to be reflected in both apps.
When developing your app for listing in the GovSlack App Directory, we recommend creating a second app to serve as your development app. This will also allow us to test the updates you submit to your app once published.
No, similar to Commercial Slack, apps in GovSlack can be installed by one or more workspaces when public distribution has been enabled in your app config. That said, it is during the directory submission process where you define your app's compliance level.
GovSlack customers will be enterprise customers, so at the very least your app should work for enterprise customers. Slack supports development of Org-wide apps to ease the install flow for admins and increase adoption of your app.
Any app that is created on a GovSlack workspace will be a Granular Bot Permissions (GBP) app with no ability to create a classic app. So if your existing app in commercial Slack is not GBP ready, then you have to upgrade before it can be configured and published in GovSlack and available in the App Directory.