Canvas CloudAI

FedRAMP

advanced
security

Definition

The Federal Risk and Authorization Management Program is a US government framework that standardizes how cloud products and services are security-assessed, authorized, and continuously monitored before federal agencies can use them. Think of it as a rigorous safety certification that cloud vendors must earn before the US government will trust them with sensitive workloads.

FedRAMP defines three impact levels based on the potential harm of a data breach: Low (public data, minimal impact), Moderate (controlled unclassified information; the most common authorization, covering the vast majority of federal workloads), and High (data where a breach could cause severe harm; used for law enforcement, emergency services, and financial systems).

AWS GovCloud and Azure Government regions hold FedRAMP High authorizations, the highest tier. Google Cloud Assured Workloads supports FedRAMP Moderate. Oracle Cloud Infrastructure (OCI) holds FedRAMP Moderate authorization for many core services. Firebase Cloud Messaging (FCM) is notably not FedRAMP authorized, meaning federal agencies cannot use it for regulated messaging workloads; AWS SNS or Azure Notification Hubs are the compliant alternatives.

Real-World Example

A federal agency wants to migrate its case management system to the cloud. Before any vendor can be selected, the cloud services under consideration must appear on the FedRAMP Marketplace with an active authorization at the Moderate or High impact level. The agency picks AWS GovCloud (FedRAMP High) to store Controlled Unclassified Information (CUI) about ongoing investigations.
