This questionnaire is designed for Lazarus Alliance, a FedRAMP-accredited Third-Party Assessment Organization (3PAO), to document and validate the in-scope boundary of a Cloud Service Offering (CSO) prior to conducting a full security assessment. It aligns with FedRAMP requirements for defining the authorization boundary, data flows, external dependencies, and other key scoping elements.

The questionnaire is structured into sections to ensure a comprehensive scope determination. It should be completed based on CSP-provided documentation, interviews, diagrams, and evidence.

About this Questionnaire

Table of Contents

Lazarus Alliance, an accredited FedRAMP Third-Party Assessment Organization (3PAO), will coordinate directly with your organization to prepare for and schedule your official FedRAMP assessment. Our experienced FedRAMP 3PAO assessors and advisors will help determine the appropriate impact level (Low, Moderate, or High) and authorization path based on your cloud service offering and target federal customer requirements. Upon successful completion of the independent 3PAO assessment and issuance of an Authority to Operate (ATO) or Provisional Authority to Operate (P-ATO), your cloud service will be listed on the FedRAMP Marketplace as 'FedRAMP Authorized' at the appropriate baseline.

Lazarus Alliance, an accredited FedRAMP Third-Party Assessment Organization (3PAO), is historically about 46% faster than traditional 3PAO firms meaning that your authorizations can be achieved in 5–9 months. — Michael Peters, CEO & Founder"

Source Information:

https://lazarusalliance.com/services/audit-compliance/fedramp/

Section 1: General Information

CSO Name (as listed in the System Security Plan): *

CSP Name: *

CSP Point of Contact Name: *

First

Last

CSP Point of Contact Email: *

CSP Point of Contact Phone: *

Service Type: *

IaaS
PaaS
SaaS
Other

Assessment Type: *

Readiness
Initial
Annual
Continuous Monitoring

Section 2: System Description and Authorization Boundary

Provide a high-level description of the CSO (purpose, primary functions, key features): *

Is the authorization boundary clearly defined and documented (e.g., via a diagram in the SSP Appendix A)? *

If No, please explain

Confirm the boundary includes all components necessary to provide the CSO (hardware, software, network, facilities, personnel, etc.): *

Are there any external services or components outside the boundary (e.g., leveraged IaaS/PaaS, third-party SaaS)? *

If Yes, list them and confirm they are FedRAMP-authorized at the appropriate baseline (or justify).

Section 3: Data Flows and External Connections

Describe all inbound and outbound data flows (including APIs, ports, protocols, and purpose): *

Are all external connections documented in the SSP Appendix D (Interconnections)? *

If No, please explain

Do any connections involve non-FedRAMP-authorized systems? *

If Yes, please describe risk mitigation.

Confirm that all border devices (firewalls, gateways, etc.) are configured to segregate the CSO from non-authorized systems: *

Section 4: Components and Assets

Total number of components in scope (servers, containers, databases, applications, etc.): *

Are all in-scope components inventoried (e.g., in SSP Appendix B)? *

Confirm that the CSP has implemented all required technical controls (e.g., logging, encryption, vulnerability scanning) across the boundary: *

If locations the

If No, please list gaps.

Are there any shared services (e.g., identity provider, monitoring tool) that are leveraged? *

If Yes, please confirm FedRAMP authorization status.

Section 5: Facilities and Physical Scope

List all physical locations (data centers, offices, etc.) that support the CSO: *

Are all physical locations documented and included in the boundary? *

If No, please explain.

Confirm that physical security controls are in place at all locations (e.g., access controls, cameras): *

Section 6: Personnel and Roles

List key CSP personnel roles involved in the CSO (e.g., System Owner, ISSO, developers): *

Confirm that personnel have appropriate background checks and training: *

Section 7: Documentation and Readiness Confirmation

Confirm that the CSP has provided the latest FedRAMP SSP template, with all appendices: *

If No, please explain.

Confirm that the CSP has implemented all federal mandates and technical capabilities required for the baseline: *

If No, please list gaps.

Overall, is the CSO in-scope for FedRAMP assessment? *

If No, please explain why (e.g., boundary not defined, missing controls).

Section 8: Next Steps

Thank you for completing this questionnaire. A Lazarus Alliance FedRAMP 3PAO Cybervisor will be in contact with you soon.

For the official FedRAMP templates (including the SSP and RAR), refer to the FedRAMP website (fedramp.gov) and the 3PAO Readiness Assessment Report Guide.