# Assessment & Questionnaire System
Infracast's Assessment & Questionnaire System lets you capture evidence for compliance controls that cannot be evaluated by automated infrastructure scanning alone, such as security awareness training, physical access procedures, incident response drills, and personnel security reviews.
## Overview
Not every compliance control maps to a scannable infrastructure property. Many NIST 800-171, CMMC, and FedRAMP controls require human attestation backed by documented evidence. The Questionnaire System bridges that gap:
```text
   Automated Rules                        Questionnaire System
 +---------------------+          +-------------------------------------+
 | Scan infrastructure |          | Assign questions to responsible     |
 | Check properties    |          | parties -> Collect answers ->       |
 | Evaluate rules      |          | Upload evidence -> Review & approve |
 +----------+----------+          +------------------+------------------+
            |                                        |
            +-------------------+--------------------+
                                v
                     Combined Compliance Score
                   (Automated + Attested controls)
```
## Key Capabilities
| Capability | Description |
|---|---|
| Template Library | 20 pre-built questionnaire templates, each available in 4 languages |
| Flexible Assignment | Assign questionnaires to specific users or user groups |
| Draft Saving | Respondents can save partial answers and return later |
| Evidence Uploads | Attach PDFs, screenshots, and policy documents per question |
| Multi-stage Review | Submit for review → Reviewer approves or requests changes |
| Expiration & Renewal | Set attestation expiry; system notifies before lapse |
| Framework Mapping | Each question maps to specific NIST/CMMC/FedRAMP controls |
| Multi-language | Templates available in EN, DE, FR, PT |
## How It Works
### Step 1: Create a Questionnaire
Create from a pre-built template or build a custom questionnaire:
```http
# Create from template
POST /api/v1/tenants/{tenantID}/questionnaires/from-template
{
  "template_id": "cmmc-l2-at",
  "title": "CMMC L2 Awareness & Training Assessment - Q2 2026",
  "description": "Annual security awareness training attestation",
  "assignees": ["training-lead@company.com", "hr-manager@company.com"],
  "due_date": "2026-05-31",
  "framework": "cmmc-l2"
}

# Or create a custom questionnaire
POST /api/v1/tenants/{tenantID}/questionnaires
{
  "title": "Custom Physical Security Review",
  "questions": [
    {
      "id": "q1",
      "text": "Describe your data center physical access controls.",
      "type": "text_long",
      "required": true,
      "control_mappings": ["NIST-PE-1", "CMMC-PE.1.131"]
    },
    {
      "id": "q2",
      "text": "Upload your most recent physical security audit report.",
      "type": "file_upload",
      "required": true,
      "accepted_types": ["pdf", "docx"]
    }
  ],
  "assignees": ["facilities-lead@company.com"],
  "due_date": "2026-05-15"
}
```
### Step 2: Respondent Answers Questions
Assigned users receive a notification and access the questionnaire through the Infracast UI or API.
Save a draft (partial answers):
```http
PUT /api/v1/tenants/{tenantID}/questionnaires/{questionnaireID}/responses/draft
{
  "answers": {
    "q1": "Access is controlled via badge readers and security guards...",
    "q2": null   // not yet answered
  }
}
```
Submit completed questionnaire for review:
```http
POST /api/v1/tenants/{tenantID}/questionnaires/{questionnaireID}/responses/submit
{
  "answers": {
    "q1": "Access is controlled via badge readers and 24/7 security guards. All visitors are escorted.",
    "q2": "attachment:evidence-upload-abc123"
  },
  "attestation_statement": "I certify that the above information is accurate to the best of my knowledge.",
  "attested_by": "facilities-lead@company.com"
}
```
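The `accepted_types` list on question q2 in Step 1 and the evidence upload endpoint restrict what a respondent can attach, but a file extension is a claim, not a fact. The following is an added example, not Infracast code: a server-side check that accepts an upload only when the extension is on the question's `accepted_types` list and the bytes actually are that type (a PDF header, or an OOXML ZIP containing a `word/` part), and that records a SHA-256 to store with the attestation. The sample uploads are constructed inline and the filenames are made up.

```python
import hashlib
import io
import zipfile
from typing import Optional

# accepted_types as declared on sample question q2 in Step 1.
ACCEPTED_TYPES = {"pdf", "docx"}

PDF_MAGIC = b"%PDF-"
ZIP_MAGIC = b"PK\x03\x04"   # a .docx is an OOXML package, i.e. a ZIP archive


def sniff_type(data: bytes) -> Optional[str]:
    """Classify the bytes by content; the filename is never consulted."""
    if data.startswith(PDF_MAGIC):
        return "pdf"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return None
        # OOXML requires [Content_Types].xml; a word/ part separates docx from xlsx/pptx.
        if "[Content_Types].xml" in names and any(n.startswith("word/") for n in names):
            return "docx"
    return None


def validate_evidence(filename: str, data: bytes, accepted: set) -> dict:
    """Accept only if the extension is allowed AND the content matches it.
    The sha256 is what you would record alongside the attestation's evidence chain."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    result = {"filename": filename, "ok": False, "type": None, "sha256": None, "reason": None}
    if ext not in accepted:
        result["reason"] = f"extension .{ext} not in accepted_types {sorted(accepted)}"
        return result
    sniffed = sniff_type(data)
    if sniffed != ext:
        result["reason"] = f"content is {sniffed or 'unrecognised'}, filename claims .{ext}"
        return result
    result.update(ok=True, type=sniffed, sha256=hashlib.sha256(data).hexdigest(), reason="accepted")
    return result


def build_sample_docx() -> bytes:
    """Constructed minimal OOXML container for the example; not a real audit report."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


# Constructed sample uploads, not real evidence files.
SAMPLE_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"
SAMPLE_UPLOADS = {
    "physical-security-audit-2026.pdf": SAMPLE_PDF,
    "physical-security-audit-2026.docx": build_sample_docx(),
    "report.pdf": b"<html><body>not really a pdf</body></html>",  # extension lies about content
    "report.docx": SAMPLE_PDF,                                    # valid file, wrong declared type
    "installer.exe": b"MZ\x90\x00\x03\x00",                      # not an accepted type at all
}


def check_all(uploads=None, accepted=ACCEPTED_TYPES) -> dict:
    """Run the check over every sample upload and return the per-file verdicts."""
    uploads = SAMPLE_UPLOADS if uploads is None else uploads
    return {name: validate_evidence(name, data, accepted) for name, data in uploads.items()}


if __name__ == "__main__":
    for name, verdict in check_all().items():
        print(f"{name:36} ok={verdict['ok']!s:5} {verdict['reason']}")
```

`check_all()` accepts the two genuine files and rejects the three mismatches with a reason that can be returned to the respondent. Storing the hash with the attestation lets a reviewer later confirm that the approved document is the one still on file.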
### Step 3: Reviewer Approves or Requests Changes
Compliance officers or security administrators review submitted responses:
```http
# Approve
POST /api/v1/tenants/{tenantID}/questionnaires/{questionnaireID}/review
{
  "action": "approve",
  "reviewer_notes": "Documentation reviewed and found sufficient.",
  "expiry_date": "2027-05-15"
}

# Request changes
POST /api/v1/tenants/{tenantID}/questionnaires/{questionnaireID}/review
{
  "action": "request_changes",
  "reviewer_notes": "Please upload the signed physical access log from Q1 2026."
}
```
### Step 4: Controls Marked Attested
Once approved, the mapped compliance controls are marked as Attested with an expiry date. Attested controls contribute to your overall compliance score alongside automated findings.
Control Status Flow:

```text
Not Assessed -> Questionnaire Assigned -> In Progress -> Submitted -> Attested
                                                            |
                                                            v
                                                   Changes Requested -> In Progress
```
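The status flow above is only meaningful if the service refuses actions that arrive out of order: an approve on a draft, a second approve, an expiry on a control that was never attested. The following is an added example, not Infracast's implementation: a small state machine that encodes exactly the transitions shown on the page and raises on anything else. It also rejects a reviewer approving a response they submitted themselves; the page does not say whether Infracast enforces that separation of duties, so treat that check as this example's assumption. Control IDs and addresses are taken from the page's examples or made up.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Control states, named as in the Control Status Flow above.
NOT_ASSESSED = "Not Assessed"
ASSIGNED = "Questionnaire Assigned"
IN_PROGRESS = "In Progress"
SUBMITTED = "Submitted"
ATTESTED = "Attested"
CHANGES_REQUESTED = "Changes Requested"

# event -> (states the event may be applied from, resulting state)
TRANSITIONS = {
    "assign":          ({NOT_ASSESSED}, ASSIGNED),
    "save_draft":      ({ASSIGNED, IN_PROGRESS, CHANGES_REQUESTED}, IN_PROGRESS),
    "submit":          ({IN_PROGRESS}, SUBMITTED),
    "approve":         ({SUBMITTED}, ATTESTED),
    "request_changes": ({SUBMITTED}, CHANGES_REQUESTED),
    "expire":          ({ATTESTED}, NOT_ASSESSED),
}

@dataclass
class ControlAttestation:
    control_id: str
    state: str = NOT_ASSESSED
    attested_by: Optional[str] = None
    expiry: Optional[date] = None
    history: list = field(default_factory=list)   # (date, event, actor, from_state, to_state)

    def apply(self, event: str, actor: str, on: date, expiry: Optional[date] = None) -> str:
        """Apply one lifecycle event, refusing anything the flow does not allow."""
        if event not in TRANSITIONS:
            raise ValueError(f"unknown event {event!r}")
        allowed, target = TRANSITIONS[event]
        if self.state not in allowed:
            raise ValueError(f"{self.control_id}: cannot {event} from {self.state!r}")
        if event == "submit":
            self.attested_by = actor   # whoever signs the attestation_statement
        elif event == "approve":
            # Separation of duties: the attester may not approve their own response.
            # Assumed for this example; the page does not state that Infracast enforces it.
            if actor == self.attested_by:
                raise PermissionError(f"{actor} cannot approve their own attestation")
            if expiry is None or expiry <= on:
                raise ValueError("approve needs an expiry_date later than the approval date")
            self.expiry = expiry
        elif event == "expire":
            if self.expiry is None or on < self.expiry:
                raise ValueError(f"{self.control_id} does not expire until {self.expiry}")
            self.attested_by, self.expiry = None, None
        self.history.append((on.isoformat(), event, actor, self.state, target))
        self.state = target
        return self.state

def try_apply(att: ControlAttestation, event: str, actor: str, on: date, **kw) -> Optional[str]:
    """None on success, otherwise the rejection message (what you would log and return as a 4xx)."""
    try:
        att.apply(event, actor, on, **kw)
        return None
    except (ValueError, PermissionError) as exc:
        return str(exc)

def walk_lifecycle() -> ControlAttestation:
    """Happy path including one round of requested changes. Identities are made up."""
    att = ControlAttestation("CMMC-PE.1.131")
    respondent, reviewer = "facilities-lead@company.com", "compliance-officer@company.com"
    att.apply("assign", "security-admin@company.com", date(2026, 4, 20))
    att.apply("save_draft", respondent, date(2026, 4, 28))
    att.apply("submit", respondent, date(2026, 5, 1))
    att.apply("request_changes", reviewer, date(2026, 5, 3))
    att.apply("save_draft", respondent, date(2026, 5, 6))
    att.apply("submit", respondent, date(2026, 5, 8))
    att.apply("approve", reviewer, date(2026, 5, 15), expiry=date(2027, 5, 15))
    return att

def rejection_examples() -> dict:
    """What the guard refuses: out-of-order approval, self-approval, premature expiry."""
    out = {}
    att = ControlAttestation("NIST-AT-2")
    att.apply("assign", "security-admin@company.com", date(2026, 4, 1))
    att.apply("save_draft", "training-lead@company.com", date(2026, 4, 2))
    out["approve_before_submit"] = try_apply(att, "approve", "compliance-officer@company.com",
                                             date(2026, 4, 3), expiry=date(2027, 4, 1))
    att.apply("submit", "training-lead@company.com", date(2026, 4, 3))
    out["self_approval"] = try_apply(att, "approve", "training-lead@company.com",
                                     date(2026, 4, 4), expiry=date(2027, 4, 1))
    out["approve_ok"] = try_apply(att, "approve", "compliance-officer@company.com",
                                  date(2026, 4, 4), expiry=date(2027, 4, 1))
    out["expire_early"] = try_apply(att, "expire", "system", date(2026, 12, 1))
    out["expire_on_time"] = try_apply(att, "expire", "system", date(2027, 4, 1))
    out["final_state"] = att.state
    return out
```

The `history` list is the audit trail a reviewer or assessor would want: who moved the control into each state and when, including the rejected attempts if you also log what `try_apply` returns.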
## Lifecycle Diagram

```text
Questionnaire Lifecycle

  Template Library
        |
        v
  Create Questionnaire  ----  Assign to Users
        |
        v
  Respondent Opens  ----  Save Draft  ---->  (Return Later)
        |
        v
  Answer Questions + Upload Evidence
        |
        v
  Submit for Review
        |
        +----  Approved  ---->  Controls Attested (with expiry)
        |                                  |
        |                                  v
        |                          Near Expiry Alert
        |                                  |
        |                                  v
        |                        Renewal Questionnaire
        |
        +----  Changes Requested  ---->  Back to Respondent
```
## Pre-Built Templates
Infracast ships 20 questionnaire templates covering the most common attestation requirements:
| Template ID | Framework | Domain | Practices Covered |
|---|---|---|---|
| cmmc-l2-at | CMMC L2 | Awareness & Training | AT.2.056, AT.2.057, AT.3.058 |
| cmmc-l2-pe | CMMC L2 | Physical Protection | PE.1.131, PE.1.132, PE.2.135 |
| cmmc-l2-ps | CMMC L2 | Personnel Security | PS.2.127, PS.3.131 |
| cmmc-l2-ir | CMMC L2 | Incident Response | IR.2.092, IR.2.093, IR.2.097 |
| cmmc-l2-ma | CMMC L2 | Maintenance | MA.2.111, MA.2.112 |
| nist171-at | NIST 800-171 | Awareness & Training | 3.2.1, 3.2.2, 3.2.3 |
| nist171-pe | NIST 800-171 | Physical Protection | 3.10.1–3.10.6 |
| nist171-ps | NIST 800-171 | Personnel Security | 3.9.1, 3.9.2 |
| nist171-dfars | DFARS 252.204-7012 | CDI Safeguarding | Incident reporting, flow-down, cloud |
| fedramp-ir | FedRAMP Moderate | Incident Response | IR-1 through IR-8 |
| fedramp-at | FedRAMP Moderate | Awareness & Training | AT-2, AT-3, AT-4 |
| fedramp-pe | FedRAMP Moderate | Physical Protection | PE-1 through PE-20 |
| vendor-risk | SOC 2 | Vendor Risk | CC9.2 |
| bcp-test | SOC 2 / ISO 27001 | Business Continuity | A.17.1.3 |
| hipaa-training | HIPAA | Workforce Training | §164.530(b) |
| hipaa-sanctions | HIPAA | Sanctions Policy | §164.530(e) |
| gdpr-dpia | GDPR | Data Protection Impact | Article 35 |
| iso-supplier | ISO 27001 | Supplier Relationships | A.15.1.1–A.15.2.2 |
| nerc-ops | NERC CIP | Operational Procedures | CIP-007, CIP-010 |
| sox-change | SOX IT | Change Management | CC8.1 |
Templates are available in English (EN), German (DE), French (FR), and Portuguese (PT).
## API Reference
### Templates
```http
# List all templates
GET /api/v1/tenants/{tenantID}/questionnaires/templates

# Filter by framework
GET /api/v1/tenants/{tenantID}/questionnaires/templates?framework=cmmc-l2

# Get template details
GET /api/v1/tenants/{tenantID}/questionnaires/templates/{templateID}
```
### Questionnaires
```http
# Create from template
POST /api/v1/tenants/{tenantID}/questionnaires/from-template

# Create custom
POST /api/v1/tenants/{tenantID}/questionnaires

# List all questionnaires
GET /api/v1/tenants/{tenantID}/questionnaires

# Get questionnaire status
GET /api/v1/tenants/{tenantID}/questionnaires/{questionnaireID}

# Get assigned questionnaires (respondent view)
GET /api/v1/tenants/{tenantID}/questionnaires/assigned?assignee=user@company.com
```
### Responses
```http
# Save draft
PUT /api/v1/tenants/{tenantID}/questionnaires/{questionnaireID}/responses/draft

# Submit for review
POST /api/v1/tenants/{tenantID}/questionnaires/{questionnaireID}/responses/submit

# Upload evidence file
POST /api/v1/tenants/{tenantID}/questionnaires/{questionnaireID}/evidence
Content-Type: multipart/form-data

file=@training-completion-report-2026.pdf&question_id=q2
```
### Review
```http
# Approve or request changes
POST /api/v1/tenants/{tenantID}/questionnaires/{questionnaireID}/review

# List pending reviews
GET /api/v1/tenants/{tenantID}/questionnaires?status=submitted&reviewer=compliance-officer@company.com
```
### Attestations
```http
# List all attested controls
GET /api/v1/tenants/{tenantID}/attestations

# Filter by framework and expiry
GET /api/v1/tenants/{tenantID}/attestations?framework=cmmc-l2&expires_before=2026-12-31

# Get attestation with evidence chain
GET /api/v1/tenants/{tenantID}/attestations/{attestationID}?include_evidence=true
```
## Integration with Compliance Scoring
Attested controls are weighted equally to automated controls in your compliance score. An attested control counts as passing only while its attestation is approved and unexpired:

```text
Overall Score = (Passing Automated + Attested Approved) / Total Applicable × 100
```
In the compliance dashboard, attested controls are displayed with a distinct badge:
```text
✅ NIST-AT-2 - Attested by training-lead@company.com on 2026-04-01 (expires 2027-04-01)
🔴 NIST-PE-2 - Questionnaire assigned, awaiting response (due 2026-05-31)
⏳ NIST-IR-4 - Submitted, pending reviewer approval
```
## Expiry & Renewal
Infracast tracks attestation expiry and sends proactive notifications:
| Timeframe | Action |
|---|---|
| 60 days before expiry | Email reminder to attestation owner |
| 30 days before expiry | Second reminder + dashboard warning |
| 7 days before expiry | Urgent alert; compliance score shows "expiring soon" |
| Expired | Control reverts to "Not Assessed"; compliance score drops |
Renewal creates a new questionnaire pre-populated with prior answers to speed completion.
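The scoring formula and the reminder schedule interact: an approved attestation counts as passing only until its expiry date, after which the control reverts to Not Assessed and drops out of the numerator while still counting in the denominator. The following is an added example, not Infracast code, that computes the overall score as of a given date from a constructed list of automated and attested controls and works out which reminder tier (60, 30 or 7 days) each unexpired attestation is in. Control IDs and dates are sample data chosen to exercise each case.

```python
from datetime import date

# Reminder schedule from the Expiry & Renewal table: (days before expiry, action taken).
REMINDER_SCHEDULE = (
    (60, "first reminder"),
    (30, "second reminder + dashboard warning"),
    (7, "urgent alert; expiring soon"),
)

# Constructed sample controls, not Infracast data. Automated controls carry the scan
# result; attested controls carry the questionnaire status and, once approved, the
# expiry_date the reviewer set.
SAMPLE_CONTROLS = [
    {"id": "NIST-AC-2",  "source": "automated", "passing": True},
    {"id": "NIST-AC-17", "source": "automated", "passing": False},
    {"id": "NIST-AT-2",  "source": "attested", "status": "attested",  "expires": date(2027, 4, 1)},
    {"id": "NIST-PE-2",  "source": "attested", "status": "assigned",  "expires": None},
    {"id": "NIST-IR-4",  "source": "attested", "status": "submitted", "expires": None},
    {"id": "NIST-PS-3",  "source": "attested", "status": "attested",  "expires": date(2026, 6, 10)},
    {"id": "NIST-MA-2",  "source": "attested", "status": "attested",  "expires": date(2026, 4, 1)},
]


def reminder_action(expires: date, today: date):
    """Reminder the schedule calls for on `today`: 'expired' on or after the date,
    None while more than 60 days remain, otherwise the tightest matching tier."""
    remaining = (expires - today).days
    if remaining <= 0:
        return "expired"
    action = None
    for window, label in REMINDER_SCHEDULE:   # widest window first, so the tightest wins
        if remaining <= window:
            action = label
    return action


def effective_status(ctrl: dict, today: date) -> str:
    """Status as the dashboard would show it on `today`."""
    if ctrl["source"] == "automated":
        return "pass" if ctrl["passing"] else "fail"
    if ctrl["status"] == "attested":
        # An approval counts only until its expiry; then the control reverts to Not Assessed.
        return "attested" if ctrl["expires"] > today else "not_assessed"
    return ctrl["status"]   # assigned / in_progress / submitted


def compliance_score(controls: list, today: date) -> dict:
    """Overall Score = (Passing Automated + Attested Approved) / Total Applicable x 100,
    with expired attestations already removed from the numerator."""
    passing, expiring, expired = 0, [], []
    for ctrl in controls:
        if effective_status(ctrl, today) in ("pass", "attested"):
            passing += 1
        if ctrl["source"] == "attested" and ctrl["status"] == "attested":
            action = reminder_action(ctrl["expires"], today)
            if action == "expired":
                expired.append(ctrl["id"])
            elif action is not None:
                expiring.append((ctrl["id"], action))
    total = len(controls)
    score = round(passing / total * 100, 1) if total else 0.0   # no applicable controls: no score
    return {"score": score, "passing": passing, "total": total,
            "expiring": expiring, "expired": expired}


def score_on(day: str, controls=SAMPLE_CONTROLS) -> dict:
    """Score the sample controls as of an ISO date string."""
    return compliance_score(controls, date.fromisoformat(day))


if __name__ == "__main__":
    for day in ("2026-05-15", "2026-06-05", "2026-07-01"):
        print(day, score_on(day))
```

Run against the sample data, the score on 2026-05-15 is 42.9 with NIST-MA-2 already expired and NIST-PS-3 inside the 30-day window; by 2026-07-01 PS-3 has lapsed too and the score falls to 28.6 even though nothing about the infrastructure changed, which is the behaviour the "score drops" row in the table describes.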
## Next Steps
- CMMC Guide: CMMC L2 assessment workflow with questionnaires
- NIST 800-171 Guide: NIST practices that require attestation
- Evidence Engine: automated evidence collection for automatable controls
- Compliance Overview: full framework list and scoring methodology