ACES — Automated Compliance Evidence Standard
An open protocol for automated compliance evidence collection, scoring, and reporting.
ACES defines a machine-readable standard for how compliance evidence is structured, collected, scored, and exchanged between security tools, GRC platforms, and auditors. It is community-governed and designed to work natively with the Model Context Protocol (MCP).
Why ACES?
Compliance evidence today is fragmented. Every tool exports differently. Every auditor asks for different formats. MSPs and security teams spend enormous time manually collecting, normalizing, and presenting the same evidence over and over.
ACES solves this by defining:
- A common evidence schema — one way to describe what evidence is, where it came from, and what control it satisfies
- A scoring model — consistent, explainable compliance scores across any framework
- An MCP protocol — how tools expose and query compliance evidence via AI-native interfaces
- Framework mappings — pre-built mappings to CIS Controls, CMMC, SOC 2, NIST CSF, and more
Quick Start
```bash
# Install the ACES validator (coming soon)
pip install aces-validator

# Validate an evidence file
aces validate evidence.json --framework cmmc-level2
```
Key Concepts
| Concept | Description |
|---|---|
| Evidence Object | A single piece of compliance evidence with metadata, source, and control mappings |
| Evidence Package | A collection of evidence objects for a specific assessment scope |
| Control Mapping | Links between evidence and one or more framework controls |
| Scoring Model | Algorithm for calculating compliance scores from evidence packages |
| MCP Protocol | How AI systems query and reason about compliance evidence |
Supported Frameworks
- CIS Controls v8
- CMMC Level 1 & 2
- SOC 2 Type I & II
- NIST CSF 2.0
- FTC Safeguards Rule
- (More via community contribution)
Status
Early Draft
ACES is currently in early draft. The specification is not yet stable. Community feedback is actively sought.
| Component | Status |
|---|---|
| Core Evidence Schema | Draft |
| Scoring Model | Draft |
| MCP Protocol | Planning |
| Framework Mappings | In Progress |
| Reference Implementation | Planning |
| Validator Tool | Planning |
Community & Governance
ACES is an open standard. The specification is maintained by Compliance Scorecard and governed by the community.
- Contribute — how to propose changes
- GitHub Discussions — ask questions, share ideas
- GitHub Issues — report problems or request changes