Core Concepts¶
Draft v0.1
This page is in draft. Content may change before v1.0.
This page defines the vocabulary and mental model for ACES.
Evidence Object¶
The fundamental unit of ACES. An Evidence Object represents a single, verifiable piece of compliance evidence.
It answers four questions:
- What — what was observed or measured?
- Where — what system, tool, or source produced it?
- When — when was it collected?
- Why it matters — which controls does it satisfy, and to what degree?
Evidence Package¶
A collection of Evidence Objects scoped to a specific assessment — a tenant, a time period, a framework, or all three.
An Evidence Package is the unit of work for compliance scoring and reporting.
Control Mapping¶
A Control Mapping links one Evidence Object to one or more controls across one or more frameworks.
The same piece of evidence can satisfy controls in multiple frameworks simultaneously. ACES makes these cross-framework mappings explicit and machine-readable.
Scoring Model¶
The Scoring Model defines how Evidence Objects in a package are aggregated into a compliance score for each mapped control, domain, and framework.
Scores are:
- Deterministic — same inputs always produce the same score
- Explainable — every score can be traced back to its evidence
- Weighted — controls can carry different weights within a framework
MCP Protocol¶
The MCP Protocol layer defines how AI systems (via the Model Context Protocol) can query, reason about, and surface compliance evidence.
This enables AI assistants to answer questions like:
- "What is our current CMMC Level 2 score?"
- "Which controls have no evidence this quarter?"
- "What evidence exists for CIS Control 10?"
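The following is an added worked example, written for this page and not taken from the ACES schema or any ACES implementation, that models the concepts above (Evidence Object, Control Mapping, Evidence Package, Scoring Model) and then answers two of the sample questions from the MCP Protocol section over a constructed package. All field names, control IDs, weights and sample evidence are assumptions made for the example. Two design choices are worth noting: evidence collected outside the package's period is ignored, and a control's score is the highest degree any single piece of in-period evidence claims for it (several weak items never add up to a strong one), which keeps the score deterministic regardless of evidence order while the trace keeps it explainable.

```python
# Added example: toy model of Evidence Object, Control Mapping, Evidence
# Package and Scoring Model. Illustrative code for this page, not the ACES
# schema; every field name, control ID and weight is an assumption.
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class ControlMapping:
    """Links one Evidence Object to one control ("Why it matters")."""
    framework: str
    control_id: str
    degree: float  # 0.0 .. 1.0: how fully the evidence satisfies the control


@dataclass(frozen=True)
class EvidenceObject:
    what: str                             # What was observed or measured
    source: str                           # Where: tool or system that produced it
    collected_on: date                    # When
    mappings: tuple[ControlMapping, ...]  # Why it matters


@dataclass(frozen=True)
class EvidencePackage:
    """Evidence Objects scoped to one tenant and one assessment period."""
    tenant: str
    period_start: date
    period_end: date
    evidence: tuple[EvidenceObject, ...]


# Per-framework control weights (assumed; a real framework definition would
# carry these). IDs are written in CIS style but are constructed here.
FRAMEWORK_WEIGHTS = {
    "CIS": {"10.1": 2.0, "10.2": 1.0, "10.3": 1.0},
}


def in_period(pkg: EvidencePackage, ev: EvidenceObject) -> bool:
    """Only evidence collected inside the package's period counts."""
    return pkg.period_start <= ev.collected_on <= pkg.period_end


def control_scores(pkg, framework, weights=FRAMEWORK_WEIGHTS):
    """Return {control_id: (score, trace)} for every weighted control.

    score = max degree claimed by any in-period evidence (0.0 if none).
    trace = every contributing (what, source, degree), sorted, so the same
    inputs always yield the same result and each score is explainable.
    """
    result = {}
    for cid in weights[framework]:
        trace = []
        for ev in pkg.evidence:
            if not in_period(pkg, ev):
                continue
            for m in ev.mappings:
                if m.framework == framework and m.control_id == cid:
                    trace.append((ev.what, ev.source, m.degree))
        score = max((t[2] for t in trace), default=0.0)
        result[cid] = (score, sorted(trace))
    return result


def framework_score(pkg, framework, weights=FRAMEWORK_WEIGHTS):
    """Weighted mean of control scores: answers 'What is our current score?'."""
    w = weights[framework]
    scores = control_scores(pkg, framework, weights)
    return sum(w[c] * scores[c][0] for c in w) / sum(w.values())


def controls_without_evidence(pkg, framework, weights=FRAMEWORK_WEIGHTS):
    """Answers 'Which controls have no evidence this quarter?'."""
    scores = control_scores(pkg, framework, weights)
    return sorted(c for c, (_, trace) in scores.items() if not trace)


# Constructed sample package: one quarter for a single tenant.
Q3 = EvidencePackage(
    tenant="example-tenant",
    period_start=date(2024, 7, 1),
    period_end=date(2024, 9, 30),
    evidence=(
        EvidenceObject("EDR agent present on 100% of managed endpoints",
                       "edr-inventory-export", date(2024, 8, 15),
                       (ControlMapping("CIS", "10.1", 1.0),
                        ControlMapping("SOC 2", "CC6.8", 1.0))),
        EvidenceObject("EDR policy sets signature updates to automatic",
                       "edr-policy-export", date(2024, 9, 2),
                       (ControlMapping("CIS", "10.2", 0.5),)),
        EvidenceObject("Endpoint sample shows signatures under 24h old",
                       "edr-signature-report", date(2024, 9, 20),
                       (ControlMapping("CIS", "10.2", 0.8),)),
        # Collected before the period: must not count toward Q3.
        EvidenceObject("GPO disables autorun on removable media",
                       "gpo-export", date(2024, 5, 20),
                       (ControlMapping("CIS", "10.3", 1.0),)),
    ),
)

if __name__ == "__main__":
    print("CIS score:", framework_score(Q3, "CIS"))                # 0.7
    print("no evidence:", controls_without_evidence(Q3, "CIS"))    # ['10.3']
    for what, source, degree in control_scores(Q3, "CIS")["10.2"][1]:
        print(f"  10.2 <- {degree:.1f} {what} ({source})")
```

The same evidence object carries mappings for two frameworks, which is the cross-framework mapping the Control Mapping section describes; scoring one framework never touches the other's mappings. The autorun evidence is deliberately dated before the period so that control 10.3 shows up as unevidenced for the quarter rather than silently scoring from stale data.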
Key Terms¶
| Term | Definition |
|---|---|
| Evidence Object | A single piece of compliance evidence |
| Evidence Package | A scoped collection of Evidence Objects |
| Control Mapping | A link between evidence and a framework control |
| Framework | A compliance standard (CIS, CMMC, SOC 2, etc.) |
| Control | A specific requirement within a framework |
| Score | A numeric representation of compliance coverage |
| Tenant | An organization whose compliance is being assessed |
| Source | The tool or system that produced the evidence |