Skip to content

Scoring Model

Draft

The scoring model is under active discussion. Open an issue to contribute.

Overview

ACES scores are deterministic and explainable. Given the same set of Evidence Objects, the same score is always produced.

Scores exist at three levels:

  1. Evidence Score — score for a single Evidence Object
  2. Control Score — aggregated score for a single framework control
  3. Framework Score — overall compliance score for a framework

Evidence Score

Each Evidence Object carries its own score:

"score": {
  "value": 98,
  "max": 100,
  "method": "percentage_coverage"
}

The normalized score is value / max, yielding a 0.0–1.0 float.

Control Score

When multiple Evidence Objects map to the same control, their scores are aggregated:

control_score = weighted_mean(evidence_scores for this control)

Default: equal weighting. Custom weights can be set per mapping.

Framework Score

framework_score = weighted_mean(control_scores for all controls in framework)

Controls with no evidence receive a score of 0. Controls marked unknown are excluded from the denominator (they do not penalize the score but are flagged separately).

Score Display

Range Label Color
90–100 Compliant Green
75–89 Mostly Compliant Yellow
50–74 Partially Compliant Orange
0–49 Non-Compliant Red
N/A No Evidence Grey

Gap Identification

Controls with a score below a configurable threshold (default: 75) are flagged as gaps. Gaps feed directly into remediation workflows.