
ComplianceScorecard/aces


ACES — Automated Compliance Evidence Standard

An open protocol for automated compliance evidence collection, scoring, and reporting.

Docs: aces.compliancescorecard.com · Discussions: GitHub Discussions · Issues: GitHub Issues


What is ACES?

ACES defines a machine-readable standard for how compliance evidence is structured, collected, scored, and exchanged between security tools, GRC platforms, and auditors.

It solves the fragmentation problem: every tool exports differently, every auditor asks for different formats, and MSPs spend enormous time manually collecting and normalizing the same evidence repeatedly.

ACES defines:

  • Evidence Schema — a common JSON structure for compliance evidence objects
  • Control Mapping — how evidence links to controls across CIS, CMMC, SOC 2, NIST CSF, and more
  • Scoring Model — deterministic, explainable compliance scores
  • MCP Protocol — how AI systems query compliance evidence via the Model Context Protocol

Status

Early Draft. Not yet stable. Community feedback actively sought.

| Component | Status |
| --- | --- |
| Evidence Schema | Draft |
| Entity Dictionary | Draft |
| Metric Types | Draft |
| Framework Key Registry | Draft |
| Control Mapping | Draft |
| Scoring Model | Draft |
| Connector Contribution Guide | Draft |
| Connector: Huntress (reference) | Stable |
| MCP Protocol | Planning |
| Reference Implementation | Planning |

Quick Example

{
  "aces_version": "0.1",
  "id": "ev_01JNKXAMPLE",
  "collected_at": "2026-03-22T00:00:00Z",
  "tenant": { "company_id": "msp-acme", "client_id": "client-acme-corp" },
  "connector": { "connector_type_id": "sentinelone", "last_sync_status": "success" },
  "evidence_type": "endpoint_protection",
  "description": "EDR agent active on 98% of endpoints",
  "control_mappings": [
    { "framework": "cis-v8",      "control_id": "10.1" },
    { "framework": "cmmc-level2", "control_id": "SI.1.210" }
  ],
  "metrics": [
    { "category": "endpoint_protection", "metric_key": "agents_total",           "metric_value": "100", "metric_type": "count",      "unit": "devices" },
    { "category": "endpoint_protection", "metric_key": "agents_online",          "metric_value": "98",  "metric_type": "count",      "unit": "devices" },
    { "category": "endpoint_protection", "metric_key": "agents_online_percentage","metric_value": "98.0","metric_type": "percentage", "unit": "%" }
  ]
}
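
A consistency check a consumer could run before trusting an evidence object like the one above, as an added example that is not part of the ACES repository. It uses only fields visible in the Quick Example; the required-field list, the 0.1 tolerance and the cross-check between the three agent metrics are assumptions made for illustration, not rules from the draft schema.

```python
import json
from datetime import datetime
from decimal import Decimal, InvalidOperation

# Constructed sample: the Quick Example object, reduced to the fields checked here.
SAMPLE = json.loads("""{
  "aces_version": "0.1", "id": "ev_01JNKXAMPLE", "collected_at": "2026-03-22T00:00:00Z",
  "evidence_type": "endpoint_protection",
  "control_mappings": [{"framework": "cis-v8", "control_id": "10.1"}],
  "metrics": [
    {"metric_key": "agents_total", "metric_value": "100", "metric_type": "count"},
    {"metric_key": "agents_online", "metric_value": "98", "metric_type": "count"},
    {"metric_key": "agents_online_percentage", "metric_value": "98.0", "metric_type": "percentage"}
  ]}""")
# Assumed for this example; the draft schema decides what is really required.
REQUIRED = ("aces_version", "id", "collected_at", "evidence_type", "control_mappings", "metrics")

def check_evidence(ev, tolerance=Decimal("0.1")):
    """Return a list of problems; an empty list means every check passed."""
    problems = [f"missing field: {k}" for k in REQUIRED if k not in ev]
    if problems:
        return problems
    try:
        ts = datetime.fromisoformat(ev["collected_at"].replace("Z", "+00:00"))
        if ts.tzinfo is None:
            problems.append("collected_at has no timezone")
    except (ValueError, AttributeError):
        problems.append("collected_at is not an ISO 8601 timestamp")
    if not ev["control_mappings"]:
        problems.append("evidence maps to no control")
    values = {}
    for m in ev["metrics"]:
        key, kind = m.get("metric_key"), m.get("metric_type")
        try:
            v = Decimal(m["metric_value"])  # values arrive as strings in the example
        except (InvalidOperation, TypeError, ValueError, KeyError):
            v = None
        if v is None or not v.is_finite():
            problems.append(f"{key}: metric_value is not a finite number")
            continue
        if kind == "count" and (v < 0 or v != v.to_integral_value()):
            problems.append(f"{key}: count must be a non-negative integer")
        if kind == "percentage" and not 0 <= v <= 100:
            problems.append(f"{key}: percentage outside 0-100")
        values[key] = v
    # Cross-check the derived percentage against the raw counts it summarises.
    total, online, pct = (values.get(k) for k in
                          ("agents_total", "agents_online", "agents_online_percentage"))
    if None not in (total, online, pct) and total > 0:
        if online > total:
            problems.append("agents_online exceeds agents_total")
        elif abs(online / total * 100 - pct) > tolerance:
            problems.append("agents_online_percentage does not match the counts")
    return problems
```

`check_evidence(SAMPLE)` returns an empty list; changing the percentage without changing the counts, or reporting more agents online than exist, produces a named problem instead.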

Getting Started

Read the full documentation or start with:

  1. Core Concepts
  2. Evidence Schema
  3. Examples

Contributing

ACES is community governed. All contributions welcome — from typo fixes to schema proposals.

See CONTRIBUTING for the RFC process.


License

Apache 2.0 — see LICENSE


© 2026 ComplianceRisk.io Inc. dba Compliance Scorecard
