Every recommendation FrameworkMapper produces comes from one of two deterministic, vertical-aware scoring algorithms. UCPA prioritizes which controls to implement. TTI scores which tools to procure. They share no scoring state — and together they answer the only two questions a buyer actually needs answered.
FrameworkMapper's scoring stack is organized as discrete layers. Each layer operates on a different object, draws from different data sources, and answers a different question. Outputs combine at the recommendation surface — never in scoring.
Universal Control Prioritization Algorithm
Object scored: Controls
Answers: Which controls should we implement first?
A seven-factor weighted scoring model combining threat intelligence, dependency graphs, effort-to-value ratios, blast radius, regulatory weight, coverage breadth, and asset exposure. Operates on ATT&CK-mapped controls.
Vendor product trust scoring
Object scored: Tools (vendor products)
Answers: Which products should we actually procure?
A five-signal scoring model combining CISA KEV exposure (as a final multiplier), market analyst placement, FedRAMP/GovRAMP authorization, FIPS 140 validation, and CSA STAR assurance — calibrated per vertical.
Soft organizational attestation
Object scored: Tools (final ranking only)
Answers: Of two similarly-scored tools, which one fits us better?
Soft signals — partner attestations, deployment footprint within a vertical, organizational fit — used only to break ties between tools that landed in the same TTI band. Never overrides UCPA or TTI scoring. Roadmapped for a future release.
Controls and tools are different objects. A control is a defensive requirement — "enforce multi-factor authentication." A tool is a vendor product — an identity provider. They obey different rules, draw from different data sources, and answer different questions.
Trying to score them with one algorithm flattens the distinction. You either end up with a control-shaped algorithm that treats tools as second-class objects, or a tool-shaped algorithm that mistakes vendor credentials for defensive priority. Neither works.
FrameworkMapper splits the problem. UCPA owns the control prioritization question. TTI owns the tool trust question. The recommendation surface combines their outputs, but neither algorithm influences the other's scoring.
"Implement MFA on privileged accounts first — it scores 92 in your vertical."
"Of these four MFA tools, three are Trusted and one is on KEV with no patch — we don't recommend it."
The two algorithms share family resemblance — both are deterministic, vertical-aware, and fully explainable — but the mechanics differ.
| | UCPA | Tool Trust Index |
|---|---|---|
| Object scored | Controls (framework requirements) | Tools (vendor products) |
| Mechanism | 7 weighted factors summed to a Priority Score | 4 additive signals + KEV multiplier, normalized to a 0–100 score |
| Primary data sources | CISA KEV, MITRE ATT&CK, DBIR, MS-ISAC, framework specs | CISA KEV, FedRAMP, GovRAMP, NIST CMVP, CSA STAR, Gartner/Forrester/IDC |
| Vertical-aware via | Factor weight profiles (24 verticals) | Signal default profiles + RAMP vertical weighting (24 verticals) |
| Output | Priority sequence (ordered control list) | Score (0–100) + band (Highly Trusted → Do Not Recommend) |
| Refresh discipline | KEV / ATT&CK quarterly, #StopRansomware weekly, DBIR annually | KEV weekly, RAMP / FIPS / CSA monthly |
| Customer-configurable | Asset exposure responses adjust Factor A per-org | Signal toggles within vertical bounds (KEV cannot be disabled) |
| Audit artifact | Per-control factor decomposition with cited sources | Per-tool signal breakdown with provenance and confidence tags |
UCPA and TTI are independent in their scoring math, but they share a common discipline. These are the rules that apply to every score FrameworkMapper produces, regardless of layer.
Given identical inputs, both algorithms always produce identical outputs. An auditor reviewing results at any point in time can reproduce the exact result from documented inputs.
Every UCPA Priority Score decomposes into its seven factor contributions. Every TTI score decomposes into its per-signal breakdown. No black boxes — the math is visible on every output.
Both algorithms run against 24 vertical default profiles. UCPA tunes factor weights per vertical. TTI tunes signal applicability per vertical. K-12 is scored differently than DIB — intentionally and transparently.
Every assessment snapshots its scoring inputs, outputs, and source data versions. Historical comparison and audit defensibility are first-class concerns — not afterthoughts.
Neither algorithm scores against vendor claims. UCPA factors derive from threat intelligence and framework specs. TTI signals derive from public registries (CISA, NIST, FedRAMP, etc.). Vendors cannot pay to improve their score.
Both algorithms refresh their source data on documented cadences. Every refresh is recorded as a versioned snapshot so score changes over time are traceable to specific upstream updates.
Each algorithm has a dedicated deep-dive page with the full formula, factor- or signal-level scoring rubrics, vertical configuration tables, and worked examples.
The Universal Control Prioritization Algorithm in full: seven factors, the weighted Priority Score formula, the 24-vertical weight matrix, tiebreaking cascade, and the audit-defensibility surface.
The TTI formula in full: five trust signals, the KEV multiplier mechanic, the 24-vertical signal default matrix, score bands, and the KEV disclosure language.
The FrameworkMapper scoring stack was developed by Midwest Cyber, LLC and Viosoph, LLC and is implemented as the FrameworkMapper platform.
© 2026 Midwest Cyber, LLC and Viosoph, LLC. All rights reserved.
Run an assessment to receive a UCPA-prioritized control roadmap alongside vertical-tuned TTI tool recommendations.