Every priority ranking in your assessment results is produced by the Universal Control Prioritization Algorithm (UCPA) — a deterministic, seven-factor scoring model developed by Midwest Cyber, LLC and Viosoph, LLC.
CIS Controls v8.1 has 153 safeguards. NIST SP 800-53 has 1,189 controls. CMMC Level 2 requires 110 practices. Organizations subject to multiple frameworks can face a combined control universe exceeding 1,500 requirements.
Frameworks are intentionally silent on implementation order — context matters. But that leaves most organizations without actionable guidance. The UCPA fills that gap with a transparent, reproducible scoring model that turns a compliance checklist into an implementation roadmap.
Every control receives a composite Priority Score (P) computed from seven weighted factors. Each factor is normalized to a 0–100 scale before weighting, and the weights always sum to 1.0.
Each factor draws from empirical, publicly available data sources — not vendor claims or consultant opinion.
Threat Relevance (T): Controls that mitigate techniques appearing in active campaigns score higher than those addressing theoretical or rarely observed threats.
Dependency (D): Computed from a Directed Acyclic Graph (DAG) of control relationships. Controls with high out-degree — those that unlock or amplify other controls — are prioritized as foundational infrastructure.
Effort-to-Value (E): Particularly important for resource-constrained organizations. Scores are calibrated to three resource profiles: Minimal (volunteer IT), Moderate (small IT team), and Well-resourced (dedicated security staff).
Blast Radius (B): Distinct from Threat Relevance: T measures probability, B measures magnitude. Together they approximate classic risk (likelihood × impact), decomposed into independently scored components.
Regulatory Criticality (R): Scored on a rubric tied to real-world consequence: automatic audit failure scores highest; best-practice recommendations score lowest. The vertical weight profile determines R's influence — it matters most for defense contractors (CMMC) and least for churches.
Coverage Breadth (C): Cross-framework consensus is a strong signal of foundational importance. When CIS, NIST CSF, NIST 800-53, CMMC, and HIPAA all require access control enforcement, that convergence speaks for itself.
Asset Exposure (A): The only factor that varies by individual organization rather than by vertical. A control protecting cloud workloads is irrelevant to an organization with no cloud presence. Asset Exposure personalizes the priority sequence to your actual environment.
Each control is pre-tagged with relevant environment factors. Your assessment responses activate or deactivate relevance flags, producing an A score of 0 (irrelevant), 50 (partially relevant), or 100 (directly applicable).
The seven factor weights are not one-size-fits-all. Each industry vertical has a default weight profile that reflects its operational reality — threat exposure, resource constraints, and compliance obligations.
Emphasis Profiles — Illustrative Examples

Illustrative — not the actual coefficients

| Vertical | T | D | E | B | R | C | A |
|---|---|---|---|---|---|---|---|
| K-12 Education | Leads | Leads | Leads | Standard | Minimal | Standard | Standard |
| Defense Industrial Base | Standard | Standard | Minimal | Standard | Dominant | Standard | Standard |
| Church / House of Worship | Standard | Elevated | Leads | Reduced | Minimal | Elevated | Standard |
All 24 verticals carry a calibrated seven-factor weight profile. The exact coefficients are confidential and proprietary to Midwest Cyber, LLC and Viosoph, LLC. Customers receive the applied weights for their vertical inside assessment reports under their engagement's confidentiality terms, and authorized auditors can verify them against the integrity commitment below.
K-12 Education: Elevated ransomware exposure, minimal IT staff, limited budgets. Threat Relevance, Dependency, and Effort-to-Value share equal top priority. Regulatory weight is low — most K-12 cybersecurity compliance is voluntary.
Defense Industrial Base: CMMC certification is binary — pass or fail. Regulatory Criticality dominates the profile. Effort-to-Value drops to its floor because required controls must be implemented regardless of cost.
Church / House of Worship: Volunteer IT, near-zero budgets, no regulatory mandates. Effort-to-Value leads the profile, ensuring recommended actions are achievable with available resources.
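The scoring shape described above (seven factors normalized to 0–100, a weight profile per vertical that sums to 1.0, D derived from out-degree in a control DAG, A set to 0/50/100 from environment flags) can be shown end to end in a small scorer. The block below is an added example, not UCPA code or the FrameworkMapper engine: the two weight profiles only mimic the qualitative "Leads / Dominant / Minimal" descriptions of the K-12 and Defense Industrial Base rows, and every control, factor value, dependency edge and environment tag is constructed for illustration.

```python
"""Toy seven-factor priority scorer in the shape the page describes.
Added example, not UCPA's code. All weights, controls, factor values,
dependency edges and environment tags are constructed for illustration."""
from typing import Dict, Iterable, List, Mapping, Set, Tuple

FACTORS = ("T", "D", "E", "B", "R", "C", "A")

# Constructed profiles following the page's qualitative shape only
# (K-12: T/D/E lead, R minimal; DIB: R dominant, E minimal). Not real coefficients.
WEIGHT_PROFILES: Dict[str, Dict[str, float]] = {
    "k12": {"T": 0.20, "D": 0.20, "E": 0.20, "B": 0.12, "R": 0.04, "C": 0.12, "A": 0.12},
    "dib": {"T": 0.12, "D": 0.12, "E": 0.05, "B": 0.12, "R": 0.35, "C": 0.12, "A": 0.12},
}
# Constructed catalogue: T/E/B/R/C already on 0-100; D and A are derived below.
BASE_FACTORS: Dict[str, Dict[str, float]] = {
    "inventory": {"T": 70, "E": 80, "B": 60, "R": 40, "C": 90},
    "mfa":       {"T": 95, "E": 60, "B": 90, "R": 70, "C": 100},
    "patching":  {"T": 90, "E": 50, "B": 80, "R": 60, "C": 95},
    "cloud_iam": {"T": 85, "E": 40, "B": 85, "R": 50, "C": 60},
}
# Control DAG as out-edges: control -> controls it unlocks.
DAG_EDGES: Dict[str, List[str]] = {
    "inventory": ["mfa", "patching", "cloud_iam"], "mfa": ["cloud_iam"],
    "patching": [], "cloud_iam": [],
}
# Environment tags per control; an empty set means "applies to everyone".
ENV_TAGS: Dict[str, Set[str]] = {
    "inventory": set(), "mfa": set(), "patching": set(), "cloud_iam": {"cloud"},
}


def validate_weights(weights: Mapping[str, float]) -> None:
    """Reject profiles that miss a factor, go negative, or do not sum to 1.0."""
    if set(weights) != set(FACTORS):
        raise ValueError(f"profile must weight exactly {FACTORS}")
    if any(w < 0 for w in weights.values()):
        raise ValueError("weights must be non-negative")
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("weights must sum to 1.0")


def assert_acyclic(edges: Mapping[str, Iterable[str]]) -> None:
    """Depth-first cycle check: out-degree only means 'foundational' in a DAG."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour: Dict[str, int] = {node: WHITE for node in edges}

    def visit(node: str) -> None:
        colour[node] = GREY
        for nxt in edges.get(node, ()):
            if colour.get(nxt, WHITE) == GREY:
                raise ValueError(f"cycle through {node} -> {nxt}")
            if colour.get(nxt, WHITE) == WHITE:
                visit(nxt)
        colour[node] = BLACK

    for node in list(edges):
        if colour[node] == WHITE:
            visit(node)


def dependency_scores(edges: Mapping[str, Iterable[str]]) -> Dict[str, float]:
    """D factor: out-degree in the control DAG, normalised so the maximum is 100."""
    assert_acyclic(edges)
    out_degree = {c: len(set(deps)) for c, deps in edges.items()}
    top = max(out_degree.values(), default=0)
    return {c: (100.0 * d / top if top else 0.0) for c, d in out_degree.items()}


def asset_exposure(tags: Set[str], env: Mapping[str, bool]) -> float:
    """A factor: 0 = irrelevant, 50 = partially relevant, 100 = directly applicable."""
    if not tags:
        return 100.0
    active = sum(1 for t in tags if env.get(t, False))
    if active == 0:
        return 0.0
    return 100.0 if active == len(tags) else 50.0


def priority_score(factors: Mapping[str, float], weights: Mapping[str, float]) -> float:
    """P = sum(w_i * f_i) over the seven factors, each clamped to 0-100 first."""
    validate_weights(weights)
    clamped = {f: max(0.0, min(100.0, float(factors[f]))) for f in FACTORS}
    return round(sum(weights[f] * clamped[f] for f in FACTORS), 4)


def score_environment(vertical: str, env: Mapping[str, bool]) -> Dict[str, Tuple[float, Dict[str, float]]]:
    """Return {control: (P, full factor vector)} so every score stays explainable."""
    weights = WEIGHT_PROFILES[vertical]
    d_scores = dependency_scores(DAG_EDGES)
    result: Dict[str, Tuple[float, Dict[str, float]]] = {}
    for cid, base in BASE_FACTORS.items():
        factors = dict(base)
        factors["D"] = d_scores[cid]
        factors["A"] = asset_exposure(ENV_TAGS[cid], env)
        result[cid] = (priority_score(factors, weights), factors)
    return result


def rank_controls(vertical: str, env: Mapping[str, bool]) -> List[str]:
    """Deterministic roadmap: score descending, control id breaks ties."""
    scored = score_environment(vertical, env)
    return sorted(scored, key=lambda cid: (-scored[cid][0], cid))


if __name__ == "__main__":
    scored = score_environment("k12", {"cloud": False})
    for cid in rank_controls("k12", {"cloud": False}):
        print(f"{cid:10s} P={scored[cid][0]:6.2f}", {k: round(v) for k, v in scored[cid][1].items()})
```

With the constructed data, the K-12 profile puts the inventory control first because its high out-degree dominates through the D weight, while the DIB profile moves MFA to the top on regulatory weight; the cloud IAM control drops to A = 0 and the bottom of the list for any environment without a cloud flag. Keeping the full factor vector next to each P is what makes the decomposition in a report possible, and the tie-break on control id is what makes two runs on identical inputs produce the same sequence.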
The full weight table is confidential — but it is cryptographically committed. We publish a SHA-256 fingerprint of every versioned weight profile. Customers and auditors who receive the table under confidentiality can hash it and confirm it matches this public commitment, proving the weights were fixed in advance and never retro-tuned to justify a result.
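The commit-and-verify step above depends on two details the page leaves implicit: both sides must hash byte-identical input, and a small table of weights has too little entropy for a bare hash to keep it confidential. The block below is an added example of how a versioned weight profile can be committed and later checked; it is not the platform's own tooling, the weights are a constructed illustration rather than the proprietary coefficients, and the version string and nonce are constructed as well.

```python
"""Commit-and-verify for a versioned weight table using SHA-256.
Added example, not the platform's tooling. Table, version and nonce are constructed."""
import hashlib
import hmac
import json
import secrets
from typing import Mapping, Tuple

FACTORS = ("T", "D", "E", "B", "R", "C", "A")


def canonical_profile(version: str, weights: Mapping[str, float], nonce_hex: str) -> bytes:
    """Canonical serialisation: sorted keys, no whitespace, weights as fixed
    4-decimal strings. Without this, 0.2 vs 0.20, key order, or another
    language's float printing would change the bytes and hence the digest."""
    if set(weights) != set(FACTORS):
        raise ValueError("weight table must cover exactly the seven factors")
    body = {
        "version": version,
        "nonce": nonce_hex,
        "weights": {f: f"{float(weights[f]):.4f}" for f in FACTORS},
    }
    return json.dumps(body, sort_keys=True, separators=(",", ":"), ensure_ascii=True).encode("utf-8")


def commit(version: str, weights: Mapping[str, float], nonce_hex: str) -> str:
    """Publisher side: the SHA-256 hex digest that gets published."""
    return hashlib.sha256(canonical_profile(version, weights, nonce_hex)).hexdigest()


def new_nonce() -> str:
    """256-bit random nonce, disclosed to the customer with the table.
    A weight table is low-entropy: without a nonce, anyone could enumerate
    candidate tables and match the public digest, so it would not hide them."""
    return secrets.token_hex(32)


def verify(version: str, weights: Mapping[str, float], nonce_hex: str, published_digest: str) -> bool:
    """Auditor side: recompute from the disclosed table and compare in constant time."""
    return hmac.compare_digest(commit(version, weights, nonce_hex), published_digest.strip().lower())


# Constructed illustration table (NOT the proprietary coefficients).
K12_WEIGHTS = {"T": 0.20, "D": 0.20, "E": 0.20, "B": 0.12, "R": 0.04, "C": 0.12, "A": 0.12}
# Fixed here so the example is reproducible; use new_nonce() for a real commitment.
DEMO_NONCE = "00" * 32


def demo() -> Tuple[str, bool, bool]:
    """Publish a digest, verify the genuine table, then catch a retro-tuned one."""
    published = commit("2026.1", K12_WEIGHTS, DEMO_NONCE)
    genuine_ok = verify("2026.1", K12_WEIGHTS, DEMO_NONCE, published)
    tuned = dict(K12_WEIGHTS, R=0.05, A=0.11)  # same sum, shifted after the fact
    tuned_ok = verify("2026.1", tuned, DEMO_NONCE, published)
    return published, genuine_ok, tuned_ok


if __name__ == "__main__":
    digest, ok, tampered = demo()
    print(f"published sha256: {digest}\ngenuine verifies: {ok}\ntuned verifies: {tampered}")
```

Publishing the canonical form (or at least its rules) alongside the digest is what lets an auditor in any toolchain reproduce it; the nonce is the one extra field that makes the commitment hiding as well as binding, and it travels with the table under the same confidentiality terms.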
Given identical inputs, the algorithm always produces an identical priority sequence — essential for audit defensibility. An assessor reviewing results at any point in time can reproduce the exact sequence from documented inputs.
Every Priority Score decomposes into its seven constituent factor scores and applied weights. This decomposition is preserved and surfaced as plain-language rationale in your assessment report. The applied weights for your vertical are disclosed in customer reports under your engagement's confidentiality terms.
Every T score traces back to specific KEV entries, DBIR frequency data, and advisory references. Every D score traces back to a documented dependency in the control DAG. Every R score traces back to a specific audit checklist item or enforcement action.
This audit trail is maintained as structured metadata and is available for inspection at any time — supporting grant applications, audit responses, and organizational leadership briefings.
Threat intelligence (Factor T) refreshes on a per-feed cadence: CISA #StopRansomware weekly, CISA KEV and MITRE ATT&CK prevalence quarterly, MS-ISAC advisories quarterly, and the Verizon DBIR annually. Factor weights and blast radius scores are reviewed annually. Coverage Breadth (C) and Asset Exposure (A) update automatically.
The ATT&CK technique intermediary layer keeps maintenance bounded to a technique prevalence catalog rather than thousands of individual control scores. Every refresh is recorded as a versioned snapshot so changes in priority are traceable over time.
UCPA scores which controls to implement first. The Tool Trust Index (TTI) scores which tools to actually procure. The two algorithms share no scoring state and operate on different objects, but together they answer "what should I do, and what should I buy to do it?"
The UCPA was developed by Midwest Cyber, LLC and Viosoph, LLC and is implemented as a scoring engine within the FrameworkMapper platform. © 2026 Midwest Cyber, LLC and Viosoph, LLC. All rights reserved.
Run an assessment and receive a prioritized implementation roadmap with full factor-level explanations for every control recommendation.