The Verified Sovereign Computing Mark
Turning conformance into a rating a buyer can compare
The conformance checklist tells an operator whether it qualifies. The Verified Sovereign Computing Mark turns that into something a buyer can recognise and compare across competing clouds. This part of the framework is in active development; the shape below is the working model.
A tiered rating
The Mark grades a cloud into one of four tiers. The tier is a coarse classification for a procurement comparison; finer ranking within a tier is by operational metrics and market plurality, not by raw item counts.
| Tier | Meaning |
|---|---|
| Tier 1 — Conformant | Passes every MUST and the Sovereignty Test, with a current, independently audited report. |
| Tier 2 — Conformant with exceptions | Passes the cross-cutting MUSTs and the Sovereignty Test; a small number of named MUST exceptions, each with a dated remediation plan. |
| Tier 3 — Aspirant | Passes the cross-cutting MUSTs; has a published roadmap to Tier 1; self-assessed report. |
| Tier 4 — Non-conformant | Anything below Tier 3, including any cloud claiming a tier without a current public report. |
Across its dimensions - the software components, the implementor, the implementation, and the operator - the Mark is intended to work like a recognised star rating: an at-a-glance signal backed by a verifiable report.
Evidence
Every claim in a conformance report is backed by evidence of a stated class:
- Publicly verifiable - a linked, dated public artefact. Acceptable for any item.
- Audit-verified - confirmed by an independent auditor's review of internal systems.
- Declared - self-declared by the operator. Counts only for SHOULDs, never toward Tier 1 or Tier 2 qualification.
Components bound the score
A cloud is a composition of components, and its tier is bounded by the weakest one - with a deliberate exception. A non-conformant component that the customer can substitute through the cloud's documented APIs does not drag the tier down; only a load-bearing, non-conformant component does. The Component Conformance Manifest records which is which.
The procurement comparison
The Mark is designed to drop into a procurement comparison. For each candidate cloud, a buyer can line up:
- the assessed tier, the last audit date, and the auditor
- the number of independent providers at Levels 1 to 4 - the measure of market plurality
- open MUST exceptions, and the count of load-bearing non-conformant components
- a link to the full conformance report
What the Mark does not measure
Some things cannot honestly be reduced to a rating and need a parallel due-diligence process: the strategic alignment of a cloud's governance with your legal and regulatory environment, the quality of the Level 5 advisory available to you, and the political or ownership exposure of the operator and of each component's maintainer.
The Mark measures openness and replaceability. It does not measure fitness for a specific sovereignty mandate. For what the tiers are built on, see conformance and the Sovereignty Test.