
Privilege Training Mapper (CISA CPG 4.3)


    Overview

    Map privileged job functions to role-specific training modules and validate training compliance. Cross-reference the Privileged User List with the HR training log to flag missing or overdue certifications. The skill supports CISA CPG 4.3 (role-specific training for Administrative Privileges) by ensuring that each privileged role—e.g. Firewall Admin, OT Admin, Domain Admin—is tied to required training (e.g. Secure Configuration, Incident Response) and that every listed user has completed that training and kept it current.

    Example Conversation

    You: We need CPG 4.3 evidence for our water utility. I have a Privileged User List and our HR training log. Can you check who’s missing or overdue for their role-specific training?

    Agent: I’ll run compliance_matrix_checker using your Privileged User List and the training log. The tool maps each job function (e.g. Firewall Admin, OT Admin) to the required modules and checks completion and expiry (default 12 months). I’ll report who needs to be remediated.

    Agent: Running compliance_matrix_checker with privileged-user-list.csv and training-log.csv

    Agent: Check result: FAIL — two users are out of compliance. Jane Smith (Firewall Admin) is missing “Network Security” and Alex Rivera (OT Admin) has “OT/ICS Security” expired. I’ve added a short summary to the workspace. You can schedule training for them and re-run the checker after updating the log; once it passes, the matrix and this report can go into your CPG 4.3 evidence package.

    You: We use a custom role for “SCADA Operator” that should require Secure Configuration and OT/ICS Security. Can we add that?

    Agent: I can add a custom role→training mapping. Either provide a small CSV (Role, Module1, Module2, …) and pass it as roleMappingPath, or I’ll document the built-in mapping and add SCADA Operator with those two modules in a mapping file so the checker uses it on the next run.

    What the Tools Validate

    The skill includes one extension tool:

    compliance_matrix_checker cross-references the Privileged User List with the HR training log and flags anyone missing or overdue for role-specific training (CPG 4.3).

    • Inputs: Path to the Privileged User List (CSV or markdown table with identifier—Name or Email—and Role/Job Function); path to the training log (CSV or markdown table with identifier, Training Module/Course, Date Completed, and optional Expiry). Optional: validityMonths (default 12) when the log has no Expiry column; roleMappingPath for a custom role→modules file.
    • Role→training mapping: Built-in mapping covers common roles (Firewall Admin, Domain Admin, OT Admin, IT Admin, etc.) with modules such as Secure Configuration, Incident Response, OT/ICS Security, Privileged Access Management. Custom mapping can override or extend via a file (one line per role: Role, Module1, Module2, …).
    • Checks: For each user in the Privileged User List, the tool determines required modules from their role, then looks up that user in the training log. It flags missing (no completion record for a required module) and expired (completion older than validity or past an Expiry date).
    • Output: PASS if all privileged users have all required trainings current; FAIL with a list of users to remediate, showing missing and/or expired modules per user. Use the report as evidence that role-specific training is tracked and gaps are identified for CPG 4.3.
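    The check sequence in the list above, written out as an added Python example; this is not the skill's own compliance_matrix_checker code. It parses the two CSV inputs, resolves required modules from each user's role, and flags modules that are missing or expired against a fixed as-of date, with a custom mapping file overriding or extending the built-in table. The built-in mapping contents, the accepted column-name aliases, the sample users, the training records and the as-of date are all constructed for this example; the page does not publish the real tool's table. One design choice beyond the page: a user whose role has no mapping is reported as a gap rather than silently treated as compliant.

```python
import calendar
import csv
import io
from datetime import date

# Assumed built-in role->modules table (constructed; the real tool's table is not on the page).
BUILTIN_ROLE_MAPPING = {
    "Firewall Admin": ["Secure Configuration", "Network Security", "Incident Response"],
    "Domain Admin": ["Secure Configuration", "Privileged Access Management", "Incident Response"],
    "OT Admin": ["Secure Configuration", "OT/ICS Security", "Incident Response"],
    "IT Admin": ["Secure Configuration", "Incident Response"],
}


def load_role_mapping(text, base=None):
    """Parse 'Role, Module1, Module2, ...' lines; rows override or extend `base`."""
    mapping = dict(base or {})
    for row in csv.reader(io.StringIO(text)):
        cells = [c.strip() for c in row if c.strip()]
        if cells and not cells[0].startswith("#"):
            mapping[cells[0]] = cells[1:]
    return mapping


def get_field(row, *candidates):
    """Case-insensitive column lookup so 'Role' and 'Job Function' headers both work."""
    lowered = {k.strip().lower(): v for k, v in row.items() if k}
    for name in candidates:
        value = lowered.get(name.lower())
        if value and value.strip():
            return value.strip()
    return None


def identifier(row):
    # Email is the preferred join key between the two tables; Name is the fallback.
    return (get_field(row, "Email", "Name") or "").lower()


def add_months(d, months):
    """Calendar-month arithmetic, clamped to the last day of the target month."""
    index = d.month - 1 + months
    year, month = d.year + index // 12, index % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def is_current(record, as_of, validity_months):
    """Current if the Expiry column (or completion + validity window) is on/after as_of."""
    completed = get_field(record, "Date Completed", "Completed")
    if not completed:
        return False
    expiry = get_field(record, "Expiry", "Expires")
    expiry_date = (date.fromisoformat(expiry) if expiry
                   else add_months(date.fromisoformat(completed), validity_months))
    return expiry_date >= as_of


def check_compliance(users_csv, log_csv, as_of, validity_months=12, role_mapping=None):
    """Return PASS/FAIL plus, per non-compliant user, the missing and expired modules."""
    mapping = role_mapping or BUILTIN_ROLE_MAPPING
    records = {}  # (identifier, module) -> every log row for that pair
    for rec in csv.DictReader(io.StringIO(log_csv)):
        module = get_field(rec, "Training Module", "Course", "Module")
        if module:
            records.setdefault((identifier(rec), module.lower()), []).append(rec)
    users = list(csv.DictReader(io.StringIO(users_csv)))
    findings = []
    for user in users:
        role = get_field(user, "Role", "Job Function") or ""
        required = mapping.get(role)
        finding = {"user": get_field(user, "Name", "Email"), "role": role,
                   "missing": [], "expired": [], "unmapped_role": required is None}
        for module in required or []:
            rows = records.get((identifier(user), module.lower()), [])
            if not rows:
                finding["missing"].append(module)
            elif not any(is_current(r, as_of, validity_months) for r in rows):
                finding["expired"].append(module)  # every record for it has lapsed
        if finding["missing"] or finding["expired"] or finding["unmapped_role"]:
            findings.append(finding)
    return {"result": "FAIL" if findings else "PASS",
            "users_checked": len(users), "findings": findings}


# Constructed sample inputs (not real personnel or training data).
PRIVILEGED_USERS_CSV = """Name,Email,Role
Jane Smith,jane.smith@example.org,Firewall Admin
Alex Rivera,alex.rivera@example.org,OT Admin
Priya Patel,priya.patel@example.org,Domain Admin
"""
TRAINING_LOG_CSV = """Email,Training Module,Date Completed,Expiry
jane.smith@example.org,Secure Configuration,2024-09-15,
jane.smith@example.org,Incident Response,2024-10-01,
alex.rivera@example.org,Secure Configuration,2024-11-20,
alex.rivera@example.org,OT/ICS Security,2023-08-05,
alex.rivera@example.org,Incident Response,2024-11-20,
priya.patel@example.org,Secure Configuration,2024-06-30,
priya.patel@example.org,Privileged Access Management,2024-07-02,2026-07-02
priya.patel@example.org,Incident Response,2024-12-12,
"""
AS_OF = date(2025, 3, 1)  # fixed check date so the result is reproducible

if __name__ == "__main__":
    report = check_compliance(PRIVILEGED_USERS_CSV, TRAINING_LOG_CSV, AS_OF)
    print(f"Result: {report['result']} ({report['users_checked']} user(s) checked)")
    for f in report["findings"]:
        print(f"- {f['user']} ({f['role']}) missing={f['missing']} expired={f['expired']}")
```

With the constructed data the check fails on two users: Jane Smith has no record for Network Security, and Alex Rivera's only OT/ICS Security completion is older than the 12-month window. Passing `load_role_mapping("SCADA Operator, Secure Configuration, OT/ICS Security", BUILTIN_ROLE_MAPPING)` as `role_mapping` reproduces the custom-role case from the conversation above.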

    Output Excerpt

    Example checker report when two users are out of compliance:

    === CPG 4.3 Compliance Matrix Check ===
    
    Privileged User List: privileged-user-list.csv (5 user(s))
    Training Log: training-log.csv
    Validity: 12 months
    
    Result: FAIL — 2 user(s) missing or overdue for role-specific training.
    
    ## Users to remediate
    
    - **Jane Smith** (Firewall Admin) — Missing: Network Security
    - **Alex Rivera** (OT Admin) — Expired: OT/ICS Security
    
    CPG 4.3 requires role-specific training for those with Administrative Privileges. Update the training log or schedule training for the users above.
    

    After updating the training log (e.g. Jane completes Network Security, Alex renews OT/ICS Security), re-run the checker. When the result is PASS, the Privileged User List, training log, and this report form the evidence package for CPG 4.3.

    Getting Started

    Add your Privileged User List and HR training log (CSV or markdown tables) to the project workspace, then activate the Privilege Training Mapper (CISA CPG 4.3) skill. The agent will run the compliance matrix checker and help you fix any gaps so you can document role-specific training for CPG 4.3.
