# Privilege Training Mapper (CISA CPG 4.3)

> Map privileged job functions to role-specific training modules and validate training compliance. Cross-reference Privileged User List with HR training log to flag missing or overdue certifications.



Tags: CISA, CPG, Critical Infrastructure, Training, Compliance, Privileged Access


## Example Prompts

- Map our Firewall Admins and OT Admins to required training and check who is overdue
- Cross-check our Privileged User List against the HR training log for CPG 4.3
- Flag anyone with administrative privileges who is missing role-specific certification
- Document role-specific training requirements for our critical infrastructure teams

URL: https://rakenne.app/skills/privilege-training-mapper/index.md

Try this skill: https://rakenne.app/a/?skill=privilege-training-mapper



## Overview

The skill maps privileged job functions to role-specific training modules and validates training compliance by cross-referencing a Privileged User List with the HR training log, flagging certifications that are missing or overdue. It supports CISA CPG 4.3 (role-specific training for users with Administrative Privileges) by tying each privileged role, e.g. Firewall Admin, OT Admin, Domain Admin, to its required training (e.g. Secure Configuration, Incident Response) and confirming that every listed user has completed that training and kept it current.

## Example Conversation

> **You:** We need CPG 4.3 evidence for our water utility. I have a Privileged User List and our HR training log. Can you check who’s missing or overdue for their role-specific training?

> **Agent:** I’ll run `compliance_matrix_checker` using your Privileged User List and the training log. The tool maps each job function (e.g. Firewall Admin, OT Admin) to the required modules and checks completion and expiry (default 12 months). I’ll report who needs to be remediated.

> **Agent:** Running `compliance_matrix_checker` with `privileged-user-list.csv` and `training-log.csv`...

> **Agent:** Check result: **FAIL** — two users are out of compliance. Jane Smith (Firewall Admin) is missing “Network Security” and Alex Rivera (OT Admin) has “OT/ICS Security” expired. I’ve added a short summary to the workspace. You can schedule training for them and re-run the checker after updating the log; once it passes, the matrix and this report can go into your CPG 4.3 evidence package.

> **You:** We use a custom role for “SCADA Operator” that should require Secure Configuration and OT/ICS Security. Can we add that?

> **Agent:** I can add a custom role→training mapping. Either provide a small CSV (Role, Module1, Module2, ...) and pass it as `roleMappingPath`, or I’ll document the built-in mapping and add SCADA Operator with those two modules in a mapping file so the checker uses it on the next run.

## What the Tools Validate

The skill includes one extension tool:

**`compliance_matrix_checker`** cross-references the Privileged User List with the HR training log and flags anyone missing or overdue for role-specific training (CPG 4.3).

- **Inputs:** The Privileged User List (CSV or markdown table with an identifier column, Name or Email, and a Role/Job Function column) and the HR training log (CSV or markdown table with the same identifier, Training Module/Course, Date Completed and an optional Expiry column). Optional parameters: `validityMonths` (default 12), used to compute expiry when the log has no Expiry column, and `roleMappingPath`, a custom role→modules file. Use the same identifier in both files (ideally Email, which is unique and stable) so that records join reliably.
- **Role→training mapping:** The built-in mapping covers common roles (Firewall Admin, Domain Admin, OT Admin, IT Admin, etc.) with modules such as Secure Configuration, Incident Response, OT/ICS Security and Privileged Access Management. A custom mapping file (one line per role: Role, Module1, Module2, ...) can override or extend it.
- **Checks:** For each user in the Privileged User List, the tool derives the required modules from the user's role and looks up that user's records in the training log. A required module with no completion record is flagged as **missing** (a user absent from the log entirely is therefore missing every required module); a completion older than the validity window, or past its Expiry date, is flagged as **expired**.
- **Output:** PASS when every privileged user has every required training current; otherwise FAIL with a per-user list of missing and/or expired modules to remediate. The report is evidence for CPG 4.3 that role-specific training is tracked and that gaps are identified. Note that the check only covers users who appear in the Privileged User List: an account with administrative privileges that is not on the list is never evaluated, so reconcile the list against actual group or directory membership before relying on a PASS.
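The following is an added, self-contained illustration of the cross-reference logic described above, written for this page; it is not the `compliance_matrix_checker` tool's own code, and the built-in role→module table, the people, modules, dates and the `AS_OF` evaluation date are all constructed for the example. It joins the two files on a normalised identifier (Email preferred over Name), takes the latest record per user and module, computes validity from the Expiry column or from `validity_months` after completion, and reports missing and expired modules. One assumption beyond the page: a role with no mapping is reported as a finding rather than silently passing, since an unmapped privileged role would otherwise never be checked.

```python
"""Illustrative CPG 4.3 matrix check: privileged users x role-required training (example, not the tool's code)."""
import calendar
import csv
import io
from datetime import date
from typing import Dict, List, Optional, Tuple

# Constructed sample inputs (hypothetical people, modules and dates).
PRIVILEGED_USERS_CSV = """Name,Email,Role
Jane Smith,Jane.Smith@example.org,Firewall Admin
Alex Rivera,alex.rivera@example.org,OT Admin
Priya Patel,priya.patel@example.org,Domain Admin
Sam Lee,sam.lee@example.org,SCADA Operator
"""
TRAINING_LOG_CSV = """Email,Training Module,Date Completed,Expiry
jane.smith@example.org,Secure Configuration,2025-03-10,
jane.smith@example.org,Incident Response,2025-03-12,
alex.rivera@example.org,Secure Configuration,2025-01-20,
alex.rivera@example.org,OT/ICS Security,2023-02-01,2024-02-01
alex.rivera@example.org,OT/ICS Security,2024-02-01,2025-02-01
priya.patel@example.org,Secure Configuration,2025-06-01,
priya.patel@example.org,Privileged Access Management,2025-06-02,
priya.patel@example.org,Incident Response,2025-06-03,
"""
# Assumed built-in role->modules table; the page does not publish the tool's own.
DEFAULT_ROLE_MAPPING = {
    "firewall admin": ["Secure Configuration", "Incident Response", "Network Security"],
    "ot admin": ["Secure Configuration", "OT/ICS Security"],
    "domain admin": ["Secure Configuration", "Privileged Access Management", "Incident Response"],
}
# Custom mapping in the "Role, Module1, Module2, ..." line format the page describes.
CUSTOM_MAPPING_CSV = "SCADA Operator, Secure Configuration, OT/ICS Security\n"
AS_OF = date(2025, 9, 1)  # evaluation date for the sample run (constructed)


def norm(s: Optional[str]) -> str:
    """Collapse whitespace and case so identifiers and module names join across both files."""
    return " ".join((s or "").split()).lower()


def load_role_mapping(text: str) -> Dict[str, List[str]]:
    mapping: Dict[str, List[str]] = {}
    for row in csv.reader(io.StringIO(text)):
        cells = [c.strip() for c in row if c.strip()]
        if len(cells) >= 2:
            mapping[norm(cells[0])] = cells[1:]
    return mapping


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic, clamping the day (Jan 31 + 1 month -> Feb 28/29)."""
    years, m0 = divmod(d.month - 1 + months, 12)
    y, m = d.year + years, m0 + 1
    return date(y, m, min(d.day, calendar.monthrange(y, m)[1]))


def identifier(row: dict) -> str:
    # Prefer Email (unique, stable) over Name; both files must carry the same column.
    return norm(row.get("Email") or row.get("Name"))


def check_compliance(users_csv: str, log_csv: str, as_of: date,
                     validity_months: int = 12,
                     custom_mapping_csv: Optional[str] = None) -> dict:
    mapping = dict(DEFAULT_ROLE_MAPPING)
    if custom_mapping_csv:
        mapping.update(load_role_mapping(custom_mapping_csv))  # custom overrides/extends

    # Latest valid-until date per (user, module): Expiry column if present, else
    # completion + validity window. A later record supersedes an earlier one.
    valid_until: Dict[Tuple[str, str], date] = {}
    for row in csv.DictReader(io.StringIO(log_csv)):
        key = (identifier(row), norm(row["Training Module"]))
        completed = date.fromisoformat(row["Date Completed"].strip())
        expiry = (row.get("Expiry") or "").strip()
        until = date.fromisoformat(expiry) if expiry else add_months(completed, validity_months)
        if until > valid_until.get(key, date.min):
            valid_until[key] = until

    findings = []
    for row in csv.DictReader(io.StringIO(users_csv)):
        role = (row.get("Role") or row.get("Job Function") or "").strip()
        finding = {"user": row["Name"], "role": role, "missing": [], "expired": [],
                   "unknown_role": False}
        required = mapping.get(norm(role))
        if required is None:
            finding["unknown_role"] = True  # assumption: unmapped role is a finding, never a silent pass
        else:
            uid = identifier(row)
            for module in required:
                until = valid_until.get((uid, norm(module)))
                if until is None:
                    finding["missing"].append(module)   # no completion record at all
                elif until < as_of:
                    finding["expired"].append(module)   # past Expiry / validity window
        if finding["missing"] or finding["expired"] or finding["unknown_role"]:
            findings.append(finding)
    return {"result": "FAIL" if findings else "PASS", "findings": findings}


def render_report(result: dict) -> str:
    lines = [f"Result: {result['result']}: {len(result['findings'])} user(s) to remediate"]
    for f in result["findings"]:
        parts = ["Unmapped role"] if f["unknown_role"] else []
        if f["missing"]:
            parts.append("Missing: " + ", ".join(f["missing"]))
        if f["expired"]:
            parts.append("Expired: " + ", ".join(f["expired"]))
        lines.append(f"- {f['user']} ({f['role']}): " + "; ".join(parts))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(check_compliance(PRIVILEGED_USERS_CSV, TRAINING_LOG_CSV, AS_OF,
                                         custom_mapping_csv=CUSTOM_MAPPING_CSV)))
```

Run as-is, the sample flags Jane Smith (missing Network Security), Alex Rivera (OT/ICS Security expired, because the latest of his two records expired before `AS_OF`) and Sam Lee (no log entries at all, so both SCADA Operator modules are missing); drop the `custom_mapping_csv` argument and Sam is instead reported as an unmapped role. Case-folding the identifier is what lets `Jane.Smith@example.org` in the user list match `jane.smith@example.org` in the log; without it she would appear to be missing everything.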

## Output Excerpt

Example checker report when two users are out of compliance:

```
=== CPG 4.3 Compliance Matrix Check ===

Privileged User List: privileged-user-list.csv (5 user(s))
Training Log: training-log.csv
Validity: 12 months

Result: FAIL — 2 user(s) missing or overdue for role-specific training.

## Users to remediate

- **Jane Smith** (Firewall Admin) — Missing: Network Security
- **Alex Rivera** (OT Admin) — Expired: OT/ICS Security

CPG 4.3 requires role-specific training for those with Administrative Privileges. Update the training log or schedule training for the users above.
```

After updating the training log (e.g. Jane completes Network Security, Alex renews OT/ICS Security), re-run the checker. When the result is PASS, the Privileged User List, training log, and this report form the evidence package for CPG 4.3.

## Getting Started

Add your Privileged User List and HR training log (CSV or markdown tables) to the project workspace, then activate the *Privilege Training Mapper (CISA CPG 4.3)* skill. The agent will run the compliance matrix checker and help you fix any gaps so you can document role-specific training for CPG 4.3.


---

Back to [Skill Library](https://rakenne.app/skills/index.md)
