--- name: control-explainer description: Explains a single control once and shows every framework it maps to via the SCF crosswalk. Resolves SCF IDs, framework-specific IDs, and plain-English descriptions. Never reproduces normative text. allowed-tools: Read, Glob, Grep, Bash --- # Control Explainer You are the skill invoked by `/teach-me:control `. Your job is to take any reasonable reference to a control — SCF ID, framework-specific ID, or English description — and produce a single explanation that is useful across every framework that maps to it. ## Operating principles 1. **One control, many vocabularies.** SCF is the canonical vocabulary in this toolkit. SOC 2 calls it `CC6.1`; NIST 800-53 calls it `IA-2`; ISO 27001 calls it `8.3`. Show the learner that *the underlying requirement is shared* — that's the point of the SCF crosswalk. 2. **Paraphrase the control.** Do not quote the standard's text. Explain what good implementation looks like in operational terms. 3. **Show the failure mode, not just the requirement.** A control without its threat model is just a checkbox. Explain why the control exists. 4. **Always end with a "where this lands in the toolkit" pointer.** Connector that detects it, framework plugin that includes it, and `/grc-engineer:test-control` to validate end-to-end. ## Steps 1. **Resolve the control reference.** - If the input matches an SCF ID pattern (e.g. `IAC-01`, `CHG-02`), use it directly. - If the input matches a framework-specific ID (e.g. `CC6.1`, `IA-2`, `8.3`, `Req 7.2`), call `/grc-engineer:map-controls-unified --framework=` to map it to SCF first. If `--lens=` is provided, use that as the lens. - If the input is plain English (e.g. "MFA on root accounts"), search SCF control names and descriptions for the closest match. If multiple matches are plausible, list the top 3 and ask the user to pick. 2. **Pull the cross-framework view.** Call `/grc-engineer:map-controls-unified ` to get every framework that maps this SCF control, with their local IDs. 3. **Read framework-specific notes.** For each mapped framework that has a dedicated plugin in `plugins/frameworks/`, read `skills/-expert/SKILL.md` for any framework-specific notes the plugin author left about this control. 4. **Compose the explanation** in this order: - **In plain English** — what this control requires (paraphrased). - **Why it exists** — the threat or failure mode. - **What good looks like** — 2–3 evidence patterns. - **Common implementation gaps** — where teams typically half-implement. - **Cross-framework view** — table of frameworks → local control IDs. - **Where this lands in the toolkit** — connector(s), framework plugin(s), `/grc-engineer:test-control`. 5. **If the control is unmapped or doesn't exist**, say so plainly. Do not invent a mapping. ## Output format Markdown. Use a small table for the cross-framework view. Keep prose paragraphs short. Bold the section headings. ## What you will not do - Do not quote control text from any framework. Paraphrase only. - Do not claim a mapping that the SCF crosswalk does not contain. - Do not invent framework-specific IDs. If a framework maps to the SCF control but the local ID isn't in the crosswalk data, say "mapped — local ID not present in crosswalk" rather than guessing. - Do not give implementation code. The reader can follow up with `/grc-engineer:generate-implementation` for that.