
Resources

To download the Candidate Handbook, please click the button below.

 

To download the GCITP Exam Guide, please click on the button below.

 
GCITP Essential Body of Work

GCITP assessment was developed using a two-stage process. First, a practice analysis was performed to codify the community’s “skill standard.” The skill standard consisted of the Essential Body of Work (EBW), which defined the critical tasks performed by the community, and the Essential Body of Knowledge (EBK), which defined the critical knowledge and skills required to perform the EBW tasks. GCITP EBW are listed below:

| Task | Description |
| --- | --- |
| Task 1 | Identify stakeholder partners and establish priorities |
| Task 2 | Define sustainable methods for detection of irregular and/or abnormal activities and relevant reporting thresholds |
| Task 3 | Define requirements, goals, metrics, and appropriate analytics |
| Task 4 | Apply all relevant government and organization policies and procedures to core insider threat activities |
| Task 5 | Monitor and review technical and non-technical data sources to identify potential insider-related events |
| Task 6 | Perform triage to eliminate false indicators and determine relevance, credibility, probability, magnitude, and imminence of potential threats |
| Task 7 | Identify information gaps associated with potential threats |
| Task 8 | Document and track potential insider-related events and actions in defined platforms/tools |
| Task 9 | Aggregate information and determine appropriate level of escalation |
| Task 10 | Conduct appropriate insider-related investigations and gather additional data needed for analysis and decision making |
| Task 11 | Collaborate with internal and external partners, to gain access to data, expertise, and more effective use of information |
| Task 12 | Analyze, synthesize, and evaluate all data sources to identify insider threats |
| Task 13 | Create and deliver reports, presentations, and briefings for appropriate audiences |
| Task 14 | Support decision makers to determine the best methods for mitigating, transferring, or accepting risk |
| Task 15 | Assess effectiveness and efficiency of insider threat procedures to identify opportunities for continuous process improvement and provide recommendations and refinement based on learnings |
| Task 16 | Support stakeholder by monitoring and assessing the effectiveness for potential mitigation strategies and making recommendations for potential updates |
| Task 17 | Design, develop, and implement techniques and resources that enable the team to operate more efficiently and effectively |
| Task 18 | Consult with stakeholders and senior leadership to influence organizational change, behavior, and results |
| Task 19 | Follow established policies and procedures for closing an inquiry |

GCITP Essential Body of Knowledge - Technical Competencies

GCITP EBK Technical Competencies are listed below:

Competency 1 – Policies and Regulations

Complies with and stays current on relevant insider threat guidelines, policies, regulations, and laws.
PR-AoE 1 - Insider Threat Policies

Be familiar with and stay current on relevant insider threat regulations, guidelines, laws, and directives (organizational, local, state, federal, international as appropriate/needed); examples include:

  • Executive Order (EO) 13587
  • National Insider Threat Policy and Minimum Standards
  • NISPOM Change 2 (CFR Title 32, Part 117)
  • National Institute of Standards and Technology (NIST)
PR-AoE 2 - Counter Insider Threat Program - Operational Process

Knowledge of and compliance with:

  • Insider Threat Case Management process
  • Reporting chain(s) for information sharing, dissemination, and escalation
  • Insider Threat Program goals and objectives
  • Concepts and terminologies (e.g., thresholds and priorities, Multi-disciplinary Insider Threat Working Groups, Potential Risk Indicators)
PR-AoE 3 - Privacy and Civil Liberties

Complies with and stays current on relevant privacy and civil liberties protections; examples include:

  • Ethics and Compliance Policies (e.g., retaliation and whistleblower act(s))
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Equal Employment Opportunity (EEO)/Americans with Disabilities Act (ADA) compliant
  • General Data Protection Regulation (GDPR)
  • California Consumer Privacy Act (CCPA)
  • Payment Card Industry Data Security Standard (PCI DSS)
  • Federal Trade Commission (FTC) guidelines
  • Federal Communications Commission (FCC) guidelines
  • Sarbanes-Oxley Act (SOX)
PR-AoE 4 - Information Protection

Understands and complies with proper handling of sensitive information; examples include information related to:

  • Privacy and civil liberties
  • Protection of Personally Identifiable Information (PII)
  • Information collection & storage limitations
  • Protection of intellectual property and proprietary information (e.g., Non-Disclosure & Confidentiality Agreements)
PR-AoE 5 - Investigative and Operational Viability

Familiar with the investigative lifecycles related to associated pillars/disciplines and how the insider threat program might provide support (i.e., complies with proper investigative procedures and protocols for preserving chain of custody and integrity of collected information)
Competency 2 – Researching

Identifies a need for and knows where or how to gather information. Obtains, evaluates, organizes, and maintains information. Understands the Potential Risk Indicators (PRIs), capabilities, and when to engage with each pillar.
R-AoE 1 - Counterintelligence Pillar

Understands basic terms of reference, concepts, and principles related to the Counterintelligence Pillar to include:

  • Foreign Intelligence Entity (FIE) collection priorities, tactics, techniques, and procedures
  • Potential risk indicators (PRIs) (e.g., contact with foreign nationals, foreign visits, foreign travel, finances, elicitation, polygraph results)
  • Capabilities, authorities, and jurisdictions of counterintelligence (CI) organizations and/or elements
  • Reporting and escalation procedures

Identifies anomalous behaviors within the Counterintelligence Pillar and knows when and how to engage with relevant counterintelligence professionals who:

  • Provide detailed risk and threat assessments
  • Provide CI data in support of Insider threat assessments and mitigation
R-AoE 2 - Cyber Pillar

Understands basic terms of reference, concepts, and principles related to the Cyber Pillar to include:

  • User activity monitoring (UAM) for data analysis
  • UAM trigger development
  • Users, privileged users, and trusted agents
  • Potential risk indicators (PRIs) (e.g., unauthorized downloads, unauthorized access, sharing credentials, misuse of organizational systems and tools)
  • Reporting and escalation procedures

Identifies anomalous behaviors within the Cyber Pillar and knows when and how to engage with relevant cyber professionals who:

  • Provide enterprise audit monitoring, audit logs, profile data, printer log data, and download history
  • Conduct long term analysis of UAM data
  • Provide cyber data in support of Insider threat assessments and mitigation
  • Identify users, privileged users, and trusted agents
R-AoE 3 - Human Resources Pillar

Understands basic terms of reference, concepts, and principles related to the Human Resources Pillar to include:

  • Basic employment records (e.g., disciplinary actions, performance reviews, transfer applications, awards information, timesheet data, leave approvals, corporate credit card data)
  • Basic employee rights (e.g., EEO, ADA, FMLA, HIPAA)
  • Potential risk indicators (PRIs) (e.g., changes in employee behavior and/or changes in employee performance, Equal Employment Opportunity issues, workplace complaints, lying about application information (i.e., resume))
  • Reporting and escalation procedures

Identifies anomalous behaviors within the Human Resources Pillar and knows when and how to engage with relevant human resource professionals who:

  • Provide human resources (HR) data in support of Insider threat assessments and mitigation
  • Identify the field of work assigned to potential insider threat
  • Identify minimum access potential insider threat needs to perform their job
R-AoE 4 - Law Enforcement Pillar

Understands basic terms of reference, concepts, and principles related to the Law Enforcement Pillar to include:

  • Public records (e.g., arrest records, court records, civil actions)
  • Potential risk indicators (PRIs) (e.g., harassment, making threats, signs of extremism)
  • Reporting and escalation procedures

Identifies anomalous behaviors within the Law Enforcement Pillar and knows when and how to engage with relevant law enforcement professionals who:

  • Report and/or prevent suspected criminal activity
  • Provide law enforcement (LE) data in support of Insider threat assessments and mitigation
R-AoE 5 - Legal Pillar

Understands basic terms of reference, concepts, and principles related to the Legal Pillar to include:

  • Potential risk indicators (PRIs) (e.g., NDA/confidentiality violations, misuse of company systems/resources, finance violations, ethical violations, data handling violations, sabotage of company systems, theft)
  • Reporting and escalation procedures

Identifies anomalous behaviors within the Legal Pillar and knows when and how to engage with relevant legal professionals who:

  • Provide legal data in support of Insider threat assessments, mitigation, and potential prosecution
  • Provide guidance on legal requirements and boundaries
R-AoE 6 - Social and Behavioral Sciences Pillar

Understands basic terms of reference, concepts, and principles related to the social and behavioral sciences to include:

  • Psychology of insider threat
  • Critical path (e.g., predispositions, stressors, concerning behaviors, organizational responses to concerning behaviors)
  • Basic behavioral models and psychological profiles to differentiate between normative behaviors vs. anomalous behaviors
  • Potential risk indicators (PRIs) (e.g., access attributes; professional lifecycle and performance; foreign considerations; security and compliance incidents; technical activity; criminal, violent, or abusive conduct; financial considerations; substance abuse and addictive behaviors; judgment, character, and psychological conditions)
  • Role of social and behavioral sciences (SBS) in production of Insider Threat products

Identifies anomalous behaviors within the Social and Behavioral Sciences pillar and knows when and how to engage with relevant behavioral science professionals who:

  • Gain a general understanding of what is included and how to interpret mental health data found in workforce vetting forms
  • Differentiate between behavioral considerations vs. health considerations
  • Conduct real-time case reviews
  • Case studies
R-AoE 7 - Security Pillar

Understands basic terms of reference, concepts, and principles related to the Security Pillar to include:

  • Different types of security and security related policies (e.g., Personnel, Physical, Cyber, Information, Industrial, and Special Access Programs)
  • Potential risk indicators (PRIs) (e.g., unauthorized access/entry, unauthorized disclosure/leak, other incident reports)
  • Reporting and escalation procedures

Identifies anomalous behaviors within the Security Pillar and knows when and how to engage with relevant security professionals who:

  • Provide security data in support of Insider threat assessments and mitigation
  • Provide guidance on employee eligibility and access to sensitive/protected information
  • Interpret background investigation and workforce vetting/suitability data
Competency 3 - Information Analysis & Synthesis

Identifies anomalous behavior(s) and/or pattern(s) of behaviors; analyzes, interprets, and integrates data (technical and non-technical) or other information; differentiates between primary and secondary sources; evaluates and prioritizes alternatives; and assesses similarities and differences in data to develop findings and conclusions.
S-AoE 1 - Insider Threat Referral Triage

Conduct insider threat referral triage by compiling, reviewing, interpreting, correlating, and analyzing insider threat referral data in order to:

  • Differentiate between false-positive indicators and true indicators that are potentially indicative of a threat
  • Determine relevance, credibility, probability, magnitude (impact), and imminence of potential threat
  • Identify known information gaps associated with potential threats
  • Develop and recommend referral and analytic strategies
  • Document triage activities detailing reasons for referral closure or escalation
S-AoE 2 - Insider Threat Trend Analysis

Conduct timely, preventative, and relevant insider threat trend analysis in order to:

  • Identify anomalous behavior/patterns of behavior indicative of an insider threat
  • Identify new Potential Risk Indicators (PRIs) thresholds and referral guidance
  • Provide direct support to senior leaders and stakeholders for organizational mitigation considerations
S-AoE 3 - All-Source Analysis

Understand collection capabilities and reporting cycles from the primary Pillars (e.g., CI, Security, Cyber, HR, SBS, LE) and use a multi-disciplinary approach to:

  • Gather, integrate, and analyze threat-related information
  • Leverage open-source intelligence as authorized by local, state, and/or federal regulations and organizational policies
  • Aggregate, synthesize, and place information in context
  • Identify patterns and trends
  • Present summary findings in support of insider threat assessments and mitigation
S-AoE 4 - Insider Threat Assessment

Develop threat/risk assessment(s) on a potential insider threat using a multi-disciplinary approach including concepts, principles, and standards related to:

  • Potential insider threat indicators
  • Research strategies for an insider threat inquiry
  • Thresholds for reporting and action
  • Aggregation and synthesis of all-source data
  • Risk scores (risk = threat * impact * probability)
Competency 4 – Tools and Methods

Applies tools and methods to substantive discipline, domain, or area of work. Adapts existing tools and/or methods or employs new methodological approaches required for substantive discipline, domain, or area of work. A tool is defined as a physical or virtual device, application, or database used to perform work rather than something that is studied, exploited, or targeted. A method is defined as a structured and repeatable process for carrying out work.
TM-AoE 1 - Analytical Communication

Support senior leaders, stakeholders, and mitigation activities by providing analytic assessments that incorporate:

  • Analytic Standards for Analytic Products (e.g., Objective, Independent, Timely, Holistic, Descriptive)
  • Intellectual Standards (e.g., clear, accurate, precise, relevant, in-depth, logical)
  • Best practices and challenges of working with multi-disciplinary teams
  • Strategies to prevent group polarization, group think, and/or artificial consensus
TM-AoE 2 - Critical Thinking and Structured Analytic Techniques

Exercise critical thinking and structured analytic techniques when conducting insider threat activities. Document analytic processes in a clear and understandable method. These techniques include but are not limited to:

  • Hypotheses/scenario generation
  • Alternative analysis techniques
  • Argument mapping
  • Bias elimination (e.g., confirmation, hindsight, foresight, availability, overconfidence)
  • Occam’s Razor
  • Diagnostic techniques (e.g., Key Assumptions, Quality of Information, Indicators or Signposts of Change, Analysis of Competing Hypothesis)
  • Imaginative Thinking (e.g., Brainstorming, Outside-In Thinking, Red Team Analysis)
  • Contrarian Techniques (e.g., Devil’s Advocacy, Team A/Team B, High Impact/Low Probability Analysis)
TM-AoE 3 - Databases/Data Feeds, Dashboards, and Analytic Tools

Understand how to access relevant databases/data feeds (e.g., local/national, government, and commercial) and understand the basic functions/capabilities of relevant dashboards and analytic tools in order to:

  • Collect relevant insider threat related data
  • Document and track potential insider-related events and actions
  • Aggregate information and determine appropriate level of escalation
  • Conduct trend analysis
Competency 5 – Vulnerabilities Assessment and Management

Conducts assessments of individuals and organizational vulnerabilities in order to identify changes in the likelihood of an insider event, determines deviations from acceptable configurations of enterprise or local policy, assesses the level of risk, and, when appropriate, supports potential mitigation countermeasures.
VAM-AoE 1 - Counter Insider Threat Program - Organizational Structure

Understand the mission, capabilities, and structure of the organization in order to:

  • Support organizational leadership to identify key assets and vulnerabilities
  • Identify key stakeholders within the organization and their roles in the insider threat process
  • Create and/or participate in multi-disciplinary Insider Threat Working Groups (formal/informal and/or internal/external)
  • Support your organization's Insider Threat program model (e.g., Point-to-Point vs. Hub-and-Spokes)
VAM-AoE 2 - Individual Risk Assessment

Understand procedures for determining an individual’s current level of risk based on the following factors:

  • Placement and access (e.g., badges and credentials)
  • Exposure (e.g., clearance levels, administrative privileges)
  • Influence/seniority
  • Historical disciplinary actions
  • Performance reviews
  • Pervasiveness of all factors
VAM-AoE 3 - Insider Threat Mitigation: Individual

Understand how an insider threat or potential insider threat may be impacted (positively or negatively) by individual or organizational mitigation actions; considerations include:

  • Where the individual falls along the critical pathway
  • Predispositions, stressors, and concerning behaviors exhibited
  • Previous organizational responses
  • Available mitigation options (individual and organizational)

Understand and support the implementation of individual mitigation response options – CI, Cyber, HR, LE, Legal, SBS, and Security (e.g., administrative actions, performance counseling, remedial training, compliance mandate, performance improvement plan, employee assistance referral, access suspension and/or downgrades, suspension and/or termination of employment)

Monitor and assess the effectiveness and impact of chosen mitigation strategies and report findings to appropriate leaders and stakeholders

VAM-AoE 4 - Insider Threat Mitigation: Organizational

Understand how an insider threat or potential insider threat may be impacted (positively or negatively) by individual or organizational mitigation actions; considerations include:

  • Where the individual falls along the critical pathway
  • Predispositions, stressors, and concerning behaviors exhibited
  • Previous organizational responses
  • Available mitigation options (individual and organizational)

Understand and support the implementation of organizational mitigation response options – CI, Cyber, HR, LE, Legal, SBS, and Security (e.g., changes in policy, processes and procedures, and/or additional education/training/awareness)

Monitor and assess the effectiveness and impact of chosen mitigation strategies and report findings to appropriate leaders and stakeholders

GCITP Essential Body of Knowledge - Non-Technical Competencies

GCITP EBK Non-Technical Competencies are listed below:

Non-Technical Competency 1 – Communication

Understands effective and appropriate communication patterns and the ability to use and adapt that knowledge in various contexts.
COM-AoE 1 - Information Sharing

Shares information, as appropriate, with customers, colleagues, and others. Ensures colleagues receive organizational information and recognizes the responsibility and takes action to provide information within the intelligence community, to other federal, state and local law enforcement or authorities, the private sector, and/or foreign partners, as appropriate.
COM-AoE 2 – Oral Communication

Makes clear and convincing oral presentations. Listens effectively; clarifies information as needed.
COM-AoE 3 – Written Communication

Writes in a clear, concise, organized, and convincing manner for the intended audience.
Non-Technical Competency 2 – Collaboration

Implements a working practice whereby individuals, other organizational/office departments, and Insider Threat Programs work together for a common purpose to complete a task or achieve a common goal. Negotiates one’s needs to create a shared objective; cooperates and coordinates resources to execute a plan to reach goals.
COL-AoE 1 - Influencing, Advocating, Negotiating

Tailors presentations to an audience’s unique blend of goals, values, and knowledge in order to persuade others, build consensus through give and take, and gain cooperation from others in order to obtain information, resources, and/or accomplish goals.
COL-AoE 2 - Partnering

Develops networks and builds alliances; collaborates across boundaries to build strategic relationships and achieve common goals.
COL-AoE 3 - Team Building

Inspires and fosters team commitment, spirit, pride, and trust. Facilitates cooperation and motivates team members to accomplish group goals.
Non-Technical Competency 3 – Solution Development

Determines the best way of satisfying requirements for an output by evaluating baseline requirements and alternative solutions to achieve them, selecting the optimum solution, and creating a specification for the solution.
SD-AoE 1 - Problem Solving

Identifies and analyzes problems; weighs relevance and accuracy of information; generates and evaluates alternative solutions; perceives the impact and implications of decisions; and makes recommendations.
SD-AoE 2 - Systems Thinking

Understands how variables within a system interact with one another and change over time. Applies this understanding to solve complex problems and drive integration.
SD-AoE 3 - Flexibility

Is open to change and new information; rapidly adapts to new information, changing conditions, or unexpected obstacles.
SD-AoE 4 - Creativity & Innovation

Develops new insights into situations; questions conventional approaches; encourages new ideas and innovations; designs and implements new or cutting-edge programs/processes.
SD-AoE 5 - External Awareness

Understands and keeps up to date on local, national, and international policies and trends that affect the organization and shape stakeholders' views; is aware of the organization's impact on the external environment.
Non-Technical Competency 4 – Project Coordination

Streamlines the workflow of assigned tasks. Manages resources and information and assists with scheduling and planning project activities to ensure deadlines are met.
PC-AoE 1 - Decisiveness

Makes well-informed, effective, and timely decisions needed to execute core insider threat activities even when data are limited or solutions produce unpleasant consequences.
PC-AoE 2 - Planning & Evaluation

Organizes work, sets priorities, and determines resource requirements; determines short- or long-term goals and strategies to achieve them; coordinates with other organizations or parts of the organization to accomplish goals; monitors progress and evaluates outcomes.
PC-AoE 3 - Customer Service

Anticipates and meets the needs of both internal and external customers. Delivers high-quality products and services; is committed to continuous improvement.
PC-AoE 4 - Accountability

Holds self and others accountable for measurable, high-quality, timely, and cost-effective results. Determines objectives, sets priorities, and delegates work. Accepts responsibility for mistakes. Complies with established control systems and rules.
PC-AoE 5 - Integration

Searches for opportunities to collaborate and actively promotes collaboration on work products and across work domains to enhance the quality of results.
Preparing for the GCITP Exam

GCITP Certification Program strongly encourages all candidates to study each of the certification exam blueprint areas to prepare for the exam. There are several providers and courses available (both free and fee-based) that can help candidates to prepare. The list of training providers and courses below is not all inclusive but is intended to provide a few examples of the resources available to candidates. However, please be advised of the following important caveats:

  • The Certification Program does not favor or endorse any specific provider or course – listed below or otherwise.
  • Participation in these or any courses is not required to participate in the GCITP Certification Program.
  • Participating in or attending these courses does not guarantee a passing score on the GCITP exam.
  • These are not the only training opportunities available, nor does taking these specific training courses give you any advantages or guarantee that you will score higher on the GCITP exam as compared to any other training courses available in the market.
  • Whether looking at taking a course to meet the prerequisite requirements for the certification program or to maintain your existing certification, the certification program does not guarantee that the resources listed below are specifically aligned to the exam blueprint or to the exact proficiency level desired. Therefore, candidates are encouraged to evaluate the course descriptions and content areas being taught to ensure they will align to the candidate’s individual needs.
  • All of the training providers and training opportunities listed below, including those offered by the University of Maryland, have been developed by training professionals external to the GCITP Certification Program and have no direct affiliation to the professionals that developed the GCITP exam.

Some of the training providers that offer courses which could help you prepare for the GCITP exam are listed below (we plan to add additional providers as we become aware of them):

Carnegie Mellon University Software Engineering Institute CERT Insider Threat Program Manager Certificate  

Carnegie Mellon University Software Engineering Institute Insider Threat Awareness Training   

Center for Development of Security Excellence (CDSE) Insider Threat Curricula and E-Learning Courses    

Cybersecurity & Infrastructure Security Agency (CISA) Insider Threat Mitigation Resources and Tools (Training)    

Help2Protect

National Insider Threat Task Force (NITTF) Insider Threat Training Module    

University of Maryland Insider Risk Management and Mitigation Graduate Certificate

Contact us at gcitp@umd.edu to find out more.

 
 