NIST recently updated Special Publication 800-53, Security and Privacy Controls for Information Systems and Organizations, adding some critical new language to the sections covering security awareness. Here’s the skinny.
The relevant language is within Section 3.2 (see page 60).
Notice that the updated NIST standard now includes providing frequent simulated social engineering testing. Specifically, their language states, “[p]ractical exercises include no-notice social engineering attempts to collect information, gain unauthorized access, or simulate the adverse impact of opening malicious email attachments or invoking, via spear phishing attacks, malicious web links.”
Read all about it in the blog and discuss it here: