NIST 800-53 REV 5 • AWARENESS AND TRAINING
AT-2(3) — Social Engineering and Mining
Provide literacy training on recognizing and reporting potential and actual instances of social engineering and social mining.
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
No related controls listed
Supplemental Guidance
Social engineering is an attempt to trick an individual into revealing information or taking an action that can be used to breach, compromise, or otherwise adversely impact a system. Social engineering includes phishing, pretexting, impersonation, baiting, quid pro quo, thread-jacking, social media exploitation, and tailgating. Social mining is an attempt to gather information about the organization that may be used to support future attacks. Literacy training includes information on how to communicate the concerns of employees and management regarding potential and actual instances of social engineering and data mining through organizational channels based on established policies and procedures.
Practitioner Notes
Train people specifically on social engineering and social mining: social engineering is the human-targeting attack where someone manipulates or tricks employees into revealing sensitive information or taking a harmful action, and social mining is the quieter gathering of information about the organization that an attacker can use to set up those attacks later.
Example 1: Conduct annual social engineering awareness training covering phone pretexting (someone calling and pretending to be IT support), tailgating (following someone through a secure door), and baiting (leaving infected USB drives). Use real-world examples — the 2020 Twitter hack and similar incidents make excellent case studies.
Example 2: Hire a penetration testing firm to conduct a social engineering assessment annually. Have them attempt phone pretexting, physical tailgating, and phishing against your organization. Share the results (anonymized) with all employees as a training tool — nothing teaches like seeing how your own team fell for it.