
AC-7 Unsuccessful Login Attempts

PBMM (P1)
Secret (P1)
Technical

>Control Description

(A) The information system enforces a limit of [Assignment: organization-defined number] consecutive invalid logon attempts by a user during an [Assignment: organization-defined time period].
(B) The information system automatically [Selection: locks the account/node for an [Assignment: organization-defined time period]; locks the account/node until released by an administrator; delays the next logon prompt according to an [Assignment: organization-defined delay algorithm]] when the maximum number of unsuccessful attempts is exceeded.

>Supplemental Guidance

Due to the potential for denial of service, automatic lockouts initiated by the information system are usually temporary and automatically release after a predetermined time period established by the organization. If a delay algorithm is selected, the organization may choose to employ different algorithms for different information system components based on the capabilities of those components. Response to unsuccessful login attempts may be implemented at both the operating system and the application levels.

This control applies to all accesses other than those explicitly identified and documented by the organization under AC-14 (permitted actions without identification or authentication).

>Tailoring Guidance

This security control/enhancement requires a careful balance between usability and security: a threshold that is too low or a lockout that is too long lets an attacker deny service to legitimate users simply by entering wrong passwords, while a threshold that is too high or a lockout that is too short leaves online password guessing practical. Where the platform supports it, an increasing time-out period should be used, since it slows a determined attacker without locking out a legitimate user for long after a handful of typos.

For example, an original time-out of 5 minutes can become 10 minutes after the next 3 unsuccessful attempts, then 20 minutes, then 40 minutes, etc.

>Profile-Specific Parameters

(A) number: a maximum of 5
(A) time period: a period of at least 5 minutes
(B) automatic response: locks the account/node for an organization-defined time period
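The following is a worked implementation of the escalating lockout sketched under Tailoring Guidance, using the profile parameters above (5 failures within a 5-minute window trigger a 5-minute lockout). It is added illustration code, not part of the ITSG-33 catalogue or any product; the doubling schedule, the 24-hour cap, the `LockoutPolicy` class and its `attempt()` result strings, and the rule that attempts made during a lockout are refused without extending it are assumptions chosen for the example.

```python
"""Account lockout with an escalating time-out (AC-7, tailored).

Added example, not catalogue text. Thresholds follow the PBMM/Secret profile
parameters on this page; the doubling schedule and the cap are assumptions.
"""
from collections import deque
from dataclasses import dataclass, field

MAX_ATTEMPTS = 5                 # (A) number: at most 5 consecutive failures
WINDOW_SECONDS = 5 * 60          # (A) time period: failures count within 5 minutes
BASE_LOCKOUT_SECONDS = 5 * 60    # (B) first lockout lasts 5 minutes
MAX_LOCKOUT_SECONDS = 24 * 3600  # assumed cap so doubling cannot grow without bound


@dataclass
class _AccountState:
    failures: deque = field(default_factory=deque)  # timestamps of recent failures
    locked_until: float = 0.0                       # epoch seconds; 0 means not locked
    lockout_rounds: int = 0                         # escalation step, reset on success


class LockoutPolicy:
    """Decides whether a logon attempt is allowed and applies AC-7 lockouts.

    attempt() returns one of:
      "ok"         credential accepted, counters reset
      "failed"     credential rejected, still below the threshold
      "locked_now" this failure reached the threshold and started a lockout
      "locked"     attempt refused because a lockout is in force
    """

    def __init__(self):
        self._accounts = {}

    def _state(self, user):
        return self._accounts.setdefault(user, _AccountState())

    def lockout_remaining(self, user, now):
        """Seconds until the account unlocks; 0 if it is not locked."""
        return max(0.0, self._state(user).locked_until - now)

    def lockout_duration(self, rounds):
        """Escalating delay: 5, 10, 20, 40 ... minutes, capped at one day."""
        return min(BASE_LOCKOUT_SECONDS * (2 ** rounds), MAX_LOCKOUT_SECONDS)

    def attempt(self, user, credential_ok, now):
        st = self._state(user)
        if now < st.locked_until:
            # Even a correct credential is refused while locked. The attempt is
            # not counted, so hammering the account cannot extend the lockout.
            return "locked"
        if credential_ok:
            self._accounts.pop(user, None)  # forget failures and escalation
            return "ok"
        # Only failures inside the sliding window count toward the limit.
        while st.failures and now - st.failures[0] > WINDOW_SECONDS:
            st.failures.popleft()
        st.failures.append(now)
        if len(st.failures) < MAX_ATTEMPTS:
            return "failed"
        st.locked_until = now + self.lockout_duration(st.lockout_rounds)
        st.lockout_rounds += 1
        st.failures.clear()
        return "locked_now"


def demo():
    """Walk one account through two escalating lockouts and a recovery."""
    p = LockoutPolicy()
    out = []
    for t in range(5):                              # 5 bad passwords in 5 seconds
        out.append(p.attempt("alice", False, t))
    out.append(p.attempt("alice", True, 100))       # right password, still locked
    out.append(p.lockout_remaining("alice", 100))   # 204 s of the 5 minutes left
    for t in range(305, 310):                       # lockout over; 5 more failures
        out.append(p.attempt("alice", False, t))
    out.append(p.lockout_remaining("alice", 309))   # second lockout: 10 minutes
    out.append(p.attempt("alice", True, 1000))      # unlocked, correct password
    return out


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Two design points matter in practice. The lockout is capped and the escalation counter is cleared on a successful logon, which bounds the denial-of-service an attacker can inflict by deliberately failing against a known user name, the risk the Supplemental Guidance calls out. Because the guidance notes that the response may live at both the operating-system and application levels, a policy like this one belongs in the application only where the platform's own mechanism (PAM `pam_faillock`, Windows account lockout policy, an identity provider's lockout setting) is not already enforcing the same parameters; running two uncoordinated lockouts is a common way to end up with a stricter effective policy than the one documented.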
