AC-7 Unsuccessful Login Attempts

Description

This Control applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by information systems are usually temporary and automatically release after a predetermined time period established by organizations. If a delay algorithm is selected, organizations may choose to employ different algorithms for different information system components based on the capabilities of those components. Responses to unsuccessful logon attempts may be implemented at both the operating system and the application levels.

Applicability

The information resource owner, or designee, is responsible for ensuring that the measures described in this Control are implemented.

The intended audience for this Control includes, but is not limited to, all information resources owners and custodians.

Implementation

  1. The information system enforces a limit of ten (10) consecutive invalid logon attempts by a user during a ten (10) minute time period; and
  2. Accounts locked out due to multiple incorrect logon attempts should stay locked out for a minimum of fifteen (15) minutes. Accounts for Moderate or High-risk systems should remain locked until reset by an administrator.
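
The following is an added example of how the two implementation requirements above map onto application-level lockout logic; it is not code from this page or from any particular product. It assumes the caller supplies monotonic timestamps in seconds, that a successful logon resets the consecutive-failure count, that a "low" risk tier gets the temporary fifteen-minute lock and "moderate"/"high" tiers stay locked until an administrator reset, and that the authentication code rejects a logon (even with valid credentials) while the account is locked. The policy constants, class and method names are assumptions for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Optional

# Policy parameters from AC-7 as stated on this page (constructed constants).
MAX_ATTEMPTS = 10            # consecutive invalid logon attempts allowed
WINDOW_SECONDS = 10 * 60     # ... within a ten-minute period
LOCKOUT_SECONDS = 15 * 60    # minimum temporary lockout for lower-risk systems


@dataclass
class AccountState:
    """Per-account lockout bookkeeping kept by the application."""
    failures: Deque[float] = field(default_factory=deque)  # timestamps of recent failures
    locked_at: Optional[float] = None                      # when the lock was applied
    requires_admin_reset: bool = False                     # True for Moderate/High-risk systems


class LockoutPolicy:
    """Sliding-window lockout: MAX_ATTEMPTS failures within WINDOW_SECONDS locks the account."""

    def __init__(self, risk_level: str = "low") -> None:
        self.risk_level = risk_level.lower()
        self._accounts = defaultdict(AccountState)

    def is_locked(self, user: str, now: float) -> bool:
        """Report whether the account is locked at time `now`, releasing expired temporary locks."""
        st = self._accounts[user]
        if st.locked_at is None:
            return False
        if st.requires_admin_reset:
            return True  # only admin_reset() clears this lock
        if now - st.locked_at >= LOCKOUT_SECONDS:
            # Temporary lock has run its minimum duration: release and start a fresh count.
            st.locked_at = None
            st.failures.clear()
            return False
        return True

    def record_failure(self, user: str, now: float) -> bool:
        """Record an invalid logon attempt; return True if the account is (now) locked."""
        if self.is_locked(user, now):
            return True  # attempts during a lock do not extend the count
        st = self._accounts[user]
        st.failures.append(now)
        # Drop failures that fell outside the ten-minute window.
        while st.failures and now - st.failures[0] > WINDOW_SECONDS:
            st.failures.popleft()
        if len(st.failures) >= MAX_ATTEMPTS:
            st.locked_at = now
            st.requires_admin_reset = self.risk_level in ("moderate", "high")
            return True
        return False

    def record_success(self, user: str, now: float) -> bool:
        """A successful logon resets the consecutive-failure count.

        Returns False (and changes nothing) if the account is locked: the caller
        must still deny the logon in that case.
        """
        if self.is_locked(user, now):
            return False
        self._accounts[user].failures.clear()
        return True

    def admin_reset(self, user: str) -> None:
        """Administrator action that clears any lock and the failure history."""
        st = self._accounts[user]
        st.locked_at = None
        st.requires_admin_reset = False
        st.failures.clear()
```

Two properties worth checking in a real implementation are visible here: the window is evaluated on every failure (nine failures spread over more than ten minutes never lock the account), and the lock check runs before credentials are evaluated, so a correct password submitted during a lock is still refused rather than silently clearing the counter.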

Revision History

Last Updated: February 21, 2025

Previous Versions:

  • June 29, 2023
  • May 31, 2022
  • March 25, 2021
  • September 16, 2019