CMMC Practice AC.2.009
Limit unsuccessful logon attempts.
Bold Coast Security Guidance
There are two pieces to this control: You have to choose both a how many times a person can guess the password, and then for how long the account will be locked. Usual settings are to lock the account after 3-5 failed login attempts, and then lock the account for 5 minutes, up to an indefinite period, requiring the user to contact IT to have account unlocked.
DRAFT NIST SP 800-171 R2
This requirement applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by systems are, in most cases, temporary and automatically release after a predetermined period established by the organization (i.e., a delay algorithm). If a delay algorithm is selected, organizations may employ different algorithms for different system components based on the capabilities of the respective components . Responses to unsuccessful logon attempts may be implemented at the operating system and application levels.