CMMC Practice AC.L2-3.1.8

Limit unsuccessful logon attempts.

Bold Coast Security Guidance

There are two pieces to this control: you have to designate how many times a person can guess the password for a user account, and then how long the account will be locked once that number of failed logins is reached. Usual settings are to lock the account after 3-5 failed login attempts, and to lock it for anywhere from 5 minutes up to an indefinite period, requiring the user to contact IT to have the account unlocked.

Discussion From Source

DRAFT NIST SP 800-171 R2: This requirement applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by systems are, in most cases, temporary and automatically release after a predetermined period established by the organization (i.e., a delay algorithm). If a delay algorithm is selected, organizations may employ different algorithms for different system components based on the capabilities of the respective components. Responses to unsuccessful logon attempts may be implemented at the operating system and application levels.
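The two settings from the guidance above (a failure threshold and a lockout period) and the NIST note about temporary, self-releasing lockouts versus indefinite ones, worked as an application-level policy. This is an added example, not code from the page, NIST, or Bold Coast Security; the class and parameter names (LockoutPolicy, threshold, lockout_seconds, reset_window_seconds) are assumptions, and timestamps are passed in explicitly so the behaviour can be checked without waiting.

```python
"""Account lockout policy for AC.L2-3.1.8 (hypothetical, application level)."""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class _Record:
    failures: int = 0            # consecutive failures inside the reset window
    last_failure: float = 0.0    # timestamp of the most recent failure
    locked_until: Optional[float] = None  # None = not locked; inf = indefinite


@dataclass
class LockoutPolicy:
    threshold: int = 5                       # failed attempts before lockout
    lockout_seconds: Optional[float] = 300.0 # None = indefinite, admin must unlock
    reset_window_seconds: float = 900.0      # failures older than this age out
    _records: Dict[str, _Record] = field(default_factory=dict)

    def is_locked(self, user: str, now: float) -> bool:
        rec = self._records.get(user)
        if rec is None or rec.locked_until is None:
            return False
        if now >= rec.locked_until:          # temporary lockout expired: release
            rec.locked_until = None
            rec.failures = 0
            return False
        return True

    def attempt(self, user: str, password_ok: bool, now: float) -> str:
        """Record one logon attempt; returns 'ok', 'failed' or 'locked'."""
        if self.is_locked(user, now):
            return "locked"                  # reject even a correct password
        rec = self._records.setdefault(user, _Record())
        if password_ok:
            rec.failures = 0                 # success clears the counter
            return "ok"
        if now - rec.last_failure > self.reset_window_seconds:
            rec.failures = 0                 # stale failures no longer count
        rec.failures += 1
        rec.last_failure = now
        if rec.failures >= self.threshold:
            rec.locked_until = (float("inf") if self.lockout_seconds is None
                                else now + self.lockout_seconds)
            return "locked"
        return "failed"

    def admin_unlock(self, user: str) -> None:
        """Manual release, the only way out of an indefinite lockout."""
        self._records.pop(user, None)
```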
