03.01.08: Unsuccessful Logon Attempts
Control Family: Access Control
SPRS: N/A
Top Ten Failed Requirement: N/A
Supporting Publications:
SP 800-63-3 [27]
SP 800-124 [28]
Referenced in: N/A
Control Type: N/A
CPCSC Level 2: 03.01.08
CMMC Level(s): N/A
Derived From: NIST SP 800-53r5
AC-07
a. Enforce a limit of [Assignment: organization-defined number] consecutive invalid logon attempts by a user during a [Assignment: organization-defined time period].
b. Automatically [Selection (one or more): lock the account or node for an [Assignment: organization-defined time period]; lock the account or node until released by an administrator; delay next logon prompt; notify system administrator; take other action] when the maximum number of unsuccessful attempts is exceeded.
Discussion:
Due to the potential for denial of service, automatic system lockouts are, in most cases, temporary and automatically release after a predetermined time period established by the organization (i.e., using a delay algorithm). Organizations may employ different delay algorithms for different system components based on the capabilities of the respective components. Responses to unsuccessful system logon attempts may be implemented at the system and application levels. Organization-defined actions that may be taken include prompting the user to answer a secret question in addition to the username and password, invoking a lockdown mode with limited user capabilities (instead of a full lockout), allowing users to log on only from specified Internet Protocol (IP) addresses, requiring a CAPTCHA to prevent automated attacks, or applying user profiles, such as location, time of day, IP address, device, or Media Access Control (MAC) address.
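The following is an added worked example, not text or code from NIST SP 800-171 or SP 800-171A, showing how parts (a) and (b) fit together in an application-level enforcer: consecutive invalid attempts are counted only inside the organization-defined time window (ODP[01] and ODP[02]), the account is locked automatically for a defined period (ODP[04]) and released on its own when that period elapses, and an optional administrator-notification hook fires at lockout. The threshold, window and lockout values below are assumed placeholders for illustration, not organization-defined values, and the `notify` callback is a hypothetical hook.

```python
"""Added example (not from NIST SP 800-171/800-171A): in-memory enforcer for
03.01.08(a) and (b). ODP values here are assumed placeholders for illustration."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Assumed organization-defined parameters (ODPs), illustration only.
MAX_ATTEMPTS = 5           # A.03.01.08.ODP[01]: consecutive invalid attempts allowed
WINDOW_SECONDS = 15 * 60   # A.03.01.08.ODP[02]: time period over which attempts are counted
LOCKOUT_SECONDS = 30 * 60  # A.03.01.08.ODP[04]: automatic lock period (released without an admin)


@dataclass
class AccountState:
    failures: List[float] = field(default_factory=list)  # timestamps of invalid attempts in the window
    locked_until: Optional[float] = None                 # None when the account is not locked


@dataclass
class LogonLimiter:
    max_attempts: int = MAX_ATTEMPTS
    window: float = WINDOW_SECONDS
    lockout: float = LOCKOUT_SECONDS
    notify: Optional[Callable[[str, float], None]] = None  # hypothetical admin-notification hook
    accounts: Dict[str, AccountState] = field(default_factory=dict)

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user: str, now: float) -> bool:
        """True while the lock period is in force; clears the lock once it has elapsed."""
        st = self._state(user)
        if st.locked_until is not None and now < st.locked_until:
            return True
        if st.locked_until is not None:
            # Lock period elapsed: automatic release, counter reset (part b, temporary lockout).
            st.locked_until = None
            st.failures.clear()
        return False

    def record_failure(self, user: str, now: float) -> bool:
        """Record an invalid logon attempt; return True if the account is now locked."""
        st = self._state(user)
        if self.is_locked(user, now):
            return True
        # Part (a): only failures inside the sliding window count as consecutive.
        st.failures = [t for t in st.failures if now - t < self.window]
        st.failures.append(now)
        if len(st.failures) >= self.max_attempts:
            # Part (b): the max_attempts-th consecutive failure locks the account for ODP[04].
            st.locked_until = now + self.lockout
            if self.notify is not None:
                self.notify(user, st.locked_until)
            return True
        return False

    def record_success(self, user: str, now: float) -> bool:
        """Return True if a correctly authenticated logon may proceed.
        A valid credential presented during the lock period is still refused."""
        if self.is_locked(user, now):
            return False
        self._state(user).failures.clear()  # a success ends the consecutive-failure run
        return True


def simulate() -> dict:
    """Constructed scenario with the default placeholder ODPs: one failure per minute."""
    notices: List[tuple] = []
    lim = LogonLimiter(notify=lambda user, until: notices.append((user, until)))
    locked_on = None
    for n in range(1, MAX_ATTEMPTS + 1):
        if lim.record_failure("alice", 60.0 * (n - 1)) and locked_on is None:
            locked_on = n
    locked_until = lim.accounts["alice"].locked_until
    return {
        "locked_on_attempt": locked_on,
        "locked_until": locked_until,
        "notified": notices,
        "allowed_after_release": lim.record_success("alice", locked_until + 1),
    }


if __name__ == "__main__":
    print(simulate())
```

The window filter is what distinguishes "consecutive invalid attempts during a time period" from a lifetime counter: old failures age out, so ordinary typos spread over a day do not accumulate into a lockout, while a burst inside the window does. Because release is time-based rather than administrator-based, the enforcer implements the temporary lockout the Discussion favours to limit denial-of-service exposure; an assessor testing this mechanism would confirm the threshold, window and release period in effect match the values recorded in the system security plan.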
Assessment Methods and Objectives
Examine [SELECT FROM: access control policy and procedures; procedures for unsuccessful logon attempts; system design documentation; system audit records; system configuration settings; system security plan; other relevant documents or records]
Interview [SELECT FROM: personnel with information security responsibilities; system developers; system administrators]
Test [SELECT FROM: mechanisms for implementing the access control policy for unsuccessful logon attempts]
NIST SP 800-171A r3 Determining Statements
Determine if:
A.03.01.08.ODP[01]: the number of consecutive invalid logon attempts by a user allowed during a time period is defined.
A.03.01.08.ODP[02]: the time period to which the number of consecutive invalid logon attempts by a user is limited is defined.
A.03.01.08.ODP[03]: one or more of the following PARAMETER VALUES are selected: {the account or node is locked automatically for <A.03.01.08.ODP[04]: time period>; the account or node is locked automatically until released by an administrator; the next logon prompt is delayed automatically; the system administrator is notified automatically; other action is taken automatically}.
A.03.01.08.ODP[04]: the time period for an account or node to be locked is defined (if selected).
A.03.01.08.a: a limit of <A.03.01.08.ODP[01]: number> consecutive invalid logon attempts by a user during <A.03.01.08.ODP[02]: time period> is enforced.
A.03.01.08.b: <A.03.01.08.ODP[03]: SELECTED PARAMETER VALUES> when the maximum number of unsuccessful attempts is exceeded.