CMMC Practice AC.L2-3.1.8

Unsuccessful Logon Attempts: Limit unsuccessful logon attempts.

Monarch ISC Guidance

There are two pieces to this control: You have to designate how many times a person can guess the password for a user account, and then how long the account will be locked after the number of failed logins is reached. Usual settings are to lock the account after 3-5 failed login attempts, and lock the account for 5 minutes, up to an indefinite period, requiring the user to contact IT to have account unlocked.

Discussion From Source

NIST SP 800-171 R2 This requirement applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by systems are, in most cases, temporary and automatically release after a predetermined period established by the organization (i.e., a delay algorithm). If a delay algorithm is selected, organizations may employ different algorithms for different system components based on the capabilities of the respective components. Responses to unsuccessful logon attempts may be implemented at the operating system and application levels.

References