
AC-7 UNSUCCESSFUL LOGON ATTEMPTS


Overview

Number: AC-7
Title: Unsuccessful Logon Attempts
Impact: LOW
Priority: P2
Subject Area: Access Control

Instructions
The information system:
AC-7a.
Enforces a limit of [Assignment: organization-defined number] consecutive invalid logon attempts by a user during a [Assignment: organization-defined time period]; and
AC-7b.
Automatically [Selection: locks the account/node for an [Assignment: organization-defined time period]; locks the account/node until released by an administrator; delays next logon prompt according to [Assignment: organization-defined delay algorithm]] when the maximum number of unsuccessful attempts is exceeded.
Guidance
This control applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by information systems are usually temporary and automatically release after a predetermined time period established by organizations. If a delay algorithm is selected, organizations may choose to employ different algorithms for different information system components based on the capabilities of those components. Responses to unsuccessful logon attempts may be implemented at both the operating system and the application levels.
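As an added illustration (not part of the STIG or the NIST control text), the following Python sketch implements AC-7a together with the "temporary lock" selection of AC-7b, and includes a simple doubling delay as the alternative "delay algorithm" selection. The parameter values are constructed sample values, not organization-defined ones from any particular STIG, and the `LockoutPolicy` class and its methods are assumed names.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample values for the organization-defined parameters (not from any STIG).
MAX_ATTEMPTS = 3      # AC-7a: consecutive invalid attempts permitted
WINDOW_SECONDS = 900  # AC-7a: period within which attempts count as consecutive
LOCK_SECONDS = 900    # AC-7b: temporary lock; automatic release limits denial-of-service risk


@dataclass
class LogonState:
    failures: int = 0
    first_failure_at: Optional[float] = None
    locked_until: Optional[float] = None


class LockoutPolicy:
    def __init__(self, max_attempts=MAX_ATTEMPTS, window=WINDOW_SECONDS, lock=LOCK_SECONDS):
        self.max_attempts, self.window, self.lock = max_attempts, window, lock
        self.state: Dict[str, LogonState] = {}

    def is_locked(self, user: str, now: float) -> bool:
        s = self.state.get(user)
        if s is None or s.locked_until is None:
            return False
        if now >= s.locked_until:
            self.state[user] = LogonState()  # AC-7b: the lock releases automatically
            return False
        return True

    def record_attempt(self, user: str, success: bool, now: float) -> str:
        """Apply AC-7 to one logon attempt; returns 'locked', 'ok' or 'failed'."""
        if self.is_locked(user, now):
            return "locked"  # denied even when the credentials were correct
        s = self.state.setdefault(user, LogonState())
        if success:
            self.state[user] = LogonState()  # a successful logon resets the counter
            return "ok"
        # Failures older than the window are no longer "consecutive within the period".
        if s.first_failure_at is None or now - s.first_failure_at > self.window:
            s.failures, s.first_failure_at = 0, now
        s.failures += 1
        if s.failures >= self.max_attempts:
            s.locked_until = now + self.lock
            return "locked"
        return "failed"

    def prompt_delay(self, user: str) -> float:
        """Alternative AC-7b selection: delay the next prompt, doubling per failure (capped at 60 s)."""
        failures = self.state[user].failures if user in self.state else 0
        return 0.0 if failures == 0 else min(2.0 ** failures, 60.0)
```

The lock check runs before the credential result is consulted, so a correct password submitted during the lock period is still refused, which is what makes the lock effective against continued guessing.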

Enhancements
AC-7 (1) Automatic Account Lock

Withdrawn: Incorporated into AC-7.

AC-7 (2) Purge / Wipe Mobile Device
This control enhancement applies only to mobile devices for which a logon occurs (e.g., personal digital assistants, smart phones, tablets). The logon is to the mobile device, not to any one account on the device. Therefore, successful logons to any accounts on mobile devices reset the unsuccessful logon count to zero. Organizations define information to be purged/wiped carefully in order to avoid over purging/wiping which may result in devices becoming unusable. Purging/wiping may be unnecessary if the information on the device is protected with sufficiently strong encryption mechanisms.

The information system purges/wipes information from [Assignment: organization-defined mobile devices] based on [Assignment: organization-defined purging/wiping requirements/techniques] after [Assignment: organization-defined number] consecutive, unsuccessful device logon attempts.