AC-07 Unsuccessful Login Attempts
Control: The information system enforces a limit of [Assignment: organization-defined number] consecutive invalid access attempts by a user during a [Assignment: organization-defined time period] time period. The information system automatically [Selection: locks the account/node for an [Assignment: organization-defined time period], delays next login prompt according to [Assignment: organization-defined delay algorithm]] when the maximum number of unsuccessful attempts is exceeded.
Supplemental Guidance: Due to the potential for denial of service, automatic lockouts initiated by the information system are usually temporary and automatically release after a predetermined time period established by the organization.
Control Enhancements: (1) The information system automatically locks the account/node until released by an administrator when the maximum number of unsuccessful attempts is exceeded.
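As an added illustration (not part of NIST SP 800-53 and not any vendor's implementation), the following Python sketch turns the control's assignments and selection into a small lockout tracker: it counts consecutive invalid attempts inside the organization-defined window, applies a temporary lock that auto-releases (as the supplemental guidance expects), and optionally keeps the lock until an administrator releases it, as in enhancement (1). The class and method names and the default numbers are hypothetical sample values.

```python
import math
import time
from dataclasses import dataclass

@dataclass
class LockoutPolicy:
    # Constructed sample defaults for the AC-7 assignments and selection.
    max_attempts: int = 5             # [Assignment: organization-defined number]
    window_seconds: float = 900.0     # [Assignment: organization-defined time period] for counting
    lock_seconds: float = 1800.0      # temporary lock duration; auto-releases (Supplemental Guidance)
    admin_release_only: bool = False  # AC-7(1): lock until released by an administrator

class AccountLockout:
    def __init__(self, policy, clock=time.monotonic):
        self.policy = policy
        self.clock = clock          # injectable so the logic can be tested deterministically
        self._failures = {}         # account -> timestamps of recent invalid attempts
        self._locked_until = {}     # account -> release time (math.inf = admin release only)

    def is_locked(self, account):
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self.clock() < until:
            return True
        del self._locked_until[account]       # temporary lock expired: auto-release
        self._failures.pop(account, None)     # and start the consecutive count afresh
        return False

    def record_failure(self, account):
        """Register an invalid attempt; returns True if the account is (now) locked."""
        if self.is_locked(account):
            return True
        now, p = self.clock(), self.policy
        # Only attempts inside the organization-defined window count toward the limit.
        recent = [t for t in self._failures.get(account, []) if now - t <= p.window_seconds]
        recent.append(now)
        self._failures[account] = recent
        if len(recent) >= p.max_attempts:
            self._locked_until[account] = math.inf if p.admin_release_only else now + p.lock_seconds
            return True
        return False

    def record_success(self, account):
        if not self.is_locked(account):       # a valid login ends the run of consecutive failures
            self._failures.pop(account, None)

    def admin_release(self, account):         # administrator release for AC-7(1) locks
        self._locked_until.pop(account, None)
        self._failures.pop(account, None)
```

Because the lock is keyed by account, a flood of bad attempts against one name can lock out its legitimate owner, which is the denial-of-service concern the supplemental guidance raises and the reason the default here is a timed release rather than an indefinite one.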
Baseline: LOW AC-7 MOD AC-7 HIGH AC-7
Family: Access Control
Class: Technical
ISO 17799 mapping: 11.5.1
COBIT 4.1 mapping: None.
PCI-DSS v2 mapping: 8.5.13