AC-7

AC-7 H M L
Description

The information system:
a. Enforces a limit of [Assignment: organization-defined number] consecutive invalid logon attempts by a user during a [Assignment: organization-defined time period]; and
b. Automatically [Selection: locks the account/node for an [Assignment: organization-defined time period]; locks the account/node until released by an administrator; delays next logon prompt according to [Assignment: organization-defined delay algorithm]] when the maximum number of unsuccessful attempts is exceeded.

FedRAMP
  • H: AC-7(a)-1 [not more than three (3)]; AC-7(a)-2 [fifteen (15) minutes]; AC-7(b) [locks the account/node for a minimum of three (3) hours or until unlocked by an administrator]
  • M: AC-7(a)-1 [not more than three (3)]; AC-7(a)-2 [fifteen (15) minutes]; AC-7(b) [locks the account/node for thirty minutes]
  • L: AC-7(a)-1 [not more than three (3)]; AC-7(a)-2 [fifteen (15) minutes]; AC-7(b) [locks the account/node for thirty minutes]
DISA Cloud Computing SRG

a(1). Three
a(2). 15 minutes
b(1). locks the account/node
b(2). Until released by an administrator
b(3). Minimum of 5 seconds

Source:
DoD RMF TAG

Supplemental Guidance

This control applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by information systems are usually temporary and automatically release after a predetermined time period established by organizations. If a delay algorithm is selected, organizations may choose to employ different algorithms for different information system components based on the capabilities of those components. Responses to unsuccessful logon attempts may be implemented at both the operating system and the application levels.
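The following is an added worked example, not part of the control text or of any FedRAMP or DISA publication. It models the AC-7 mechanism as a small lockout enforcer: consecutive invalid logons are counted only within the organization-defined window, the lock is either temporary (released automatically, as the guidance above recommends to limit denial-of-service exposure) or held until an administrator releases it, and attempts made while locked are rejected without extending the lock. The default parameters are the FedRAMP Moderate values on this page (three attempts, fifteen minutes, thirty-minute lock); the class names, the explicit `now` clock argument and the `prompt_delay_seconds` backoff rule (doubling from a 5-second minimum, matching the DISA b(3) floor) are assumptions made for the example, since the control leaves the delay algorithm organization-defined.

```python
"""Account lockout enforcer modelled on AC-7 (added example; assumed design).

Defaults follow the FedRAMP Moderate parameters: no more than three consecutive
invalid logons within 15 minutes, then a 30-minute lock. lock_seconds=None models
"locks the account/node until released by an administrator".
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class LockoutPolicy:
    max_attempts: int = 3                      # AC-7(a)-1
    window_seconds: float = 15 * 60            # AC-7(a)-2
    lock_seconds: Optional[float] = 30 * 60    # AC-7(b); None = admin release only


@dataclass
class AccountState:
    failure_times: List[float] = field(default_factory=list)  # timestamps in window
    locked_until: Optional[float] = None  # None = not locked; inf = admin release only


class LockoutEnforcer:
    """Tracks consecutive failures per account and enforces the lock.

    Time is passed in explicitly (seconds) so the logic is deterministic and
    testable; a deployment would pass time.monotonic() or the auth server's clock.
    """

    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self._accounts: Dict[str, AccountState] = {}
        self.audit: List[str] = []  # constructed audit trail, one line per state change

    def _state(self, account: str) -> AccountState:
        return self._accounts.setdefault(account, AccountState())

    def is_locked(self, account: str, now: float) -> bool:
        st = self._state(account)
        if st.locked_until is None:
            return False
        if now < st.locked_until:
            return True
        # Temporary lock has expired: release automatically and reset the counter.
        st.locked_until = None
        st.failure_times.clear()
        self.audit.append(f"t={now:.0f} {account}: lock expired, released automatically")
        return False

    def record_failure(self, account: str, now: float) -> bool:
        """Register an invalid logon; return True if the account is now locked."""
        if self.is_locked(account, now):
            # Rejected without counting: a flood of attempts must not extend the
            # lock indefinitely (the denial-of-service concern in the guidance).
            return True
        st = self._state(account)
        st.failure_times.append(now)
        # Only failures inside the window count toward the consecutive limit.
        st.failure_times = [t for t in st.failure_times
                            if now - t <= self.policy.window_seconds]
        if len(st.failure_times) >= self.policy.max_attempts:
            st.locked_until = (float("inf") if self.policy.lock_seconds is None
                               else now + self.policy.lock_seconds)
            self.audit.append(f"t={now:.0f} {account}: locked after "
                              f"{len(st.failure_times)} consecutive failures")
            return True
        return False

    def record_success(self, account: str, now: float) -> bool:
        """Register a valid logon; return False if it was refused because locked."""
        if self.is_locked(account, now):
            return False
        self._state(account).failure_times.clear()  # a success ends the consecutive run
        return True

    def admin_unlock(self, account: str, now: float) -> None:
        st = self._state(account)
        st.locked_until = None
        st.failure_times.clear()
        self.audit.append(f"t={now:.0f} {account}: unlocked by administrator")


def prompt_delay_seconds(consecutive_failures: int, minimum: float = 5.0) -> float:
    """Assumed delay algorithm for the 'delays next logon prompt' option:
    no delay before the first failure, then doubling from a 5-second floor."""
    if consecutive_failures <= 0:
        return 0.0
    return minimum * 2 ** (consecutive_failures - 1)


def demo() -> List[str]:
    """Constructed scenario: three failures for 'alice', a rejected attempt while
    locked, then automatic release after the 30-minute lock."""
    enforcer = LockoutEnforcer(LockoutPolicy())
    for t in (0, 60, 120):
        enforcer.record_failure("alice", t)
    enforcer.record_success("alice", 130)             # refused: still locked
    enforcer.record_success("alice", 120 + 30 * 60)   # lock expired, accepted
    return enforcer.audit


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Two design points worth noting: the window is applied to the stored failure timestamps on every new failure, so a third failure more than fifteen minutes after the first does not trigger the lock, and the lock expiry check lives in `is_locked` so that both failed and successful attempts observe the release consistently.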

Related Controls