NIST 800-171 • LEVEL 2 • ACCESS CONTROL
3.1.8 — Unsuccessful Logon Attempts
Enforce a limit of [A.03.01.08.ODP.01: organization-defined number] consecutive invalid logon attempts by a user during a [A.03.01.08.ODP.02: organization-defined time period]. Automatically [A.03.01.08.ODP.03: one or more selected actions: lock out the account or node for an organization-defined time period (A.03.01.08.ODP.04); lock out the account or node until released by an administrator; delay the next logon prompt; notify the system administrator; take other action] when the maximum number of unsuccessful attempts is exceeded.
CMMC Practice Mapping
NIST 800-53 Controls
Assessment Objectives
- A.03.01.08.a: a limit of [ODP.01: organization-defined number] consecutive invalid logon attempts by a user during [ODP.02: organization-defined time period] is enforced.
- A.03.01.08.b: [ODP.03: the selected action(s): lock out the account or node for the ODP.04 time period, lock out until released by an administrator, delay the next logon prompt, notify the system administrator, or take other action] is taken automatically when the maximum number of unsuccessful attempts is exceeded.
Practitioner Notes
This control limits online password guessing: an attacker (or a bot) who keeps submitting wrong passwords must be stopped by the system before a correct guess lands. Two caveats for the implementer. First, the lockout mechanism is itself a denial-of-service lever: anyone who can reach a logon prompt can lock out a username they know, so pick a duration and reset window long enough to defeat guessing but not so long that a deliberate lockout campaign takes people offline for a working day. Second, a per-account threshold does nothing against password spraying, where one or two guesses are made against many accounts and no single counter ever reaches the limit; lockout events and overall failed-logon volume still have to be monitored, which is also the evidence an assessor will ask for under objective (b).
Example 1: In Group Policy, go to Computer Configuration → Windows Settings → Security Settings → Account Policies → Account Lockout Policy and set "Account lockout threshold", "Account lockout duration", and "Reset account lockout counter after". A common baseline is 5 invalid attempts, a 30-minute duration, and a 30-minute reset window. Note that the DISA Windows STIGs are stricter: a threshold of 3 or fewer (never 0, which disables lockout entirely), with a duration and reset window of 15 minutes or more. 5/30/30 satisfies 3.1.8 as long as those are the values your SSP declares, but it is a STIG finding. For domain accounts these settings only take effect in the Default Domain Policy (or in a fine-grained password policy, which overrides it for its members); a duration of 0 means the account stays locked until an administrator releases it, which is one of the actions the control allows.
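The following PowerShell is an added example written for this page, not code from the original or from Microsoft. It audits the domain's effective lockout policy (including fine-grained password policies, which silently override the Default Domain Policy for their members), optionally remediates the Default Domain Policy, and pulls the last day's lockout events (ID 4740) from the PDC emulator as evidence for objective (b). It assumes a domain-joined host with the RSAT ActiveDirectory module and read access to the PDC's Security log; the values in $Required are hypothetical organization-defined parameters, so substitute what your SSP declares.

```powershell
# Added example (not from the original page): audit, remediate and evidence
# the AD DS account lockout policy for NIST 800-171 3.1.8.
# Assumes: RSAT ActiveDirectory module, domain-joined host, rights to read the
# Security log on the PDC emulator. $Required holds hypothetical ODP values.
param([switch]$Remediate)

Import-Module ActiveDirectory

$Required = @{
    LockoutThreshold         = 3                            # ODP.01: attempts (STIG: 3 or fewer, never 0)
    LockoutObservationWindow = [TimeSpan]::FromMinutes(15)  # ODP.02: window in which attempts are counted
    LockoutDuration          = [TimeSpan]::FromMinutes(15)  # ODP.04: how long the account stays locked
}

function Test-LockoutPolicy {
    param($Policy, [string]$Name)
    $findings = @()
    # A threshold of 0 means "never lock out": the control is not implemented at all.
    if ($Policy.LockoutThreshold -eq 0 -or $Policy.LockoutThreshold -gt $Required.LockoutThreshold) {
        $findings += "${Name}: LockoutThreshold=$($Policy.LockoutThreshold) (required 1..$($Required.LockoutThreshold))"
    }
    if ($Policy.LockoutObservationWindow -lt $Required.LockoutObservationWindow) {
        $findings += "${Name}: LockoutObservationWindow=$($Policy.LockoutObservationWindow) (required >= $($Required.LockoutObservationWindow))"
    }
    # Duration 0 = locked until an administrator releases it, which is one of the
    # actions 3.1.8 allows, so only a non-zero duration shorter than required is a finding.
    if ($Policy.LockoutDuration -ne [TimeSpan]::Zero -and $Policy.LockoutDuration -lt $Required.LockoutDuration) {
        $findings += "${Name}: LockoutDuration=$($Policy.LockoutDuration) (required >= $($Required.LockoutDuration), or 0 for admin release)"
    }
    return $findings
}

# The Default Domain Policy covers every domain account not covered by a PSO ...
$findings = @(Test-LockoutPolicy -Policy (Get-ADDefaultDomainPasswordPolicy) -Name 'DefaultDomainPolicy')
# ... and each fine-grained password policy overrides it for its members.
foreach ($pso in Get-ADFineGrainedPasswordPolicy -Filter *) {
    $findings += @(Test-LockoutPolicy -Policy $pso -Name "PSO:$($pso.Name)")
}

if ($findings.Count -eq 0) { "Lockout policy meets the 3.1.8 parameters." }
else { $findings | ForEach-Object { "FINDING  $_" } }

if ($Remediate -and $findings.Count -gt 0) {
    # Only the Default Domain Policy is changed; review each PSO by hand.
    Get-ADDefaultDomainPasswordPolicy | Set-ADDefaultDomainPasswordPolicy `
        -LockoutThreshold $Required.LockoutThreshold `
        -LockoutObservationWindow $Required.LockoutObservationWindow `
        -LockoutDuration $Required.LockoutDuration
}

# Objective (b) evidence: every lockout is recorded as event 4740 on the PDC
# emulator, naming the locked account and the machine the bad attempts came from.
$pdc = (Get-ADDomain).PDCEmulator
$events = Get-WinEvent -ComputerName $pdc -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddDays(-1)
}

$events | ForEach-Object {
    $data = ([xml]$_.ToXml()).Event.EventData.Data
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Account = ($data | Where-Object Name -eq 'TargetUserName').'#text'
        Source  = ($data | Where-Object Name -eq 'TargetDomainName').'#text'   # "Caller Computer Name" in 4740
    }
} | Group-Object Source | Sort-Object Count -Descending |
    Select-Object Count, Name, @{n='Accounts'; e={ ($_.Group.Account | Select-Object -Unique) -join ',' }}
```

Run it without -Remediate first and keep the output with the 4740 summary as assessment evidence; one source machine locking out many different accounts in a day is the pattern of a guessing campaign rather than a user with a stale cached password.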
Example 2: In Azure AD (now Microsoft Entra ID), go to Security → Authentication methods → Password protection. Smart lockout is always on for cloud authentication; the defaults are 10 attempts and a 60-second initial lockout, and the duration grows on repeated lockouts. Changing these values (for instance to 5 attempts) requires an Entra ID P1 or higher license, and the counter is smarter than an AD DS counter: repeats of the same wrong password are not counted again, and attempts from familiar and unfamiliar locations are tracked separately. If you use pass-through authentication, set the cloud threshold lower than the AD DS threshold and the cloud duration longer than the AD DS reset window, so that an attack against the cloud endpoint locks the account in Entra ID before it can lock the on-premises account. Identity Protection (Security → Identity Protection, P2 license) adds risk-based detection that can block sign-ins for accounts under active attack.
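The following PowerShell is an added example written for this page, not code from the original or from Microsoft. It pulls the last 24 hours of Entra ID sign-in logs to show which accounts actually hit the smart-lockout action (error code 50053) as evidence for objective (b), and then looks for what a per-account threshold cannot see: one source address failing a credential check (error code 50126) against many distinct accounts. It assumes the Microsoft.Graph.Reports module, a tenant licensed for sign-in log access through the Graph API (Entra ID P1 or higher), and an account that can consent to AuditLog.Read.All and Directory.Read.All; $SprayUsers is a hypothetical tuning value, not a Microsoft default.

```powershell
# Added example (not from the original page): Entra ID lockout evidence and a
# password-spray check for NIST 800-171 3.1.8.
# Assumes: Microsoft.Graph.Reports module, P1+ tenant, AuditLog.Read.All and
# Directory.Read.All consent. $SprayUsers is a hypothetical tuning value.
Import-Module Microsoft.Graph.Reports
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All'

$since      = (Get-Date).ToUniversalTime().AddHours(-24).ToString('yyyy-MM-ddTHH:mm:ssZ')
$SprayUsers = 10   # distinct accounts one IP must fail against before we call it spraying

# Objective (b): 50053 is the smart-lockout error ("account locked, too many attempts").
$locked = Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since and status/errorCode eq 50053"
"Accounts locked by smart lockout in the last 24h: $(@($locked.UserPrincipalName | Select-Object -Unique).Count)"
$locked | Group-Object UserPrincipalName | Sort-Object Count -Descending |
    Select-Object Count, Name, @{n='FromIPs'; e={ ($_.Group.IPAddress | Select-Object -Unique) -join ',' }}

# What the threshold cannot see: 50126 is a wrong username or password. One
# source making a guess or two against many accounts never trips any counter.
$failed = Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since and status/errorCode eq 50126"
$failed | Group-Object IPAddress | ForEach-Object {
    $users = @($_.Group.UserPrincipalName | Select-Object -Unique)
    if ($users.Count -ge $SprayUsers) {
        [pscustomobject]@{ IP = $_.Name; Failures = $_.Count; DistinctUsers = $users.Count }
    }
} | Sort-Object DistinctUsers -Descending
```

A source that shows up in the second table but never in the first is exactly the case the practitioner note warns about: the lockout control is working as configured and the attack is still in progress, so the response has to come from monitoring (or from Identity Protection and Conditional Access) rather than from the threshold.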