NIST 800-171 • LEVEL 2 • ACCESS CONTROL
3.1.8 — Unsuccessful Logon Attempts
Enforce a limit of [organization-defined parameter] consecutive invalid logon attempts by a user during an [organization-defined parameter]. Automatically [organization-defined parameter] when the maximum number of unsuccessful attempts is exceeded.
CMMC Practice Mapping
NIST 800-53 Controls
Assessment Objectives
- a limit of [organization-defined parameter] consecutive invalid logon attempts by a user during an [organization-defined parameter] is enforced.
- the [organization-defined parameter] action is taken automatically when the maximum number of unsuccessful attempts is exceeded.
Practitioner Notes
This one protects you from brute-force password attacks. If someone (or a bot) keeps guessing passwords, the account should lock out before they get in.
Example 1: In Group Policy, go to Computer Configuration → Windows Settings → Security Settings → Account Policies → Account Lockout Policy. Set "Account lockout threshold" to 5 invalid logon attempts, "Account lockout duration" to 30 minutes, and "Reset account lockout counter after" to 30 minutes. This is the DoD-recommended configuration.
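The following PowerShell is an added example, not part of the original page or of any NIST or DoD guidance. It shows how an assessor or administrator can verify that the settings from Example 1 are actually in effect on a Windows host (parsing the effective policy that `net accounts` reports, locally or for the domain with `/domain`) and how to pull recent lockout events (Security event ID 4740) as evidence that the control fires. The function names (`Get-LockoutPolicy`, `Test-LockoutPolicy`, `Get-RecentLockouts`) and the expected-value parameters are this example's own choices; the 5 / 30 / 30 defaults are the values the page gives.

```powershell
# Added example: verify the effective account lockout policy and list recent lockouts.
# Requires an elevated prompt to read the Security event log.

function Get-LockoutPolicy {
    # Parses `net accounts` (effective local policy, or domain policy with -Domain)
    # into threshold / duration / observation window as integers.
    param([switch]$Domain)

    $raw = if ($Domain) { net accounts /domain } else { net accounts }
    if ($LASTEXITCODE -ne 0) { throw "net accounts failed with exit code $LASTEXITCODE" }

    # Helper: return the text after the colon on the line that starts with $Label.
    function Get-Field([string[]]$Lines, [string]$Label) {
        $line = $Lines | Where-Object { $_ -like "$Label*" } | Select-Object -First 1
        if (-not $line) { return $null }
        ($line -split ':', 2)[1].Trim()
    }

    # Helper: "Never" (lockout disabled, or lock until an admin unlocks) and any
    # non-numeric value are reported as 0 so the caller can reason about them.
    function ConvertTo-Int([string]$Value) {
        $n = 0
        if ([int]::TryParse($Value, [ref]$n)) { return $n }
        return 0
    }

    [pscustomobject]@{
        Threshold         = ConvertTo-Int (Get-Field $raw 'Lockout threshold')
        DurationMinutes   = ConvertTo-Int (Get-Field $raw 'Lockout duration (minutes)')
        ObservationWindow = ConvertTo-Int (Get-Field $raw 'Lockout observation window (minutes)')
    }
}

function Test-LockoutPolicy {
    # Compares the effective policy with the expected values (defaults: Example 1 above).
    param(
        [int]$ExpectedThreshold = 5,
        [int]$ExpectedDuration  = 30,
        [int]$ExpectedWindow    = 30,
        [switch]$Domain
    )
    $p = Get-LockoutPolicy -Domain:$Domain
    $findings = @()

    # Threshold 0 means lockout is disabled, which fails the control outright.
    if ($p.Threshold -eq 0 -or $p.Threshold -gt $ExpectedThreshold) {
        $findings += "Lockout threshold is $($p.Threshold); expected 1..$ExpectedThreshold"
    }
    # Duration 0 means 'locked until an administrator unlocks', a stricter setting
    # that the control also permits, so only a shorter non-zero duration is flagged.
    if ($p.DurationMinutes -ne 0 -and $p.DurationMinutes -lt $ExpectedDuration) {
        $findings += "Lockout duration is $($p.DurationMinutes) min; expected at least $ExpectedDuration"
    }
    if ($p.ObservationWindow -lt $ExpectedWindow) {
        $findings += "Reset counter window is $($p.ObservationWindow) min; expected at least $ExpectedWindow"
    }

    [pscustomobject]@{
        Policy    = $p
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

function Get-RecentLockouts {
    # Lists account lockouts (Security event 4740) from the last N hours. In a domain,
    # run this on the PDC emulator, which records every lockout for the domain.
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # In event 4740 the first data field is the locked account and the second
        # (named TargetDomainName in the XML) is the caller computer name.
        [pscustomobject]@{
            Time           = $_.TimeCreated
            Account        = $_.Properties[0].Value
            CallerComputer = $_.Properties[1].Value
        }
    }
}

# Usage: check the effective policy, then show what has actually locked out today.
$result = Test-LockoutPolicy
$result | Format-List
Get-RecentLockouts -Hours 24 | Format-Table -AutoSize
```

Run `Test-LockoutPolicy -Domain` on a domain-joined machine to check the domain default policy rather than the local one; if fine-grained password policies are in use, the per-user result from `Get-ADUserResultantPasswordPolicy` is what governs that account and should be checked instead. Keeping the 4740 output alongside the policy check gives an assessor both the configuration and evidence that it is enforced.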
Example 2: In Azure AD, go to Security → Authentication methods → Password protection and enable Smart Lockout. Set the lockout threshold to 5 attempts and the lockout duration to 60 seconds (Azure AD automatically increases duration for repeated lockouts). Also enable Azure AD → Security → Identity Protection to flag risky sign-ins and block accounts under active attack.