NIST 800-53 REV 5 • ACCESS CONTROL

AC-7(2) Purge or Wipe Mobile Device

Purge or wipe information from [Assignment: organization-defined mobile devices] based on [Assignment: organization-defined purging or wiping requirements and techniques] after [Assignment: organization-defined number] consecutive, unsuccessful device logon attempts.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

A mobile device is a computing device that has a small form factor such that it can be carried by a single individual; is designed to operate without a physical connection; possesses local, non-removable or removable data storage; and includes a self-contained power source. Purging or wiping the device applies only to mobile devices for which the organization-defined number of unsuccessful logons occurs. The logon is to the mobile device, not to any one account on the device. Successful logons to accounts on mobile devices reset the unsuccessful logon count to zero. Purging or wiping may be unnecessary if the information on the device is protected with sufficiently strong encryption mechanisms.

Practitioner Notes

For mobile devices, a run of failed device logon (unlock passcode) attempts beyond the threshold should cause the device to erase its own data. The wipe must be enforced locally by the device OS under MDM policy, not issued as a remote command: a stolen phone being brute-forced is usually kept offline or in a shielded bag, so a server-initiated wipe would never arrive. Three points from the supplemental guidance matter in practice. The counter is the device unlock counter, not a per-app or per-account counter, and any successful unlock resets it. The threshold should be high enough that a child or a pocket does not trigger a self-inflicted wipe; current iOS and Android releases already throttle passcode entry well before ten failures, so ten is a common choice. And the wipe is defense in depth behind full-device encryption and a strong passcode, not a substitute for them; it also presumes the data is backed up elsewhere, since a wipe triggered by accident is indistinguishable from one triggered by a thief.

Example 1: In Microsoft Intune, the failed-attempt wipe is a device configuration setting, not a compliance policy setting; a compliance policy only marks a device non-compliant and cannot wipe it. Under Devices → Configuration, create a device restrictions profile for the platform (iOS/iPadOS, Android Enterprise or Windows) and, in its Password settings, set the number of sign-in failures before the device is wiped to 10. Intune delivers the profile once; from then on the device OS itself erases the device after 10 consecutive failed unlock attempts, with no connection to Intune required at the time of the wipe.

Example 2: For iOS/iPadOS devices enrolled through Apple Business Manager (Automated Device Enrollment), have the MDM push a configuration profile containing a Passcode payload (PayloadType com.apple.mobiledevice.passwordpolicy) with maxFailedAttempts set to 10. The maxGracePeriod key is unrelated to the wipe: it controls how long after the screen locks the device can be unlocked without a passcode, so set it on its own merits. After 10 consecutive failed passcode attempts, iOS erases all content and settings itself. The erase is cryptographic: the keys protecting user data are discarded, so it completes in seconds whether or not the device can reach the MDM. Because the device was enrolled through ABM it can be supervised, which lets the MDM mark the profile non-removable so the holder of a stolen device cannot simply delete the policy.
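The following script is an added example, not part of the NIST catalog text or any vendor's tooling. It builds the iOS/iPadOS Passcode payload described in Example 2 as an unsigned .mobileconfig using only the Python standard library, then audits a profile against the organization-defined threshold so an assessor can check what an MDM is actually pushing. The payload type and key names are Apple's; the 2..11 range for maxFailedAttempts is the range Apple documents for iOS and is treated as an assumption here; the identifiers (com.example.mdm.passcode, Example Corp) are made up for the example. A real MDM signs and delivers the profile; this script only produces and checks the plist.

```python
"""Build and audit an iOS/iPadOS Passcode payload for AC-7(2).

Added example (not NIST or vendor code). Standard library only.
Apple's payload type and keys are used as documented; the 2..11
range for maxFailedAttempts is assumed from Apple's documentation.
Identifiers such as com.example.mdm.passcode are made up.
"""
import plistlib
import uuid

PASSCODE_PAYLOAD_TYPE = "com.apple.mobiledevice.passwordpolicy"
MIN_FAILED = 2   # assumed documented lower bound for maxFailedAttempts
MAX_FAILED = 11  # assumed documented upper bound for maxFailedAttempts


def build_passcode_profile(max_failed_attempts: int, min_length: int = 6,
                           org: str = "Example Corp") -> bytes:
    """Return an XML .mobileconfig whose Passcode payload makes iOS erase
    the device after `max_failed_attempts` consecutive failed unlocks."""
    if not MIN_FAILED <= max_failed_attempts <= MAX_FAILED:
        raise ValueError(
            f"maxFailedAttempts must be {MIN_FAILED}..{MAX_FAILED}")
    passcode_payload = {
        "PayloadType": PASSCODE_PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.mdm.passcode.policy",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Passcode policy",
        "forcePIN": True,                          # a passcode must exist
        "minLength": min_length,
        "maxFailedAttempts": max_failed_attempts,  # AC-7(2) threshold
        "maxInactivity": 5,                        # auto-lock after 5 min
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.mdm.passcode",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"{org} AC-7(2) passcode policy",
        "PayloadOrganization": org,
        # Honoured only on supervised devices; otherwise the user can remove it.
        "PayloadRemovalDisallowed": True,
        "PayloadContent": [passcode_payload],
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def audit_profile(profile_bytes: bytes, required_max: int) -> dict:
    """Check a profile against the organization-defined threshold.

    Returns {'compliant': bool, 'findings': [str, ...]}. A stricter
    (lower) threshold than required passes; a looser one does not."""
    findings = []
    try:
        profile = plistlib.loads(profile_bytes)
    except Exception as exc:  # InvalidFileException or XML parse error
        return {"compliant": False,
                "findings": [f"unparseable profile: {exc}"]}
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == PASSCODE_PAYLOAD_TYPE]
    if not payloads:
        findings.append("no Passcode payload: no failed-attempt wipe enforced")
    for p in payloads:
        value = p.get("maxFailedAttempts")
        if value is None:
            findings.append("maxFailedAttempts absent (platform default applies)")
        elif value > required_max:
            findings.append(
                f"maxFailedAttempts={value} exceeds required {required_max}")
        if not p.get("forcePIN"):
            findings.append("forcePIN not set: without a passcode nothing is counted")
    if not profile.get("PayloadRemovalDisallowed"):
        findings.append("profile is user-removable; holder can delete the policy")
    return {"compliant": not findings, "findings": findings}


if __name__ == "__main__":
    generated = build_passcode_profile(10)
    print(generated.decode())
    print(audit_profile(generated, required_max=10))
```

Point `audit_profile` at a profile exported from the MDM (or pulled from a test device) to confirm the deployed value matches the documented ODP; the findings list is what goes into the assessment evidence. The range check on build is deliberate: Apple silently rejects or clamps out-of-range values, and an out-of-range threshold that never takes effect looks compliant on paper.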