NIST 800-53 REV 5 • ACCESS CONTROL

AC-9(2) Successful and Unsuccessful Logons

Notify the user, upon successful logon, of the number of {{ insert: param, ac-09.02_odp.01 }} during {{ insert: param, ac-09.02_odp.02 }}.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

Information about the number of successful and unsuccessful logon attempts within a specified time period allows the user to recognize if the number and type of logon attempts are consistent with the user’s actual logon attempts.

Practitioner Notes

Show users both successful and unsuccessful logon attempts. This gives a complete picture — not just failures, but also successful logins they do not recognize, which could indicate their account is compromised.

Example 1: Configure the Windows logon information GPO (from AC-9), which shows both successful and failed logon counts. For additional detail, have users check the Security event log, filtered on Event IDs 4624 (successful) and 4625 (failed) for their username.
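The event log check from Example 1 as a script. This is an added example, not part of the control text or any vendor tooling. It assumes the account running it has read access to the Security log; `$UserName` and `$Days` are illustrative parameters, with `$Days` standing in for your organization-defined time period.

```powershell
# Added example: count successful (4624) and failed (4625) logons for one
# user over a review window. Parameter names and defaults are assumptions.
param(
    [string]$UserName = $env:USERNAME,
    [int]$Days = 30
)

$filter = @{
    LogName   = 'Security'
    Id        = 4624, 4625
    StartTime = (Get-Date).AddDays(-$Days)
}

# Errors are left visible on purpose: an access-denied message here means
# the caller cannot read the Security log, which is different from "no events".
$logons = Get-WinEvent -FilterHashtable $filter | ForEach-Object {
    # Flatten the EventData name/value pairs of each record into a hashtable.
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $result = 'Failure'
    if ($_.Id -eq 4624) { $result = 'Success' }

    [pscustomobject]@{
        Time      = $_.TimeCreated
        Result    = $result
        User      = $data['TargetUserName']
        LogonType = $data['LogonType']   # 2 = interactive, 3 = network, 10 = remote interactive
        Source    = $data['IpAddress']
    }
} | Where-Object { $_.User -eq $UserName }

# The two counts AC-9(2) asks the user to be shown.
$logons | Group-Object Result | Select-Object Name, Count

# Most recent failures, so the user can compare them with their own activity.
$logons | Where-Object Result -eq 'Failure' |
    Sort-Object Time -Descending |
    Select-Object -First 10 Time, LogonType, Source
```

Event 4624 is also written for network and service logons, so the success count is usually higher than the number of times the user typed a password; filter on `LogonType` if only interactive logons matter.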

Example 2: In M365, direct users to the mysignins.microsoft.com portal, which shows all authentication events: successful, failed, and interrupted. Users can see IP addresses, locations, and devices. Encourage users to review this monthly as part of your security awareness program.