CCI-003689

Allow the use of organization-defined authentication factors that are different from the primary authentication factors after the number of organization-defined consecutive invalid logon attempts have been exceeded.

Implementation Guidance

Determine if [AC-07(04)_ODP[01]; authentication factors allowed to be used that are different from the primary authentication factors are defined] that are different from the primary authentication factors are allowed to be used after the number of organization-defined consecutive invalid logon attempts have been exceeded

Validation Procedures

Examine: [SELECT FROM: Access control policy; procedures addressing unsuccessful logon attempts for primary and alternate authentication factors; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records]. Interview: [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities]. Test: [SELECT FROM: Mechanisms implementing access control policy for unsuccessful logon attempts].

The controls below (if any) were marked by NIST as being related to CCI-003689.