Navigate

CCI-000043

CCI-000043 Definition

Defines the maximum number of consecutive invalid logon attempts to the information system by a user during an organization-defined time period.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

Determine if a limit of [AC-07_ODP[01]; the number of consecutive invalid logon attempts by a user allowed during a time period is defined] consecutive invalid logon attempts by a user during [AC-07_ODP[02]; the time period to which the number of consecutive invalid logon attempts by a user is limited is defined] is enforced.

Validation Procedures

Examine: [SELECT FROM: Access control policy; procedures addressing unsuccessful logon attempts; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with information security responsibilities; system developers; system/network administrators]. Test: [SELECT FROM: Mechanisms implementing access control policy for unsuccessful logon attempts].

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-000043.

Control	Description
AC-7	a: Enforce a limit of [the number of consecutive invalid logon attempts by a user allowed during a time period is defined;] consecutive invalid logon attempts by a user during a [the time period to which the number of consecutive invalid logon attempts by a user is limited is defined;] ; and b: Automatically [one or more of "lock the account or node for {{ insert: param, ac-07_odp.04 }} "/"lock the account or node until released by an administrator"/"delay next logon prompt per {{ insert: param, ac-07_odp.05 }} "/"notify system administrator"/"take other {{ insert: param, ac-07_odp.06 }} "] when the maximum number of unsuccessful attempts is exceeded.

Control

Description

AC-7

a: Enforce a limit of [the number of consecutive invalid logon attempts by a user allowed during a time period is defined;] consecutive invalid logon attempts by a user during a [the time period to which the number of consecutive invalid logon attempts by a user is limited is defined;] ; and

b: Automatically [one or more of "lock the account or node for {{ insert: param, ac-07_odp.04 }} "/"lock the account or node until released by an administrator"/"delay next logon prompt per {{ insert: param, ac-07_odp.05 }} "/"notify system administrator"/"take other {{ insert: param, ac-07_odp.06 }} "] when the maximum number of unsuccessful attempts is exceeded.