Navigate

AC-7

AC-7: Unsuccessful Logon Attempts

The information system:

a: Enforces a limit of [organization-defined number] consecutive invalid logon attempts by a user during a [organization-defined time period]; and

b: Automatically [] when the maximum number of unsuccessful attempts is exceeded.

Supplemental

This control applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by information systems are usually temporary and automatically release after a predetermined time period established by organizations. If a delay algorithm is selected, organizations may choose to employ different algorithms for different information system components based on the capabilities of those components. Responses to unsuccessful logon attempts may be implemented at both the operating system and the application levels.

CIA Levels
Confidentiality	high
Integrity	high
Availability	high

Overlays
None

CSF Categories
PR.AC-7

Related Controls

The controls below (if any) were marked by NIST as being related to AC-7.

Control	Description
AC-2	The organization: a: Identifies and selects the following types of information system accounts to support organizational missions/business functions: [organization-defined information system account types]; b: Assigns account managers for information system accounts; c: Establishes conditions for group and role membership; d: Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account; e: Requires approvals by [organization-defined personnel or roles] for requests to create information system accounts; f: Creates, enables, modifies, disables, and removes information system accounts in accordance with [organization-defined procedures or conditions]; g: Monitors the use of information system accounts; h: Notifies account managers: 1: When accounts are no longer required; 2: When users are terminated or transferred; and 3: When individual information system usage or need-to-know changes; i: Authorizes access to the information system based on: 1: A valid access authorization; 2: Intended system usage; and 3: Other attributes as required by the organization or associated missions/business functions; j: Reviews accounts for compliance with account management requirements [organization-defined frequency]; and k: Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.
AC-9	The information system notifies the user, upon successful logon (access) to the system, of the date and time of the last logon (access).
AC-14	The organization: a: Identifies [organization-defined user actions] that can be performed on the information system without identification or authentication consistent with organizational missions/business functions; and b: Documents and provides supporting rationale in the security plan for the information system, user actions not requiring identification or authentication.
IA-5	The organization manages information system authenticators by: a: Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator; b: Establishing initial authenticator content for authenticators defined by the organization; c: Ensuring that authenticators have sufficient strength of mechanism for their intended use; d: Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators; e: Changing default content of authenticators prior to information system installation; f: Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators; g: Changing/refreshing authenticators [organization-defined time period by authenticator type]; h: Protecting authenticator content from unauthorized disclosure and modification; i: Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and j: Changing authenticators for group/role accounts when membership to those accounts changes.

Enhancements

The controls below (if any) add on to the requirements of AC-7.

Control	Description
AC-7(1)
AC-7(2)	The information system purges/wipes information from [organization-defined mobile devices] based on [organization-defined purging/wiping requirements/techniques] after [organization-defined number] consecutive, unsuccessful device logon attempts.

Related CCIs

The CCIs below are tied to AC-7.

CCI	Definition
CCI-000043	Defines the maximum number of consecutive invalid logon attempts to the information system by a user during an organization-defined time period.
CCI-000044	Enforce the organization-defined limit of consecutive invalid logon attempts by a user during the organization-defined time period.
CCI-001423	Defines the time period in which the organization-defined maximum number of consecutive invalid logon attempts occur.
CCI-002236	Defines the time period the information system will automatically lock the account or node when the maximum number of unsuccessful logon attempts is exceeded.
CCI-002237	Defines the delay algorithm to delay the next logon prompt when the maximum number of unsuccessful logon attempts is exceeded.
CCI-002238	Automatically lock the account or node for either an organization-defined time period, until the locked account or node is released by an administrator, or delays the next logon prompt according to the organization-defined delay algorithm when the maximum number of unsuccessful logon attempts is exceeded.