This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The information system:
a. Enforces a limit of [FedRAMP Assignment: (L)(M)(H) not more than three (3)] consecutive invalid logon attempts by a user during a [FedRAMP Assignment: (L)(M)(H) fifteen (15) minutes]; and
b. Automatically [Selection: locks the account/node for an [FedRAMP Assignment: (L)(M) locks the account/node for thirty minutes; (H) minimum of three (3) hours or until unlocked by an administrator]; locks the account/node until released by an administrator; delays next logon prompt according to [Assignment: organization-defined delay algorithm]] when the maximum number of unsuccessful attempts is exceeded.
NIST 800-53 (r4) Supplemental Guidance:
This control applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by information systems are usually temporary and automatically release after a predetermined time period established by organizations. If a delay algorithm is selected, organizations may choose to employ different algorithms for different information system components based on the capabilities of those components. Responses to unsuccessful logon attempts may be implemented at both the operating system and the application levels. Related controls: AC-2, AC-9, AC-14, IA-5.
References: None.
NIST 800-53 (r5) Discussion:
The need to limit unsuccessful logon attempts and take subsequent action when the maximum number of attempts is exceeded applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by systems are usually temporary and automatically release after a predetermined, organization-defined time period. If a delay algorithm is selected, organizations may employ different algorithms for different components of the system based on the capabilities of those components. Responses to unsuccessful logon attempts may be implemented at the operating system and the application levels. Organization-defined actions that may be taken when the number of allowed consecutive invalid logon attempts is exceeded include prompting the user to answer a secret question in addition to the username and password, invoking a lockdown mode with limited user capabilities (instead of full lockout), allowing users to only logon from specified Internet Protocol (IP) addresses, requiring a CAPTCHA to prevent automated attacks, or applying user profiles such as location, time of day, IP address, device, or Media Access Control (MAC) address. If automatic system lockout or execution of a delay algorithm is not implemented in support of the availability objective, organizations consider a combination of other actions to help prevent brute force attacks. In addition to the above, organizations can prompt users to respond to a secret question before the number of allowed unsuccessful logon attempts is exceeded. Automatically unlocking an account after a specified period of time is generally not permitted. However, exceptions may be required based on operational mission or need.
38North Guidance:
Meets Minimum Requirement:
Consecutive invalid logins must be limited to 3 within a 15-minute period.
The limit of 3 consecutive invalid logins within a 15-minute period needs to be enforced by the information system itself.
Once the 3 consecutive invalid login threshold has been exceeded, the lockout period needs to be thirty minutes for (L)(M), and a minimum of three (3) hours or until unlocked by an administrator for (H).
Best Practice:
Ensure that the limit of 3 consecutive invalid logins within a 15-minute period is configured on all system components, for both Command Line Interface (CLI) and Graphical User Interface (GUI) access.
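As an added illustration of the minimum requirement and best practice above (example code written for this page, not a 38North or FedRAMP artifact), the following Python models the AC-7 parameters as a lockout policy: three consecutive failures inside a 15-minute window lock the account for 30 minutes at (L)(M) or 3 hours at (H), with administrator release as the alternative for (H). The start time, account name and the 'ok'/'fail'/'unlock' event format are constructed for the simulation.

```python
from datetime import datetime, timedelta
# AC-7 parameters as assigned on this page: 3 consecutive failures within 15 minutes,
# then a 30-minute lock for (L)(M) or a 3-hour lock for (H).
MAX_FAILURES = 3
FAIL_WINDOW = timedelta(minutes=15)
LOCK_DURATION = {"L": timedelta(minutes=30), "M": timedelta(minutes=30), "H": timedelta(hours=3)}


class LockoutPolicy:
    """Per-account failure tracking and lockout enforcement for one impact level."""
    def __init__(self, level: str):
        self.lock_duration = LOCK_DURATION[level]
        self.failures = {}      # user -> timestamps of the current run of consecutive failures
        self.locked_until = {}  # user -> datetime at which the lock releases automatically

    def record_logon(self, user: str, success: bool, now: datetime) -> str:
        """Return 'locked', 'allowed' or 'denied' for one logon attempt made at `now`."""
        until = self.locked_until.get(user)
        if until is not None and now >= until:   # lock period has elapsed: automatic release
            self.admin_unlock(user)
        elif until is not None:
            return "locked"      # rejected without checking credentials, even valid ones
        if success:
            self.failures.pop(user, None)  # a valid logon breaks the run of consecutive failures
            return "allowed"
        # Only failures inside the 15-minute window count toward the limit.
        recent = [t for t in self.failures.get(user, []) if now - t < FAIL_WINDOW] + [now]
        self.failures[user] = recent
        if len(recent) >= MAX_FAILURES:  # the third failure in the window locks the account
            self.locked_until[user] = now + self.lock_duration
            return "locked"
        return "denied"

    def admin_unlock(self, user: str) -> None:
        # Administrator release: clears the lock and the failure history for the account.
        self.failures.pop(user, None)
        self.locked_until.pop(user, None)


def simulate(level: str, events) -> list:
    """Replay (minute_offset, action) events for one account; action is 'ok', 'fail' or 'unlock'."""
    policy, start = LockoutPolicy(level), datetime(2024, 1, 1, 9, 0)  # constructed start time
    outcomes = []
    for minute, action in events:
        if action == "unlock":
            policy.admin_unlock("user")
            outcomes.append("unlocked")
        else:
            outcomes.append(policy.record_logon("user", action == "ok", start + timedelta(minutes=minute)))
    return outcomes
```

Note that a valid password presented during the lock period is still rejected, which is the behaviour an assessor expects to see in the evidence listed below.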
Unofficial FedRAMP Guidance: None.
Assessment Evidence:
Active Directory (AD) settings, or the configuration of the user management software used by the CSP, demonstrating that 3 consecutive invalid logins in a 15-minute period lock out the user for thirty minutes (L)(M), or for three (3) hours or until unlocked by an administrator (H).
Email notification to system administrators that a user's account has been locked.
Security Information and Event Management (SIEM) alerts or a dashboard showing accounts that were locked out after invalid attempts.
Tickets that demonstrate accounts being unlocked, or their passwords reset, after the 3 consecutive invalid login threshold was met.
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD