CMMC Practice Requirement:
Limit unsuccessful logon attempts.
CMMC Requirement Explanation:
Locking an account after several consecutive failed logon attempts limits brute-force and password-guessing attacks: an attacker gets only a handful of guesses per lockout period instead of an unlimited number. The same lockout can be triggered by a legitimate user mistyping their password, and an attacker who knows a username can deliberately lock that account out (a denial of service). To give users another chance, configure accounts to unlock automatically after a set period of time (e.g., 5 minutes). An automatic unlock after several minutes still makes online guessing impractically slow, and it reduces help desk ticket load, since IT staff are otherwise kept busy unlocking user accounts by hand.
Example CMMC Implementation:
Configure your user accounts to lock after a set number of consecutive failed logon attempts. Locking an account after three failed attempts is a common setting. Then either set accounts to unlock automatically after several minutes or require your admins to unlock accounts manually, and record the threshold and unlock period you chose.
- Scenario 1:
John, an employee at your company, incorrectly entered his password three times in a row, which locked his account. John submits a help desk ticket requesting an account unlock. Your IT staff ask him to wait 5 minutes for the account to unlock automatically. Five minutes later John has remembered his password and is able to log in.
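The lockout behaviour described in the implementation and in Scenario 1, as an added example that is not from the page or from any product it mentions: a small Python login guard that locks an account after three consecutive failures and unlocks it automatically after five minutes. The class and function names, the injectable clock and the plain SHA-256 demo hashing are assumptions made for illustration (a real system would use a salted, slow password hash). run_scenario() replays Scenario 1 and also shows the detail a practitioner cares about: a correct password submitted while the account is locked is still rejected, and the password is not checked at all during the lockout window.

```python
"""Account lockout with automatic unlock (added illustration, hypothetical code)."""
import hashlib
import hmac
import time
from dataclasses import dataclass

LOCKOUT_THRESHOLD = 3        # consecutive failures before the account locks
LOCKOUT_DURATION_S = 5 * 60  # seconds until the account unlocks automatically


@dataclass
class AccountState:
    password_hash: bytes
    failures: int = 0          # consecutive failed attempts since the last success
    locked_until: float = 0.0  # epoch seconds; 0.0 means not locked


class LoginGuard:
    """Tracks failed logons per account and enforces lockout.

    `clock` is injectable so the 5-minute auto-unlock can be exercised
    without sleeping; it defaults to the real wall clock.
    """

    def __init__(self, clock=time.time):
        self.clock = clock
        self.accounts = {}  # username -> AccountState

    @staticmethod
    def _hash(password: str) -> bytes:
        # Demo hashing only (assumption): use a salted, slow KDF in production.
        return hashlib.sha256(password.encode()).digest()

    def add_user(self, username: str, password: str) -> None:
        self.accounts[username] = AccountState(self._hash(password))

    def is_locked(self, username: str) -> bool:
        acct = self.accounts[username]
        if acct.locked_until and self.clock() < acct.locked_until:
            return True
        if acct.locked_until:
            # Lockout period has elapsed: auto-unlock and clear the counter.
            acct.locked_until = 0.0
            acct.failures = 0
        return False

    def admin_unlock(self, username: str) -> None:
        """Manual unlock, for deployments that do not auto-unlock."""
        acct = self.accounts[username]
        acct.locked_until = 0.0
        acct.failures = 0

    def login(self, username: str, password: str) -> str:
        """Returns 'ok', 'bad_password' or 'locked'."""
        acct = self.accounts.get(username)
        if acct is None:
            return "bad_password"  # same answer as a wrong password: no username leak
        if self.is_locked(username):
            # Reject before checking the password: a correct guess during the
            # lockout must neither succeed nor reveal that it was correct.
            return "locked"
        if hmac.compare_digest(acct.password_hash, self._hash(password)):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= LOCKOUT_THRESHOLD:
            acct.locked_until = self.clock() + LOCKOUT_DURATION_S
        return "bad_password"


class FakeClock:
    """Controllable clock so the scenario runs instantly (test helper)."""

    def __init__(self, start: float = 1_000_000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def run_scenario() -> list:
    """Replays Scenario 1 from the page with a constructed user and password."""
    clock = FakeClock()
    guard = LoginGuard(clock)
    guard.add_user("john", "correct horse battery staple")
    results = [guard.login("john", "wrong%d" % i) for i in range(3)]  # three typos
    results.append(guard.login("john", "correct horse battery staple"))  # locked
    clock.advance(4 * 60)                                                # 4 min later
    results.append(guard.login("john", "correct horse battery staple"))  # still locked
    clock.advance(61)                                                    # past 5 min
    results.append(guard.login("john", "correct horse battery staple"))  # ok
    return results


if __name__ == "__main__":
    print(run_scenario())
```

The three parameters in this example map directly onto the settings an assessor will look for in a real system: on Windows they are the Group Policy values "Account lockout threshold", "Account lockout duration" and "Reset account lockout counter after"; on Linux with pam_faillock they are `deny` and `unlock_time`. Whichever platform you use, verify the configured threshold and unlock period with a deliberate test logon rather than by reading the policy alone.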