CMMC Practice Requirement:

Limit unsuccessful logon attempts.

CMMC Requirement Explanation:

By locking an account after several consecutive failed logon attempts you prevent brute-force attacks. An account lockout can be triggered by a legitimate user incorrectly entering their password. To give them another chance to try logging in again you can configure your accounts to automatically unlock after a set period of time (e.g., 5 minutes). By allowing accounts to automatically unlock after several minutes you can reduce IT ticket loads, otherwise IT staff may be kept busy unlocking user accounts.

Example CMMC Implementation:

Configure your user accounts to lock after consecutive failed logon attempts. Locking an account after three failed attempts is a common setting. Set your accounts to unlock after several minutes or require your admins to manually unlock accounts.


- Scenario 1:

John, an employee at your company incorrectly entered his password three times in a row, resulting in his account being locked. John submits a help desk ticket requesting an account unlock. Your IT staff asks him to wait 5 minutes for the account to unlock. 5 minutes later John has remembered his password and is able to log in.

Discover Our NIST SP 800-171 Solutions:


Compliance Accelerator

For contractors seeking compliance

Quantum Assessor

For IT service providers

Supply Chain Verifier

For contractors seeking to verify partner compliance