AC-07 Unsuccessful Login Attempts

Control: The information system enforces a limit of [Assignment: organization-defined number] consecutive invalid access attempts by a user during a [Assignment: organization-defined time period] time period. The information system automatically [Selection: locks the account/node for an [Assignment: organization-defined time period], delays next login prompt according to [Assignment: organization-defined delay algorithm]] when the maximum number of unsuccessful attempts is exceeded.

Supplemental Guidance: Due to the potential for denial of service, automatic lockouts initiated by the information system are usually temporary and automatically release after a predetermined time period established by the organization.

Control Enhancements:
(1) The information system automatically locks the account/node until released by an administrator when the maximum number of unsuccessful attempts is exceeded.

Baseline: LOW AC-7; MOD AC-7; HIGH AC-7
Family: Access Control
Class: Technical
ISO 17799 mapping: 11.5.1
COBIT 4.1 mapping: None.
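The following is an added illustration, not part of the NIST control text, of how the AC-7 parameters map onto a login-attempt limiter: a counting window, a consecutive-failure limit, a temporary lockout that auto-releases (per the Supplemental Guidance), and an administrator-release mode for Enhancement (1). It implements the "locks the account/node" selection only, not the delay-algorithm alternative; the class, method names and policy values are all constructed for this example.

```python
from __future__ import annotations
import math
from dataclasses import dataclass, field

@dataclass
class Ac7Policy:
    """Organization-defined AC-7 parameters (defaults are constructed examples)."""
    max_attempts: int = 5             # consecutive invalid attempts allowed
    window_seconds: float = 900.0     # period over which attempts are counted
    lockout_seconds: float = 1800.0   # temporary lockout, auto-releases when it expires
    admin_release_only: bool = False  # Enhancement (1): lock until an administrator releases

@dataclass
class _Account:
    failures: list[float] = field(default_factory=list)  # timestamps of consecutive failures
    locked_until: float | None = None                     # None = unlocked, inf = admin only

class LoginLimiter:
    def __init__(self, policy: Ac7Policy):
        self.policy = policy
        self._accounts: dict[str, _Account] = {}

    def _acct(self, user: str) -> _Account:
        return self._accounts.setdefault(user, _Account())

    def is_locked(self, user: str, now: float) -> bool:
        acct = self._acct(user)
        if acct.locked_until is None:
            return False
        if now >= acct.locked_until:  # temporary lock has expired: release automatically
            acct.locked_until = None
            acct.failures.clear()
            return False
        return True

    def record_failure(self, user: str, now: float) -> bool:
        """Record an invalid attempt; return True if the account is now locked."""
        if self.is_locked(user, now):
            return True
        acct = self._acct(user)
        # Only failures inside the organization-defined window count toward the limit.
        acct.failures = [t for t in acct.failures if now - t <= self.policy.window_seconds]
        acct.failures.append(now)
        if len(acct.failures) >= self.policy.max_attempts:
            acct.locked_until = (math.inf if self.policy.admin_release_only
                                 else now + self.policy.lockout_seconds)
            return True
        return False

    def record_success(self, user: str, now: float) -> bool:
        """A valid login resets the consecutive-failure count; refused while locked."""
        if self.is_locked(user, now):
            return False
        self._acct(user).failures.clear()
        return True

    def admin_release(self, user: str) -> None:
        """Enhancement (1): an administrator unlocks the account and clears its history."""
        self._accounts[user] = _Account()
```

Timestamps are passed in explicitly so the behaviour is deterministic and testable; a deployment would supply a monotonic clock.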
