AC-07 Unsuccessful Login Attempts

Access Control

Baselines: Low, Moderate, High

Description

The information system enforces a limit of [Assignment: organization-defined number] consecutive invalid access attempts by a user during a [Assignment: organization-defined time period] time period. The information system automatically [Selection: locks the account/node for an [Assignment: organization-defined time period], delays next login prompt according to [Assignment: organization-defined delay algorithm.]] when the maximum number of unsuccessful attempts is exceeded.

Supplemental Guidance

Due to the potential for denial of service, automatic lockouts initiated by the information system are usually temporary and automatically release after a predetermined time period established by the organization.

Changes from Rev 4

Parameter includes additional selection options for the action taken when the number of allowed consecutive invalid logon attempts is exceeded. Discussion amplifies the control text with examples of additional actions that help prevent brute force attacks.

Enhancements

(1) The information system automatically locks the account/node until released by an administrator when the maximum number of unsuccessful attempts is exceeded.
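The description, supplemental guidance and enhancement (1) together specify a small state machine: count consecutive failures inside an organization-defined window, lock on reaching the threshold, and either release automatically after a fixed period or hold the lock until an administrator clears it. The following is an added illustration of that logic, not code from NIST or any referenced framework; the parameter values, account names and timestamps are constructed for the example, and the "delay next prompt" selection is not modelled.

```python
from collections import defaultdict, deque


class LockoutPolicy:
    """AC-07 lockout: max_attempts consecutive failures within window_s seconds
    locks the account for lock_s seconds (organization-defined values, assumed).
    admin_release=True models enhancement (1): the lock never expires on its own."""

    def __init__(self, max_attempts=5, window_s=900, lock_s=1800, admin_release=False):
        self.max_attempts = max_attempts
        self.window_s = window_s
        self.lock_s = lock_s
        self.admin_release = admin_release
        self._failures = defaultdict(deque)  # account -> timestamps of recent failures
        self._locked_until = {}              # account -> release time (inf = admin only)

    def is_locked(self, account, now):
        until = self._locked_until.get(account)
        if until is None:
            return False
        if now >= until:
            # Temporary lock has elapsed: auto-release, per the supplemental guidance.
            del self._locked_until[account]
            self._failures[account].clear()
            return False
        return True

    def record_failure(self, account, now):
        """Register an invalid attempt; returns True if the account is (now) locked."""
        if self.is_locked(account, now):
            return True
        q = self._failures[account]
        q.append(now)
        while q and now - q[0] > self.window_s:  # drop failures outside the window
            q.popleft()
        if len(q) >= self.max_attempts:
            release = float("inf") if self.admin_release else now + self.lock_s
            self._locked_until[account] = release
            return True
        return False

    def record_success(self, account, now):
        """A valid credential resets the consecutive counter, but never bypasses a lock."""
        if self.is_locked(account, now):
            return False
        self._failures[account].clear()
        return True

    def admin_unlock(self, account):
        self._locked_until.pop(account, None)
        self._failures[account].clear()
```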

Compliance Mappings

ISO 27002:2022: 5.15
COBIT 2019: DSS05
CIS Controls v8: CIS 4.10
NIS2 Directive: Art. 21(2)(i)
MAS TRM: 9
BSI IT-Grundschutz: ORP.4
ANSSI: Hygiene.10, Hygiene.12, SecNumCloud.10.5
FINMA Circular 2023/1: IV.B.d(59), IV.C(61)
OSFI B-13: B-13.3.2
EU GDPR: Art.32(1)(b), Art.32(1)(d)
EU DORA: Art.9(4)(c)
BIO2: 5.15
RBI CSF: Annex1.8
FISC Security Guidelines: FISC.T2
MLPS 2.0: 8.1.4.1
DNB Good Practice: DNB.17.2
EU CRA: CRA.I.2d
SWIFT CSCF: SWIFT.4.1
SAMA CSF: 3.1
NCA ECC: 2-2
UAE IA: T9
CBB TM: TM-6
Qatar NIA: AC
CBUAE: CR-4
CBE CSF: CTO-1
SA JS2: JS2-7.1, JS2-8.1
CBN CSF: Part3.2
BoG CISD: CISD-VIII
POPIA: s19
BoM CTRM: 3.3
IOSCO Cyber Resilience: PROT-1
CPMI-IOSCO PFMI: CG.PR
FFIEC IS: II.C.15
HIPAA Security Rule: §164.308(a)(5)(ii)(C), §164.312(a)(1)
ECB CROE: CROE.2.3.1
EBA ICT Guidelines: 3.4.2
SEBI CSCRF: PR.AA
BOT Cyber Resilience: Ch2.2, Ch8.2
CMMC 2.0: AC
10 CFR 73.54: RG5.71-A-AC
TSA Pipeline SD: SD-2 Sec B
IEEE 1686-2022: 5.7
DOE C2M2 v2.1: ACCESS
API 1164: Sec 6
AWIA: AWWA Sec 3
IAEA NSS 17-T: Sec 5.3
FIPS 140-3: FIPS 140-3 §7.4
Common Criteria: CC Part 2 — FIA; CC Part 2 — FRU/FTA/FTP
Solvency II: EIOPA-ICT-4.4
Lloyd's Minimum Standards: MS8.3
NAIC Insurance Data Security: 4-access
FCA SYSC 13: SYSC 13.7.3
HITRUST CSF v11: 01.c
FDA 21 CFR Part 11: §11.10(d), §11.200(a)(1)(ii)
FDA Cybersecurity Guidance: SA-1
ISO 27799: 9.5
NHS DSPT: NDG-4.3
OWASP MASVS v2.1: MASVS-AUTH-2
ISO 17799 (legacy): 11.5.1
COBIT 4.1 (legacy): None.