AC.2.009

Control Acronym

AC

Family

Access Control

CMMC Level

2

800-171 Control #

3.1.8

CMMC Description

Limit unsuccessful logon attempts.

CMMC Clarification

Consecutive, unsuccessful logon attempts may indicate malicious activity. You can mitigate these types of attacks by limiting the number of unsuccessful logon attempts. There are many ways to do this. Having three consecutive, unsuccessful logon attempts is a common setting. Organizations should set this number at a level that fits their risk profile. Fewer unsuccessful attempts provide higher security. After the system locks an account, it has several options to unlock it. The most common is to keep the account locked for a predefined time. After that time, the account unlocks. Another option is to keep the account locked until an administrator unlocks it. Example You attempt to log on to your work computer. You mistype your password three times in a row. You call your IT help desk or administrator. The administrator tells you your account is locked. He explains that all passwords lock after three unsuccessful logon attempts. This limits the effectiveness of brute-force and other password attacks. He tells you he can unlock it, or you can wait five minutes and the account will unlock automatically.

800-171 Description

Limit unsuccessful logon attempts.

800-171 Discussion

This requirement applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by systems are, in most cases, temporary and automatically release after a predetermined period established by the organization (i.e., a delay algorithm). If a delay algorithm is selected, organizations may employ different algorithms for different system components based on the capabilities of the respective components. Responses to unsuccessful logon attempts may be implemented at the operating system and application levels.

Other Source Discussion

N/A

CIS Control References

NIST 800-53 Control Ref.

NIST SP 800-53 Rev 4 AC-7

CMMC Derived

NIST CSF Control References

NIST 800-171 References

NIST SP 800-171 Rev 1 3.1.8

Applicable FAR Clause

NIST CSF Control Reference

NIST CSF v1.1 PR.AC-7

CERT RMM Reference

Modification of NIST 800-171B Reference

NIST 800-171B Reference

UK NCSCCyber Reference

AS ACSC Reference

Assessment Sub-Criteria 1

AC.2.009.[a] the means of limiting unsuccessful logon attempts is defined; and

Assessment Sub-Criteria 2

AC.2.009.[b] the defined means of limiting unsuccessful logon attempts is implemented.

Assessment Sub-Criteria 3

Assessment Sub-Criteria 4

Assessment Sub-Criteria 5

Assessment Sub-Criteria 6

Assessment Sub-Criteria 7

Assessment Sub-Criteria 8

Assessment Sub-Criteria 9

Assessment Sub-Criteria 10

Assessment Sub-Criteria 11

Assessment Sub-Criteria 12

Assessment Sub-Criteria 13

Assessment Sub-Criteria 14

Assessment Sub-Criteria 15