Control: The information system:
a. Enforces a limit of [Assignment: organisation-defined number] consecutive invalid logon attempts by a user during a [Assignment: organisation-defined time period]; and
b. Automatically [Selection: locks the account/node for an [Assignment: organisation-defined time period]; locks the account/node until released by an administrator; delays next logon prompt according to [Assignment: organisation-defined delay algorithm]] when the maximum number of unsuccessful attempts is exceeded.
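The following sketch shows what parts a and b look like as enforcement logic. It is an added illustration, not text from the control catalogue: the class and parameter names are assumptions, the sliding window implements the "time period", and the doubling backoff stands in for the organisation-defined delay algorithm of the third selection.

```python
from dataclasses import dataclass, field

@dataclass
class LogonPolicy:
    max_attempts: int      # AC-7 a: organisation-defined number of invalid attempts
    window: float          # AC-7 a: organisation-defined time period, in seconds
    mode: str              # AC-7 b selection: "timed", "admin" or "delay"
    lock_period: float = 900.0   # "timed": organisation-defined lock period
    base_delay: float = 2.0      # "delay": first delay, doubled per extra failure

@dataclass
class Account:
    failures: list = field(default_factory=list)  # timestamps of invalid logons
    blocked_until: float = 0.0                    # timed lock or delayed prompt
    admin_locked: bool = False                    # lock until administrator releases

class LogonGuard:
    """Per-account tracker for consecutive invalid logons (AC-7 a and b)."""
    def __init__(self, policy: LogonPolicy):
        self.policy, self.accounts = policy, {}

    def _acct(self, user):
        return self.accounts.setdefault(user, Account())

    def may_prompt(self, user, now):
        """Return (allowed, seconds the next logon prompt must wait)."""
        a = self._acct(user)
        if a.admin_locked:
            return False, None
        return now >= a.blocked_until, max(0.0, a.blocked_until - now)

    def record_failure(self, user, now):
        a, p = self._acct(user), self.policy
        # AC-7 a: only invalid attempts inside the sliding time window count
        a.failures = [t for t in a.failures if now - t < p.window] + [now]
        over = len(a.failures) - p.max_attempts  # >= 0 once the limit is reached
        if over < 0:
            return
        if p.mode == "admin":
            a.admin_locked = True
        elif p.mode == "timed":
            a.blocked_until = now + p.lock_period
        else:  # "delay": exponential backoff, an assumed delay algorithm
            a.blocked_until = now + p.base_delay * 2 ** over

    def record_success(self, user):
        self.accounts[user] = Account()  # a successful logon resets the count to zero

    def admin_release(self, user):
        self.accounts[user] = Account()  # administrator clears an "admin" lock
```

The lock triggers on the Nth invalid attempt inside the window; an organisation that reads "exceeded" as N+1 would change the `over < 0` test to `over < 1`.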
Unsuccessful logon attempts Control Enhancements:
AC-7 (1) Unsuccessful logon attempts - Automatic account lock
[Withdrawn: Incorporated into AC-7].
AC-7 (2) Unsuccessful logon attempts - Purge / wipe mobile device
The information system purges/wipes information from [Assignment: organisation-defined mobile devices] based on [Assignment: organisation-defined purging/wiping requirements/techniques] after [Assignment: organisation-defined number] consecutive, unsuccessful device logon attempts.
Unsuccessful logon attempts - Supplemental Guidance
This control enhancement applies only to mobile devices for which a logon occurs (e.g., personal digital assistants, smartphones, tablets). The logon is to the mobile device, not to any one account on the device. Therefore, a successful logon to any account on the mobile device resets the unsuccessful logon count to zero. Organisations carefully define the information to be purged/wiped, to avoid over-purging/wiping that may leave devices unusable. Purging/wiping may be unnecessary if the information on the device is protected with sufficiently strong encryption mechanisms.