BRACKETOLOGY | FEDRAMP
AC-7: UNSUCCESSFUL LOGON ATTEMPTS
FedRAMP Baseline Membership AC-7:
- LOW
- MODERATE
- HIGH
FedRAMP Bracketology
Use the FedRAMP Control Membership information above to determine whether a control or control enhancement is required for each Impact Baseline: LOW, MODERATE, or HIGH.
Click on the panel below each control or control enhancement to review the FedRAMP Impact Baseline-specific control configuration requirements for each of the [BRACKETS] in each control and/or control enhancement.
Review and use Additional Requirements and Guidance to build FedRAMP-compliant controls for your risk-based cybersecurity program.
To change the baseline view in the panel, click on LOW, MODERATE, or HIGH when the panel is open.
Panels only appear where there are [BRACKETS] in the control or enhancement or where FedRAMP-specific requirements or guidance are available.
The information system:
- a. Enforces a limit of [Assignment: organization-defined number] consecutive invalid logon attempts by a user during a [Assignment: organization-defined time period]; and
- b. Automatically [Selection: locks the account/node for an [Assignment: organization-defined time period]; locks the account/node until released by an administrator; delays next logon prompt according to [Assignment: organization-defined delay algorithm]] when the maximum number of unsuccessful attempts is exceeded.
FedRAMP control configuration (the baseline-specific values that fill the [BRACKETS] above):
LOW
AC-7 a.: Enforces a limit of not more than three (3) consecutive invalid logon attempts by a user during a fifteen (15) minute period; and
AC-7 b.: Automatically locks the account/node for thirty (30) minutes when the maximum number of unsuccessful attempts is exceeded.
MODERATE
AC-7 a.: Enforces a limit of not more than three (3) consecutive invalid logon attempts by a user during a fifteen (15) minute period; and
AC-7 b.: Automatically locks the account/node for thirty (30) minutes when the maximum number of unsuccessful attempts is exceeded.
HIGH
AC-7 a.: Enforces a limit of not more than three (3) consecutive invalid logon attempts by a user during a fifteen (15) minute period; and
AC-7 b.: Automatically locks the account/node for a minimum of three (3) hours or until unlocked by an administrator when the maximum number of unsuccessful attempts is exceeded.
SUPPLEMENTAL GUIDANCE
This control applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by information systems are usually temporary and automatically release after a predetermined time period established by organizations. If a delay algorithm is selected, organizations may choose to employ different algorithms for different information system components based on the capabilities of those components. Responses to unsuccessful logon attempts may be implemented at both the operating system and the application levels.
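The following Python module is an added example, not code from FedRAMP or from the Bracketology site, showing how the AC-7 parameters above translate into a lockout tracker. It encodes the page's values (three consecutive failures within fifteen minutes; a thirty-minute automatic lock for LOW and MODERATE; a three-hour lock or administrator release for HIGH) and exercises the edge cases the control and its guidance imply: failures older than the window no longer count as consecutive, a successful logon resets the run, an account that is locked refuses even a correct password, and the lock releases on its own so the lockout cannot become a permanent denial of service. Two choices are assumptions of this example rather than statements on the page: the lock is applied on the third failure (so a fourth guess is never evaluated), and administrator unlock is only enabled for the HIGH policy because that is the only baseline whose wording mentions it. The `LockoutTracker`, `LockoutPolicy` and `demo_scenarios` names are this example's own, and time is passed in explicitly so the behaviour is deterministic.

```python
from dataclasses import dataclass, field
from typing import Optional

# Outcomes returned by LockoutTracker.attempt() (names chosen for this example)
OK = "ok"                 # credentials valid, logon allowed, failure run reset
FAILED = "failed"         # credentials invalid, counted, account still usable
LOCKED = "locked"         # this failure reached the limit: account is now locked
DENIED = "denied_locked"  # account locked: refused without checking credentials


@dataclass(frozen=True)
class LockoutPolicy:
    max_attempts: int    # AC-7 a.: consecutive invalid attempts allowed in the window
    window_seconds: int  # AC-7 a.: period over which attempts are counted
    lock_seconds: int    # AC-7 b.: lock duration before automatic release
    admin_unlock: bool   # AC-7 b.: may an administrator release the lock early?


# FedRAMP parameter values as stated on the page: 3 attempts within 15 minutes.
LOW_MODERATE = LockoutPolicy(max_attempts=3, window_seconds=15 * 60,
                             lock_seconds=30 * 60, admin_unlock=False)
# HIGH: minimum three hours, or until unlocked by an administrator.
HIGH = LockoutPolicy(max_attempts=3, window_seconds=15 * 60,
                     lock_seconds=3 * 60 * 60, admin_unlock=True)


@dataclass
class _AccountState:
    failures: list = field(default_factory=list)  # timestamps of the current run of failures
    locked_until: Optional[float] = None          # epoch seconds; None when not locked


class LockoutTracker:
    """Per-account AC-7 state. 'now' is supplied by the caller (epoch seconds)."""

    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self._accounts: dict = {}

    def _state(self, account: str) -> _AccountState:
        return self._accounts.setdefault(account, _AccountState())

    def is_locked(self, account: str, now: float) -> bool:
        st = self._state(account)
        if st.locked_until is None:
            return False
        if now >= st.locked_until:  # automatic release after lock_seconds (no permanent DoS)
            st.locked_until = None
            st.failures.clear()
            return False
        return True

    def attempt(self, account: str, credentials_valid: bool, now: float) -> str:
        st = self._state(account)
        if self.is_locked(account, now):
            return DENIED  # credentials are not evaluated while locked, so nothing is counted
        if credentials_valid:
            st.failures.clear()  # a successful logon breaks the consecutive run
            return OK
        # Only failures inside the window count as consecutive "during the period"
        cutoff = now - self.policy.window_seconds
        st.failures = [t for t in st.failures if t > cutoff]
        st.failures.append(now)
        if len(st.failures) >= self.policy.max_attempts:  # assumed: lock on the third failure
            st.locked_until = now + self.policy.lock_seconds
            st.failures.clear()
            return LOCKED
        return FAILED

    def admin_unlock(self, account: str) -> bool:
        """Release a lock early; permitted only where the policy allows it."""
        if not self.policy.admin_unlock:
            return False
        st = self._state(account)
        st.locked_until = None
        st.failures.clear()
        return True


def demo_scenarios() -> dict:
    """Run constructed attempt sequences against the page's baselines; returns named results."""
    r = {}
    t = LockoutTracker(LOW_MODERATE)
    # three bad passwords within a minute: the third one locks for 30 minutes
    r["low_mod_lock_on_third"] = [t.attempt("alice", False, 0),
                                  t.attempt("alice", False, 20),
                                  t.attempt("alice", False, 40)]
    r["low_mod_denied_while_locked"] = t.attempt("alice", True, 60)  # correct password, still refused
    r["low_mod_released_after_30m"] = t.attempt("alice", True, 40 + 30 * 60)

    t = LockoutTracker(LOW_MODERATE)
    # two failures, a success, then two more failures: the success broke the run
    t.attempt("bob", False, 0); t.attempt("bob", False, 10); t.attempt("bob", True, 20)
    r["success_resets_count"] = [t.attempt("bob", False, 30), t.attempt("bob", False, 40)]

    t = LockoutTracker(LOW_MODERATE)
    # three failures spread over 16 minutes are not three within the 15-minute period
    t.attempt("carol", False, 0); t.attempt("carol", False, 8 * 60)
    r["outside_window_not_locked"] = t.attempt("carol", False, 16 * 60)

    t = LockoutTracker(HIGH)
    for ts in (0, 1, 2):
        t.attempt("dave", False, ts)
    r["high_locked_at_2h"] = t.is_locked("dave", 2 * 60 * 60)  # still inside the 3-hour minimum
    r["high_admin_unlock"] = t.admin_unlock("dave")            # administrator may release early
    r["high_after_admin_unlock"] = t.attempt("dave", True, 2 * 60 * 60 + 1)

    t = LockoutTracker(LOW_MODERATE)
    for ts in (0, 1, 2):
        t.attempt("erin", False, ts)
    r["low_mod_no_admin_unlock"] = t.admin_unlock("erin")  # not part of this baseline's wording
    return r
```

The tracker deliberately refuses a locked account before evaluating credentials, so a locked attempt neither leaks whether the password was right nor extends the lock; and because the lock always carries an expiry, the HIGH policy's "until unlocked by an administrator" is an early-release path rather than a way to lock an account indefinitely, which is the denial-of-service concern the supplemental guidance raises. Real deployments would persist `_AccountState` in a shared store and apply the same logic at the operating-system and application layers the guidance mentions.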
RELATED CONTROLS: AC-7
CONTROL ENHANCEMENTS
AC-7 (1) UNSUCCESSFUL LOGON ATTEMPTS | AUTOMATIC ACCOUNT LOCK
[Withdrawn: Incorporated into AC-7]. (See Above.)
AC-7 (2) UNSUCCESSFUL LOGON ATTEMPTS | PURGE/WIPE MOBILE DEVICE
FedRAMP Baseline Membership AC-7 (2):
- HIGH
The information system purges/wipes information from [Assignment: organization-defined mobile devices] based on [Assignment: organization-defined purging/wiping requirements/techniques] after [Assignment: organization-defined number] consecutive, unsuccessful device logon attempts.
FedRAMP control configuration (the baseline-specific values that fill the [BRACKETS] above):
LOW: There are no FedRAMP-specific requirements if this control is used for a Low Impact system.
MODERATE: There are no FedRAMP-specific requirements if this control is used for a Moderate Impact system.
HIGH: The information system purges/wipes information from mobile devices as defined by organization policy based on organization-defined purging/wiping requirements/techniques after three (3) consecutive, unsuccessful device logon attempts.
Supplemental Guidance:
This control enhancement applies only to mobile devices for which a logon occurs (e.g., personal digital assistants, smart phones, tablets). The logon is to the mobile device, not to any one account on the device. Therefore, successful logons to any accounts on mobile devices reset the unsuccessful logon count to zero. Organizations define information to be purged/wiped carefully in order to avoid over purging/wiping which may result in devices becoming unusable. Purging/wiping may be unnecessary if the information on the device is protected with sufficiently strong encryption mechanisms.
RELATED CONTROLS: AC-7 (2)
REFERENCES:
- NO REFERENCES