Control 3.1.8
Limit Unsuccessful Logon Attempts
Official Requirement
Limit unsuccessful logon attempts.
What This Means in Plain English
After a certain number of failed login attempts, the account should be locked or the login process should be slowed down. This prevents attackers from guessing passwords through brute force.
How Petronella Implements This Control
Petronella Technology Group implements this control through:
- Active Directory account lockout policy set to lock accounts after 5 failed attempts for 30 minutes
- Microsoft Entra ID Smart Lockout providing cloud-based brute force protection
- FortiGate VPN configuration with login attempt thresholds and IP blocking
- Arctic Wolf SIEM alerting on repeated failed logon attempts across systems
- CrowdStrike Falcon monitoring for credential stuffing and brute force attacks at the endpoint level
Assessment Guidance
Assessors will test account lockout by attempting multiple failed logins, verify lockout thresholds in Group Policy, check that lockout events are logged and alerted, and test VPN and remote access lockout settings.
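The detection logic behind the SIEM alerting bullet above and the "logged and alerted" assessment check, as an added example (not Petronella's tooling or code from this page): it replays constructed Windows Security log events through the same 5-failures-in-30-minutes threshold the page's Active Directory policy uses. Windows event IDs 4625 (failed logon) and 4624 (successful logon) are standard; the simplified one-line log format and all account names and addresses are constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Mirrors the AD lockout policy on this page: 5 failures within 30 minutes.
THRESHOLD = 5
WINDOW = timedelta(minutes=30)
# Constructed sample lines (timestamp, Windows event ID, account, source IP); not real data.
# 4625 = failed logon, 4624 = successful logon.
SAMPLE_LOG = """\
2024-01-15T09:00:01 4625 jdoe 10.0.0.25
2024-01-15T09:00:03 4625 jdoe 10.0.0.25
2024-01-15T09:00:04 4625 jdoe 10.0.0.25
2024-01-15T09:00:06 4625 jdoe 10.0.0.25
2024-01-15T09:00:07 4625 jdoe 10.0.0.25
2024-01-15T09:05:00 4625 asmith 10.0.0.40
2024-01-15T09:06:00 4625 asmith 10.0.0.40
2024-01-15T09:07:00 4625 asmith 10.0.0.40
2024-01-15T09:08:00 4624 asmith 10.0.0.40
2024-01-15T09:09:00 4625 asmith 10.0.0.40
2024-01-15T09:10:00 4625 asmith 10.0.0.40
2024-01-15T08:00:00 4625 bjones 10.0.0.77
2024-01-15T08:01:00 4625 bjones 10.0.0.77
2024-01-15T08:02:00 4625 bjones 10.0.0.77
2024-01-15T09:00:00 4625 bjones 10.0.0.77
2024-01-15T09:01:00 4625 bjones 10.0.0.77
"""

def parse_log(text):
    """Parse the constructed lines into (time, event_id, account, ip), oldest first."""
    events = []
    for line in text.splitlines():
        ts, event_id, account, ip = line.split()
        events.append((datetime.fromisoformat(ts), int(event_id), account, ip))
    return sorted(events, key=lambda e: e[0])

def detect_brute_force(events, threshold=THRESHOLD, window=WINDOW):
    """Return {account: time} for accounts whose failed logons reach `threshold`
    inside `window`. Failures older than `window` age out and a successful logon
    clears the count, like AD's lockout observation window. One alert per account."""
    recent = defaultdict(deque)
    alerts = {}
    for ts, event_id, account, _ip in events:
        fails = recent[account]
        if event_id == 4624:
            fails.clear()
        elif event_id == 4625:
            fails.append(ts)
            while ts - fails[0] > window:
                fails.popleft()
            if len(fails) >= threshold and account not in alerts:
                alerts[account] = ts
    return alerts
```

With the page's threshold only jdoe alerts (at the fifth failure); asmith's counter is cleared by the successful logon, and bjones's earlier failures have aged out of the 30-minute window by the time the later ones arrive.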
Common Implementation Gaps
- No account lockout policy configured in Active Directory
- VPN allowing unlimited login attempts
- Cloud applications without lockout thresholds
- No alerting on repeated failed logon events
- Lockout policy not applied consistently across all systems
Cross-Framework Mapping
| Framework | Mapped Controls |
|---|---|
| NIST SP 800-53 | AC-7 |
| HIPAA | 164.312(a)(1) - Access Control |
| PCI DSS | Req 8.1.6 - Lock out user ID after not more than six attempts |
Need Help Implementing 3.1.8?
Our CMMC-RP certified team can assess your current compliance posture and build a remediation plan.