AC-7—Unsuccessful Logon Attempts
>Control Description
Enforce a limit of ⚙organization-defined number consecutive invalid logon attempts by a user during a ⚙organization-defined time period; and
Automatically [Selection (one or more): lock the account or node for an ⚙organization-defined time period; lock the account or node until released by an administrator; delay next logon prompt per ⚙organization-defined delay algorithm; notify system administrator; take other ⚙organization-defined action] when the maximum number of unsuccessful attempts is exceeded.
>FedRAMP Baseline Requirements
Additional Requirements and Guidance
AC-7 Requirement: In alignment with NIST SP 800-63B
>Discussion
The need to limit unsuccessful logon attempts and take subsequent action when the maximum number of attempts is exceeded applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by systems are usually temporary and automatically release after a predetermined, organization-defined time period. If a delay algorithm is selected, organizations may employ different algorithms for different components of the system based on the capabilities of those components.
Responses to unsuccessful logon attempts may be implemented at the operating system and the application levels. Organization-defined actions that may be taken when the number of allowed consecutive invalid logon attempts is exceeded include prompting the user to answer a secret question in addition to the username and password, invoking a lockdown mode with limited user capabilities (instead of full lockout), allowing users to only logon from specified Internet Protocol (IP) addresses, requiring a CAPTCHA to prevent automated attacks, or applying user profiles such as location, time of day, IP address, device, or Media Access Control (MAC) address. If automatic system lockout or execution of a delay algorithm is not implemented in support of the availability objective, organizations consider a combination of other actions to help prevent brute force attacks.
In addition to the above, organizations can prompt users to respond to a secret question before the number of allowed unsuccessful logon attempts is exceeded. Automatically unlocking an account after a specified period of time is generally not permitted. However, exceptions may be required based on operational mission or need.
>Cross-Framework Mappings
>Programmatic Queries
Related Services
CLI Commands
aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=ConsoleLogin --query 'Events[?contains(CloudTrailEvent, `"responseElements":{"ConsoleLogin":"Failure"}`)]'aws cloudwatch describe-alarms --alarm-name-prefix 'FailedLogin'aws iam generate-credential-report && aws iam get-credential-reportaws logs filter-log-events --log-group-name CloudTrail/logs --filter-pattern '{ $.errorCode = "*UnauthorizedAccess*" }'>Relevant Technologies
Technology-specific guidance with authoritative sources and verification commands.
>Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- •What formal policies and procedures govern the implementation of AC-7 (Unsuccessful Logon Attempts)?
- •Who are the designated roles responsible for implementing, maintaining, and monitoring AC-7?
- •How frequently is the AC-7 policy reviewed and updated, and what triggers policy changes?
- •What training or awareness programs ensure personnel understand their responsibilities related to AC-7?
Technical Implementation:
- •Describe the specific technical mechanisms or controls used to enforce AC-7 requirements.
- •What automated tools, systems, or technologies are deployed to implement AC-7?
- •How is AC-7 integrated into your system architecture and overall security posture?
- •What configuration settings, parameters, or technical specifications enforce AC-7 requirements?
Evidence & Documentation:
- •What documentation demonstrates the complete implementation of AC-7?
- •What audit logs, records, reports, or monitoring data validate AC-7 compliance?
- •Can you provide evidence of periodic reviews, assessments, or testing of AC-7 effectiveness?
- •What artifacts would you present during a FedRAMP assessment to demonstrate AC-7 compliance?
Ask AI
Configure your API key to use AI features.