NetStable
Level 2 AC.L2-3.1.8

Limit unsuccessful logon attempts

📖 What This Means

This practice requires organizations to set a limit on the number of unsuccessful login attempts a user can make before their account is locked or temporarily disabled. This helps prevent unauthorized access through brute force attacks, where attackers try multiple password combinations to gain entry. For example, if a user enters the wrong password five times in a row, their account will be locked for a specified period or until an administrator resets it. This control ensures that attackers cannot endlessly guess passwords, protecting sensitive systems and data. Think of it like a security guard stopping someone after too many failed attempts to unlock a door.
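The lockout behaviour described above, written out as an added Python example (not code from the NetStable page): a counter per account, a lock once the threshold is reached, and a release either after a fixed duration or only on administrator reset. The five-failure threshold, the 15-minute lockout, the 30-minute counter-reset window and the `_DEMO_USERS` credential store are all constructed assumptions; `lockout_seconds=None` models "locked until an administrator resets it".

```python
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class LockoutPolicy:
    threshold: int = 5                    # consecutive failures before lockout (assumed)
    lockout_seconds: Optional[int] = 900  # 15 minutes; None = locked until an admin resets
    reset_window_seconds: int = 1800      # failures older than this no longer count


@dataclass
class AccountState:
    failures: int = 0
    first_failure_at: float = 0.0
    locked_until: Optional[float] = None  # float("inf") models "admin reset required"


class LockoutGuard:
    """Wraps a password check with a per-account lockout counter.

    Time is passed in explicitly (seconds) so behaviour is deterministic and
    testable; a real deployment would read time.monotonic() instead.
    """

    def __init__(self, policy: LockoutPolicy, verify_password: Callable[[str, str], bool]):
        self.policy = policy
        self.verify_password = verify_password
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        # Unknown users get a counter too, so the response does not reveal
        # whether an account exists.
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user: str, now: float) -> bool:
        st = self._state(user)
        if st.locked_until is None:
            return False
        if now < st.locked_until:
            return True
        st.locked_until = None   # lockout expired: start with a clean counter
        st.failures = 0
        return False

    def attempt(self, user: str, password: str, now: float) -> str:
        """Returns 'ok', 'denied' (wrong password) or 'locked'."""
        st = self._state(user)
        if self.is_locked(user, now):
            return "locked"      # the password is not evaluated at all while locked
        if self.verify_password(user, password):
            st.failures = 0
            return "ok"
        # Start a new counting window on the first failure or once the
        # previous window has expired.
        if st.failures == 0 or now - st.first_failure_at > self.policy.reset_window_seconds:
            st.failures = 0
            st.first_failure_at = now
        st.failures += 1
        if st.failures >= self.policy.threshold:
            st.locked_until = (float("inf") if self.policy.lockout_seconds is None
                               else now + self.policy.lockout_seconds)
            return "locked"
        return "denied"

    def admin_unlock(self, user: str) -> None:
        self.accounts[user] = AccountState()


# Constructed credential store for the demo only (a real system stores hashes).
_DEMO_USERS = {"alice": "correct horse battery staple"}


def demo_verify(user: str, password: str) -> bool:
    stored = _DEMO_USERS.get(user)
    return stored is not None and hmac.compare_digest(stored.encode(), password.encode())


def demo() -> List[str]:
    """Five wrong passwords lock the account; the right one is refused until the lockout ends."""
    guard = LockoutGuard(LockoutPolicy(), demo_verify)
    outcomes = [guard.attempt("alice", "wrong", now=t) for t in range(5)]
    outcomes.append(guard.attempt("alice", "correct horse battery staple", now=5))
    outcomes.append(guard.attempt("alice", "correct horse battery staple", now=5 + 900))
    return outcomes


if __name__ == "__main__":
    print(demo())
```

Two details matter in practice: a locked account rejects even the correct password, so an attacker gains no signal from the lock, and the counter is kept for names that do not exist so that a "locked" versus "denied" response does not leak which accounts are real.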

🎯 Why It Matters

Unlimited login attempts make systems vulnerable to brute force attacks, where attackers systematically guess passwords until they find the correct one. For instance, in 2019, a brute force attack on a major retailer’s remote access system led to a data breach affecting millions of customers. Such breaches can result in significant financial losses, reputational damage, and regulatory penalties. From a DoD/CMMC perspective, limiting login attempts is critical to safeguarding Controlled Unclassified Information (CUI) and ensuring compliance with cybersecurity standards. This practice mitigates the risk of unauthorized access, protecting sensitive data from exploitation.

✅ How to Implement

  1. For AWS: Use IAM policies to configure account lockout thresholds in AWS Organizations.
  2. For Azure: Set account lockout policies in Azure Active Directory under Password Reset settings.
  3. For GCP: Configure account lockout thresholds using Identity and Access Management (IAM) settings.
  4. Enable Multi-Factor Authentication (MFA) to add an extra layer of security.
  5. Monitor login attempts using cloud-native logging tools like AWS CloudTrail or Azure Monitor.
  6. Automate account lockout notifications to administrators using cloud-native alerting systems.
  7. Regularly review and update lockout policies to align with organizational security requirements.
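Steps 5 and 6 above (monitor login attempts, automate lockout notifications) as an added Python example rather than tooling from the page or any vendor: it reads a CSV export of authentication events, flags any account whose failures inside a sliding window reach the lockout threshold, turns explicit lockout events into administrator notifications, and also flags one source failing against several distinct accounts, a pattern a per-account threshold alone does not catch. The CSV layout (`timestamp,event,user,source_ip`), the event names, the `SAMPLE_CSV` rows and the thresholds are all constructed for this example.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List

THRESHOLD = 5                    # failures per account, matching the lockout policy (assumed)
WINDOW = timedelta(minutes=30)   # sliding window over which failures are counted (assumed)
SPRAY_MIN_ACCOUNTS = 3           # distinct accounts failing from one source (assumed)

# Constructed sample export in the format this example assumes:
# timestamp (ISO-8601 UTC), event, user, source_ip.
SAMPLE_CSV = """\
timestamp,event,user,source_ip
2024-03-01T09:00:01Z,login_failed,alice,203.0.113.7
2024-03-01T09:00:05Z,login_failed,alice,203.0.113.7
2024-03-01T09:00:09Z,login_failed,alice,203.0.113.7
2024-03-01T09:00:14Z,login_failed,alice,203.0.113.7
2024-03-01T09:00:20Z,login_failed,alice,203.0.113.7
2024-03-01T09:00:20Z,account_locked,alice,203.0.113.7
2024-03-01T09:10:00Z,login_failed,bob,192.0.2.44
2024-03-01T11:00:00Z,login_failed,bob,192.0.2.44
2024-03-01T11:05:00Z,login_success,bob,192.0.2.44
2024-03-01T12:00:00Z,login_failed,carol,198.51.100.9
2024-03-01T12:00:03Z,login_failed,dave,198.51.100.9
2024-03-01T12:00:06Z,login_failed,erin,198.51.100.9
"""


def parse_events(text: str) -> List[Dict]:
    """Parses the CSV export and returns the events in time order."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(row)
    events.sort(key=lambda e: e["timestamp"])   # stable: same-second rows keep file order
    return events


def analyze(events: List[Dict], threshold: int = THRESHOLD, window: timedelta = WINDOW,
            spray_min: int = SPRAY_MIN_ACCOUNTS) -> List[Dict]:
    alerts = []
    recent = defaultdict(deque)   # user -> timestamps of failures inside the window
    alerted = set()               # users already reported; cleared by a successful login
    spray = defaultdict(set)      # source_ip -> accounts that failed from it
    for ev in events:
        user, ts, src = ev["user"], ev["timestamp"], ev["source_ip"]
        if ev["event"] == "login_failed":
            q = recent[user]
            q.append(ts)
            while ts - q[0] > window:   # drop failures that fell out of the window
                q.popleft()
            spray[src].add(user)
            if len(q) >= threshold and user not in alerted:
                alerted.add(user)
                alerts.append({"type": "threshold_reached", "user": user,
                               "at": ts, "failures": len(q)})
        elif ev["event"] == "login_success":
            recent[user].clear()
            alerted.discard(user)
        elif ev["event"] == "account_locked":
            # A lockout recorded by the system becomes an administrator notification.
            alerts.append({"type": "lockout_notification", "user": user,
                           "at": ts, "source_ip": src})
    for src, users in spray.items():
        if len(users) >= spray_min:
            alerts.append({"type": "multi_account_failures", "source_ip": src,
                           "accounts": sorted(users)})
    return alerts


def summarize(text: str) -> List[Dict]:
    return analyze(parse_events(text))


if __name__ == "__main__":
    for alert in summarize(SAMPLE_CSV):
        print(alert)
```

On the sample data, bob's two failures two hours apart never reach the threshold and are cleared by his later success, while alice produces both a threshold alert and a lockout notification and the third source is reported for touching three accounts. The per-account and per-source views together are what the monthly "Failed Login Attempt Logs" evidence should be able to show.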
⏱️ Estimated Effort

Implementation typically takes 2-3 hours for cloud environments and 4-6 hours for on-premise systems, depending on complexity. Requires intermediate IT skills.

📋 Evidence Examples

Account Lockout Policy Document

Format: PDF or Word
Frequency: Annually or after significant changes.
Contents: Detailed policy outlining lockout thresholds, durations, and procedures.
Collection: Export from policy management system.

Configuration Screenshots

Format: PNG or JPEG
Frequency: After initial setup and after changes.
Contents: Screenshots of lockout settings in AWS IAM, Azure AD, or Active Directory.
Collection: Capture from admin consoles.

Failed Login Attempt Logs

Format: CSV or TXT
Frequency: Monthly.
Contents: Logs showing failed login attempts and lockout events.
Collection: Export from cloud or on-premise logging tools.

Testing Results

Format: Excel or PDF
Frequency: Quarterly.
Contents: Documentation of testing lockout functionality.
Collection: Conduct tests and record results.

Training Records

Format: Excel or PDF
Frequency: Annually.
Contents: Records of employee training on recognizing suspicious login activity.
Collection: Maintain in HR or training management system.

πŸ“ SSP Guidance

Use this guidance when writing the System Security Plan (SSP) narrative for this control.

How to Write the SSP Narrative

For AC.L2-3.1.8 ("Limit unsuccessful logon attempts"), your SSP narrative should specifically describe: (1) the tools and technologies you use to implement this control, (2) the configuration or process that enforces it, (3) who is responsible for maintaining it, and (4) what evidence proves it's working. Describe how access to CUI systems is controlled, including the specific IAM tools, policies, and processes used. Reference your Access Control Policy and identify the systems in scope. Be specific -- name your actual products, settings, and responsible personnel.

Example SSP Narratives

Cloud (Azure/AWS)

"AC.L2-3.1.8 is implemented using cloud-native controls. [Organization] uses [specific cloud service/feature] to limit unsuccessful logon attempts. The configuration is managed through [Azure Policy/AWS Config/Terraform] and monitored via [SIEM tool]. Responsible party: [IT Security Manager]. Evidence: [specific artifact, e.g., 'Azure AD Conditional Access policy screenshot, CloudTrail logs']."

On-Premise

"AC.L2-3.1.8 is implemented through on-premise infrastructure controls. [Organization] uses [Active Directory/Group Policy/specific tool] to limit unsuccessful logon attempts. Configuration is documented in [location] and audited [frequency]. Responsible party: [System Administrator]. Evidence: [specific artifact, e.g., 'Group Policy export, Windows Event logs']."

Hybrid

"AC.L2-3.1.8 is implemented across both cloud and on-premise environments. [Organization] uses [Azure AD Connect/hybrid tool] to ensure consistent enforcement. Cloud resources are managed via [cloud tool] and on-premise systems via [on-prem tool]. Both environments report to [centralized SIEM]. Responsible party: [IT Director]. Evidence: [artifacts from both environments]."

System Boundary Considerations

  • Identify all access points to CUI systems (VPN, direct network, cloud portals)
  • Document which IAM system manages access (Azure AD, AWS IAM, on-prem AD)
  • Map user roles to system access levels
  • Ensure this control covers all systems within your defined CUI boundary where limiting unsuccessful logon attempts applies
  • Document any systems where this control is not applicable and explain why

Key Documentation to Reference in SSP

  • 📄 Access Control Policy
  • 📄 IAM configuration documentation
  • 📄 Access request and approval records
  • 📄 Evidence artifacts specific to AC.L2-3.1.8
  • 📄 POA&M entry if control is not fully implemented

What the Assessor Looks For

The assessor will verify that access controls are implemented as described, test whether unauthorized users are blocked, and review access logs for evidence of enforcement.

💬 Self-Assessment Questions

Use these questions to assess your compliance. Each "NO" answer provides specific remediation guidance.

Question 1: Have you configured account lockout thresholds in your systems?

✅ YES → Proceed to Q2.
❌ NO → GAP: Configure lockout thresholds using Active Directory or cloud IAM settings. Complete within 1 week.
Remediation:
Follow step-by-step instructions in your system’s admin guide.

Question 2: Are failed login attempts logged and monitored?

✅ YES → Proceed to Q3.
❌ NO → GAP: Enable logging in AWS CloudTrail, Azure Monitor, or Windows Event Viewer. Complete within 1 week.
Remediation:
Consult your logging tool’s documentation for setup instructions.

Question 3: Is MFA enabled for sensitive accounts?

✅ YES → Proceed to Q4.
❌ NO → GAP: Implement MFA using Duo Security or Microsoft Authenticator. Complete within 2 weeks.
Remediation:
Follow the vendor’s setup guide.

Question 4: Are lockout policies reviewed and updated regularly?

✅ YES → Proceed to Q5.
❌ NO → GAP: Schedule annual reviews and updates of lockout policies. Complete within 1 month.
Remediation:
Add a recurring task to your IT calendar.

Question 5: Are employees trained to recognize suspicious login activity?

✅ YES → You are fully compliant.
❌ NO → GAP: Conduct training sessions and maintain records. Complete within 1 month.
Remediation:
Use a training management system to track completion.

⚠️ Common Mistakes (What Auditors Flag)

1. Not setting lockout thresholds.

Why this happens: Overlooking the importance of brute force protection.
How to avoid: Configure lockout thresholds during initial system setup.

2. Failing to monitor failed login attempts.

Why this happens: Logging tools are not enabled or configured.
How to avoid: Enable and regularly review logs using cloud or on-premise tools.

3. Not implementing MFA.

Why this happens: Perceived complexity or lack of awareness.
How to avoid: Use user-friendly MFA tools and provide training.

4. Inconsistent lockout policies across systems.

Why this happens: Lack of centralized policy management.
How to avoid: Use tools like Azure AD Connect to synchronize policies.

5. Inadequate documentation.

Why this happens: Focusing only on implementation, not documentation.
How to avoid: Maintain detailed records of policies, configurations, and tests.
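Mistake 4 (inconsistent lockout policies across systems) is the one an assessor can catch by comparing settings side by side, so here is an added Python check for it, not tooling from the page: each system's reported lockout settings are compared against one organizational baseline, using Windows account-lockout semantics where a threshold of 0 disables lockout entirely and a duration of 0 means "locked until an administrator unlocks". The `BASELINE` values and the `SYSTEMS` inventory are constructed for this example; the system names do not refer to any real product's defaults.

```python
from typing import Dict, List

# Assumed organizational baseline (constructed): lock after at most 5 failures,
# keep the account locked at least 15 minutes, and keep counting failures for
# at least 15 minutes before the counter resets.
BASELINE = {"max_threshold": 5, "min_duration_min": 15, "min_reset_min": 15}

# Constructed inventory of what each system currently reports, normalized to
# Windows account-lockout semantics:
#   threshold    0 = lockout disabled
#   duration_min 0 = locked until an administrator unlocks the account
#   reset_min    minutes of quiet before the failure counter resets
SYSTEMS = {
    "onprem-ad":   {"threshold": 5,  "duration_min": 15, "reset_min": 15},
    "cloud-idp":   {"threshold": 10, "duration_min": 1,  "reset_min": 1},
    "vpn-gateway": {"threshold": 0,  "duration_min": 0,  "reset_min": 0},
    "legacy-erp":  {"threshold": 3,  "duration_min": 0,  "reset_min": 30},
}


def check_system(settings: Dict[str, int], baseline: Dict[str, int] = BASELINE) -> List[str]:
    """Returns the ways one system's settings fall short of the baseline."""
    findings = []
    t, d, r = settings["threshold"], settings["duration_min"], settings["reset_min"]
    if t == 0:
        return ["lockout disabled (threshold 0)"]   # nothing else matters
    if t > baseline["max_threshold"]:
        findings.append(f"threshold {t} exceeds baseline {baseline['max_threshold']}")
    # duration 0 (admin unlock only) is stricter than any timed lockout, so it passes
    if d != 0 and d < baseline["min_duration_min"]:
        findings.append(f"lockout duration {d} min below baseline {baseline['min_duration_min']}")
    if r < baseline["min_reset_min"]:
        findings.append(f"reset window {r} min below baseline {baseline['min_reset_min']}")
    # Windows requires the reset window to be no longer than a timed lockout duration
    if d != 0 and r > d:
        findings.append(f"reset window {r} min longer than lockout duration {d} min")
    return findings


def audit(systems: Dict[str, Dict[str, int]] = SYSTEMS,
          baseline: Dict[str, int] = BASELINE) -> Dict[str, List[str]]:
    """Returns only the systems that deviate from the baseline, with their findings."""
    report = {}
    for name, settings in systems.items():
        findings = check_system(settings, baseline)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit().items():
        print(name)
        for f in findings:
            print("  -", f)
```

Run against the inventory, the on-premises directory and the admin-unlock-only ERP pass, the gateway is reported as having lockout switched off, and the cloud identity provider gets three separate findings. Keeping the normalized inventory and the report together is a straightforward way to produce the "Configuration Screenshots" and "Testing Results" evidence for several systems at once.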

📚 Parent Policy

This practice is governed by the Access Control Policy

View AC Policy →

📚 Related Controls