Applicable

(Y)es / (N)o

(C)onfidentiality

(I)ntegrity

(A)vailability

RPN

(C+I+A)

(S)atisfactory

L1

M2

H3

L1

M2

H3

L1

M2

H3

(O)ther than satisfactory +##

ac-7

unsuccessful login attempts

assessment objective:

Determine if:

ac-7(a)

ac-7(a)[1]

the organization defines the number of consecutive invalid logon attempts allowed to the information system by a user during an organization-defined time period;

ac-7(a)[2]

the organization defines the time period allowed by a user of  the information system for an organization-defined number of consecutive invalid logon attempts;

ac-7(a)[3]

the information system enforces a limit of organization-defined number of consecutive invalid logon attempts by a user during an organization-defined time period;

ac-7(b)

ac-7(b)[1]

the organization defines account/node lockout time period or logon delay algorithm to be automatically enforced by the information system when the maximum number of unsuccessful logon attempts is exceeded;

ac-7(b)[2]

the information system, when the maximum number of unsuccessful logon attempts is exceeded, automatically:

ac-7(b)[2][a]

locks the account/node for the organization-defined time period;

ac-7(b)[2][b]

locks the account/node until released by an administrator; or

ac-7(b)[2][c]

delays next logon prompt according to the organization-defined delay algorithm.

potential assessment methods and objects:

Examine: [select from: Access control policy; procedures addressing unsuccessful logon attempts; security plan; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].

Interview: [select from: Organizational personnel with information security responsibilities; system developers; system/network administrators].

Test: [select from: Automated mechanisms implementing access control policy for unsuccessful logon attempts].