GRCWatch
Sign inStart free trial

AC.L2-3.1.8: Limit Unsuccessful Logon Attempts

Unsuccessful login attempt controls are a critical defense against credential-based attacks on your systems. CMMC AC.L2-3.1.8 requires organizations to implement policies and technical controls that limit and respond to repeated failed authentication attempts. This control protects your most sensitive data by making it harder for attackers to breach user accounts.

What this means

This control requires you to establish and enforce limits on unsuccessful login attempts to prevent brute-force attacks. When a user fails to authenticate within a defined threshold, the system must take action—typically by locking the account, introducing delays, or triggering alerts. The goal is to make credential compromise attacks impractical while maintaining a reasonable user experience for legitimate users.

How to comply

  1. 1.Define a maximum number of consecutive failed login attempts (typically 3-5 attempts) before account lockout
  2. 2.Configure automatic account lockout or temporary suspension after threshold is exceeded
  3. 3.Set a lockout duration (e.g., 15-30 minutes) or require administrative intervention to unlock accounts
  4. 4.Implement progressive delays between login attempts to slow down automated attacks
  5. 5.Log all failed authentication attempts with timestamps and source IP addresses
  6. 6.Configure alerts or notifications when failed attempts reach suspicious levels
  7. 7.Document your authentication failure policy and communicate it to all users
  8. 8.Test lockout mechanisms regularly to ensure they function as intended
  9. 9.Review and adjust thresholds based on your organization's risk tolerance and user base

Evidence auditors look for

  • Documented authentication policy specifying unsuccessful login attempt limits and lockout procedures
  • System configuration screenshots showing failed login thresholds and lockout settings
  • Authentication logs demonstrating account lockouts triggered by exceeded failed attempts
  • Alert reports showing security notifications generated for suspicious login activity
  • User communication materials explaining account lockout policies and unlock procedures
  • System audit trails showing progressive login delays or CAPTCHA enforcement after failed attempts
  • Evidence of policy testing and validation of lockout mechanisms
  • Baseline configuration documentation for all systems enforcing login attempt limits

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automatically collects and correlates authentication logs across your infrastructure, flagging failed login patterns in real-time and generating audit-ready evidence that your unsuccessful login attempt controls are functioning as designed.

See how GRCWatch handles this control automatically

Start free trial

Related controls

AC.L2-3.1.1 Authorized AccessAC.L2-3.1.5 Password ManagementAC.L1-3.1.2 User Registration and De-registrationSI.L2-3.14.1 Information System Monitoring