GRCWatch
Sign inStart free trial

NIST 800-171 Control 3.1.8: Limit Unsuccessful Logon Attempts

Control 3.1.8 requires organizations to restrict unauthorized access attempts by limiting unsuccessful logon tries. This foundational access control prevents brute-force attacks and credential guessing while maintaining usability. For SMBs handling controlled unclassified information, implementing this control reduces breach risk and demonstrates security maturity to auditors.

What this means

This control mandates that systems automatically restrict further logon attempts after a defined number of failures within a specified timeframe. Common implementations include account lockouts (temporary or permanent), progressive delays between attempts, or CAPTCHA challenges. The goal is to make brute-force attacks impractical while allowing legitimate users to retry after a cooldown period. Organizations must balance security with user experience—locking accounts too aggressively creates support burden, while loose thresholds leave systems vulnerable.

How to comply

  1. 1.Define unsuccessful logon attempt thresholds (e.g., 3-5 failed attempts within 15 minutes)
  2. 2.Configure automatic account lockouts or login delays after threshold is exceeded
  3. 3.Set lockout duration (e.g., 15-30 minutes) or require administrator intervention to unlock
  4. 4.Implement progressive delays—increasing wait time between each failed attempt
  5. 5.Log all failed logon attempts with timestamp, user ID, and source IP for audit trail
  6. 6.Apply controls to all systems with user authentication (applications, databases, infrastructure)
  7. 7.Test lockout mechanisms to ensure they function and don't block legitimate access
  8. 8.Document the policy, thresholds, and enforcement methods in your security procedures

Evidence auditors look for

  • System access control policy specifying unsuccessful logon limits per application
  • Screenshots of account lockout settings in Active Directory, VPN, or cloud platforms
  • Logon failure reports from security information and event management (SIEM) tools
  • Authentication system configuration files showing failed attempt thresholds
  • User notification templates for account lockouts sent to helpdesk
  • Audit logs showing enforcement of lockout rules over 30-day period
  • Test results documenting lockout triggers and duration validation

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automatically monitors failed logon attempts across your systems, logs them for audit evidence, and alerts you when thresholds are exceeded—eliminating manual log reviews and reducing compliance review cycles.

See how GRCWatch handles this control automatically

Start free trial

Related controls

3.1.1 — Authorized Access3.1.2 — System Access Control3.1.5 — Access Control for Privileged Accounts3.1.11 — Session Lock and Termination3.2.1 — User Identification and Authentication