MuonPartners

Strategic technology consulting for Australian organisations navigating complexity.
© 2026 Muon Partners. All rights reserved.

ABN 50 669 022 315 · A Muon Group company.

SP800-53-AC-7 (Active)

Unsuccessful Logon Attempts

Statement

a. Enforce a limit of [ac-07_odp.01: number] consecutive invalid logon attempts by a user during a [ac-07_odp.02: time period]; and
b. Automatically [ac-07_odp.03, one or more: lock the account or node for [ac-07_odp.04: time period]; lock the account or node until released by an administrator; delay next logon prompt per [ac-07_odp.05: delay algorithm]; notify system administrator; take other [ac-07_odp.06: action]] when the maximum number of unsuccessful attempts is exceeded.

Location

Control Family
Access Control

Control Details

Identifier
SP800-53-AC-7
Family
AC

Organisation-Defined Parameters

  • ac-07_odp.01: number (of consecutive invalid logon attempts)
  • ac-07_odp.02: time period (in which the attempts are counted)
  • ac-07_odp.03: selection, one or more of: lock the account or node for [ac-07_odp.04]; lock the account or node until released by an administrator; delay next logon prompt per [ac-07_odp.05]; notify system administrator; take other [ac-07_odp.06]
  • ac-07_odp.04: time period (duration of a temporary lock)
  • ac-07_odp.05: delay algorithm
  • ac-07_odp.06: action

Supplemental Guidance

The need to limit unsuccessful logon attempts and take subsequent action when the maximum number of attempts is exceeded applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by systems are usually temporary and automatically release after a predetermined, organization-defined time period. If a delay algorithm is selected, organizations may employ different algorithms for different components of the system based on the capabilities of those components. Responses to unsuccessful logon attempts may be implemented at the operating system and the application levels. Organization-defined actions that may be taken when the number of allowed consecutive invalid logon attempts is exceeded include prompting the user to answer a secret question in addition to the username and password, invoking a lockdown mode with limited user capabilities (instead of full lockout), allowing users to only logon from specified Internet Protocol (IP) addresses, requiring a CAPTCHA to prevent automated attacks, or applying user profiles such as location, time of day, IP address, device, or Media Access Control (MAC) address. If automatic system lockout or execution of a delay algorithm is not implemented in support of the availability objective, organizations consider a combination of other actions to help prevent brute force attacks. In addition to the above, organizations can prompt users to respond to a secret question before the number of allowed unsuccessful logon attempts is exceeded. Automatically unlocking an account after a specified period of time is generally not permitted. However, exceptions may be required based on operational mission or need.
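As an added illustration, not part of the control text or of this site's tooling, the following Python implements the enforcement the statement and guidance describe at the application level: a per-user count of consecutive invalid attempts inside the ac-07_odp.02 window, a temporary lock that releases after ac-07_odp.04 (or is held until an administrator clears it), an exponential-backoff delay algorithm for ac-07_odp.05, and an administrator notification as the ac-07_odp.06 action. The class, method and parameter names and the numeric values are this example's own choices, not values the control defines.

```python
"""Application-level enforcement of SP 800-53 AC-7 (added example, not NIST text).

ODP mapping used here (values are assumptions, not control-defined):
  ac-07_odp.01 number        -> Ac7Policy.max_attempts
  ac-07_odp.02 time period   -> Ac7Policy.window_seconds
  ac-07_odp.03 selection     -> lock + delay + notify, all three shown
  ac-07_odp.04 time period   -> Ac7Policy.lock_seconds (None = admin release only)
  ac-07_odp.05 delay algo    -> exponential backoff, capped
  ac-07_odp.06 action        -> the notify callback (alert an administrator)
"""
import math
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Ac7Policy:
    max_attempts: int = 5                  # ac-07_odp.01
    window_seconds: float = 900.0          # ac-07_odp.02
    lock_seconds: Optional[float] = 900.0  # ac-07_odp.04; None = until released by an administrator
    base_delay: float = 1.0                # ac-07_odp.05 backoff base
    max_delay: float = 60.0                # cap so the delay itself cannot become a denial of service


@dataclass
class _State:
    failures: List[float] = field(default_factory=list)  # timestamps of consecutive invalid attempts
    locked_until: Optional[float] = None  # None = not locked; math.inf = held until admin release


class LogonGuard:
    """Per-user tracking of invalid logons and the AC-7 response; clock is injected for testing."""

    def __init__(self, policy: Ac7Policy, notify: Callable[[str, str], None],
                 clock: Callable[[], float] = time.time):
        self.policy, self.notify, self.clock = policy, notify, clock
        self._users: Dict[str, _State] = {}

    def _state(self, user: str) -> _State:
        return self._users.setdefault(user, _State())

    def _prune(self, st: _State, now: float) -> None:
        # Only failures inside the ac-07_odp.02 window count as "consecutive".
        cutoff = now - self.policy.window_seconds
        st.failures = [t for t in st.failures if t > cutoff]

    def required_delay(self, user: str) -> float:
        """Delay algorithm (ac-07_odp.05): 0 after no failures, then base * 2**(n-1), capped."""
        st = self._state(user)
        self._prune(st, self.clock())
        n = len(st.failures)
        return 0.0 if n == 0 else min(self.policy.base_delay * 2 ** (n - 1), self.policy.max_delay)

    def is_locked(self, user: str) -> bool:
        st, now = self._state(user), self.clock()
        if st.locked_until is None:
            return False
        if now >= st.locked_until:
            st.locked_until = None  # temporary lock released automatically (ac-07_odp.04 elapsed)
            st.failures.clear()
            return False
        return True

    def attempt(self, user: str, credentials_valid: bool) -> str:
        """Process one logon attempt; returns 'ok', 'invalid' or 'locked'.

        The lock is checked before the credential verdict is used, so a locked
        account answers identically whether or not the password was right.
        """
        if self.is_locked(user):
            return "locked"
        st, now = self._state(user), self.clock()
        if credentials_valid:
            st.failures.clear()  # a successful logon ends the run of consecutive failures
            return "ok"
        self._prune(st, now)
        st.failures.append(now)
        if len(st.failures) >= self.policy.max_attempts:
            # ac-07_odp.03 selection: lock for ac-07_odp.04 (or until admin release) and notify.
            st.locked_until = math.inf if self.policy.lock_seconds is None else now + self.policy.lock_seconds
            self.notify(user, f"{len(st.failures)} consecutive invalid logons; account locked")
            return "locked"
        return "invalid"

    def admin_unlock(self, user: str) -> None:
        """Administrator release (the 'until released by an administrator' selection)."""
        st = self._state(user)
        st.locked_until, st.failures = None, []


def demo() -> tuple:
    """Drive the guard with a fake clock; returns (results, alerts)."""
    alerts, t = [], [1000.0]
    guard = LogonGuard(Ac7Policy(max_attempts=3, window_seconds=60, lock_seconds=120, base_delay=2, max_delay=30),
                       notify=lambda u, msg: alerts.append((u, msg)), clock=lambda: t[0])
    results = []
    for _ in range(3):                       # three bad passwords 5 s apart: third one locks
        results.append(guard.attempt("alice", False))
        t[0] += 5
    results.append(guard.attempt("alice", True))  # correct password, but still inside the lock
    t[0] += 120
    results.append(guard.attempt("alice", True))  # lock expired: logon succeeds
    return results, alerts
```

The temporary lock with automatic release follows the guidance's denial-of-service caveat; passing `lock_seconds=None` switches to the administrator-release selection. Whichever selection is used, call `required_delay()` before re-prompting so the delay algorithm applies as well, and keep the cap: an uncapped backoff lets an attacker deny service to a user with a handful of deliberate failures.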

Assessment Objective

a limit of [ac-07_odp.01: number] consecutive invalid logon attempts by a user during [ac-07_odp.02: time period] is enforced; automatically [ac-07_odp.03, one or more: lock the account or node for [ac-07_odp.04: time period]; lock the account or node until released by an administrator; delay next logon prompt per [ac-07_odp.05: delay algorithm]; notify system administrator; take other [ac-07_odp.06: action]] is performed when the maximum number of unsuccessful attempts is exceeded.
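An assessor checking this objective on a Linux host compares the organisation's ODP values with the effective pam_faillock settings. The following Python is an added example, not part of the control or of this site's tooling: it parses a constructed `faillock.conf`-style text (a real assessment reads /etc/security/faillock.conf and the PAM stack that loads the module), applies pam_faillock's documented defaults for absent keys, and reports per objective. The ODP target values passed in are assumptions for the example.

```python
"""Assess SP 800-53 AC-7 against a pam_faillock configuration (added example)."""
from typing import Dict, List, Tuple, Union

Settings = Dict[str, Union[str, bool]]

# Constructed sample; in practice read /etc/security/faillock.conf from the host.
SAMPLE_CONF = """\
# constructed faillock.conf for the example
deny = 5
fail_interval = 900
unlock_time = 900
audit
"""

# pam_faillock(8) defaults used when a key is absent from the file.
DEFAULTS = {"deny": "3", "fail_interval": "900", "unlock_time": "600"}


def parse_faillock(text: str) -> Settings:
    """Parse 'key = value' lines and bare flags (audit, silent, even_deny_root); '#' starts a comment."""
    settings: Settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            settings[key] = value
        else:
            settings[line] = True
    return settings


def assess_ac7(settings: Settings, odp_number: int, odp_window: int,
               odp_lock: int) -> List[Tuple[str, str, str]]:
    """Return (objective, status, detail) rows.

    odp_number = ac-07_odp.01, odp_window = ac-07_odp.02 in seconds,
    odp_lock = ac-07_odp.04 in seconds (the temporary-lock selection).
    """
    eff = {**DEFAULTS, **settings}
    deny, interval, unlock = int(eff["deny"]), int(eff["fail_interval"]), str(eff["unlock_time"])
    findings = [
        # (a) a limit of at most the ODP number is enforced
        ("AC-7(a) limit", "pass" if 0 < deny <= odp_number else "fail",
         f"deny={deny}, ODP number={odp_number}"),
        # (a) failures are counted over at least the ODP time period
        ("AC-7(a) time period", "pass" if interval >= odp_window else "fail",
         f"fail_interval={interval}s, ODP time period={odp_window}s"),
    ]
    if unlock in ("0", "never"):
        # unlock_time=0/never means the lock holds until an administrator resets it
        findings.append(("AC-7(b) response", "pass",
                         "lock until released by an administrator (unlock_time=never)"))
        findings.append(("availability caveat", "info",
                         "permanent lock: confirm an administrator release path (faillock --reset) exists"))
    else:
        secs = int(unlock)
        findings.append(("AC-7(b) response", "pass" if secs >= odp_lock else "fail",
                         f"temporary lock, unlock_time={secs}s, ODP time period={odp_lock}s"))
    return findings


if __name__ == "__main__":
    for name, status, detail in assess_ac7(parse_faillock(SAMPLE_CONF), 5, 900, 900):
        print(f"{status:5} {name}: {detail}")
```

The defaults matter: a host with no faillock.conf at all still locks after 3 failures for 600 s if the module is loaded, so the check must be paired with evidence that pam_faillock is actually in the auth and account stacks; a perfectly tuned file for a module PAM never calls is a finding, not a pass.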

ATT&CK

  • ATTACK-T1021.001 (Remote Services: Remote Desktop Protocol): related, via ctid-attack-to-sp800-53
  • ATTACK-T1078.002 (Valid Accounts: Domain Accounts): related, via ctid-attack-to-sp800-53
  • ATTACK-T1078.004 (Valid Accounts: Cloud Accounts): related, via ctid-attack-to-sp800-53
  • ATTACK-T1556.004 (Modify Authentication Process: Network Device Authentication): related, via ctid-attack-to-sp800-53
  • ATTACK-T1021 (Remote Services): related, via ctid-attack-to-sp800-53