Reference: CMMC 2.0
Level Introduced: 2
Title: Unsuccessful Logon Attempts
Limit unsuccessful logon attempts.
Consecutive, unsuccessful logon attempts may indicate malicious activity. You can mitigate these types of attacks by limiting the number of unsuccessful logon attempts. There are many ways to do this. Having three consecutive, unsuccessful logon attempts is a common setting. Organizations should set this number at a level that fits their risk profile. Fewer unsuccessful attempts provide higher security.
After the system locks an account, it has several options to unlock it. The most common is to keep the account locked for a predefined time. After that time, the account unlocks. Another option is to keep the account locked until an administrator unlocks it.
You attempt to log on to your work computer. You mistype your password three times in a row. You call your IT help desk or administrator. The administrator tells you your account is locked. He explains that all passwords lock after three unsuccessful logon attempts. This limits the effectiveness of brute-force and other password attacks. He tells you he can unlock it, or you can wait five minutes and the account will unlock automatically.