3.1.8 — Lock After Failed Logins

The One-Liner

Pick a number (3-5 failed attempts is standard), configure the lockout everywhere, and prove it works.

What It Says

Limit unsuccessful logon attempts.

What It Actually Means

Straightforward: after a defined number of failed login attempts, the account locks. The attacker can’t keep guessing.

Three decisions to make:

1. How many attempts? 3-5 is standard
2. How long is the lockout? 15-30 minutes, or until an admin unlocks it
3. Does it apply everywhere? Workstations, VPN, cloud apps, remote desktop — all of them

The key word is everywhere. If lockout is configured on Active Directory but not on VPN or cloud apps, you have a gap.

---

Pass or Fail

Your assessor needs a “yes” to every row:

#	Question	What “yes” looks like
1	Is a lockout threshold defined?	A documented number of failed attempts that triggers lockout
2	Is the lockout implemented?	The system actually locks accounts — across all access methods

---

What to Have Ready on Assessment Day

Documents they’ll review: Access control policy, unsuccessful logon procedures, system security plan, system configuration settings, audit logs showing lockout events

People they’ll talk to: Information security staff, system developers, sysadmins

Live demos they’ll ask for: “Type the wrong password [X] times in a row — show me the account locks.”

---

The Assessor’s Playbook

These are the actual questions. Have answers ready.

• “What is your defined threshold for unsuccessful logon attempts?”
• “Is the lockout mechanism implemented and does it use the defined threshold?”
• “Does the lockout apply to all access methods — local, remote, VPN, cloud?”
• “Show me the configuration setting.”

Real-World Example

A contractor configures Entra ID Smart Lockout at 5 failed attempts with a 30-minute lockout. On-premise AD is set to the same threshold via Group Policy. VPN authentication inherits the same Entra ID lockout. The assessor asks for a demo — the IT admin types the wrong password 5 times and shows the lockout message.

---

Where Companies Trip Up

Inconsistent across systems. Lockout on AD but not on VPN, cloud apps, or local accounts.

No lockout at all. Some systems default to unlimited attempts. Check every system.

Threshold too high. 20 failed attempts before lockout gives attackers 20 password guesses.

---

How to Talk About This

To a CEO or Board

Accounts lock after three failed login attempts — across all our systems. It’s basic, it blocks brute-force attacks, and we can show it’s configured consistently everywhere.

To an Engineering Team

Entra ID Smart Lockout at 5 attempts, 30-minute duration. Synced with on-prem AD via GPO. VPN inherits Entra lockout. All lockout events logged in Sentinel.

---

Connected Requirements

Requirement	Why it matters here
3.1.1 — Who Gets In	Foundational access control
3.5.3 — Multifactor Auth	MFA makes brute-force much harder even without lockout

---

Implementation (coming soon)

Step-by-step setup for Microsoft 365 / Entra ID, AWS, Azure, and GCP — console steps, CLI commands, and evidence screenshots.

---

CMMC Practice ID: AC.L2-3.1.8 | SPRS Weight: 1 point | POA&M Eligible: Yes