AC.L2-3.1.8 — Limit unsuccessful logon attempts.
What this control requires
Limit unsuccessful logon attempts.
Source: CMMC L2 v2.13 AC.L2-3.1.8 / NIST SP 800-171 R2 3.1.8 (official control text).
Why this matters
Without a limit on failed logons, an adversary can guess passwords online as fast as the system answers, and a brute-force run against a single account is only a matter of time. Enforcing a threshold, commonly three to five consecutive failures before the account locks, caps the rate at which any one account can be guessed and makes single-account brute force impractical. The requirement applies to user accounts, privileged admin consoles and application interfaces alike, and to local as well as network logons. Lockouts are normally temporary and release automatically after a period the organization sets (a delay algorithm): a legitimate user who mistypes regains access after the cooling-off period, while a permanent lockout would let an attacker deny service to any user simply by entering wrong passwords for them. Two caveats a practitioner should keep in mind: the threshold does little against credential stuffing (one leaked password per account) or password spraying (a few common passwords across many accounts), both of which stay under the limit, so failure patterns still need to be monitored across accounts; and a correct password submitted while the account is locked must also be refused, otherwise the lockout itself confirms which guess was right.
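The mechanism described above, as an added example that is neither the control text's nor FORCE's code: a per-account failure counter with an assumed threshold of five failures inside a fifteen-minute window and a temporary lockout that releases by itself. The account name, password and attempt sequence are constructed for the demo; the thresholds are assumptions the organization would set. A correct password during the lockout window is still refused, so the lockout does not confirm a lucky guess, and a successful logon resets the counter.

```python
"""Limit unsuccessful logon attempts: threshold plus temporary, self-releasing lockout.

Added illustration, not code from the control text or from FORCE. The threshold,
failure window and lockout duration are assumed values; the control leaves them
to the organization.
"""
from collections.abc import Callable
from dataclasses import dataclass, field
import hmac

MAX_FAILURES = 5            # assumed threshold: the fifth consecutive failure locks the account
FAILURE_WINDOW_S = 15 * 60  # assumed: failures older than this no longer count
LOCKOUT_S = 15 * 60         # assumed: lockout releases automatically after this long


@dataclass
class AccountState:
    failures: list[float] = field(default_factory=list)  # timestamps of recent failures
    locked_until: float = 0.0                            # 0 means not locked


class LogonLimiter:
    def __init__(self, credentials: dict[str, str], now: Callable[[], float]):
        self._creds = credentials   # constructed sample store; a real system stores salted hashes
        self._now = now             # injectable clock so the demo can advance time
        self._state: dict[str, AccountState] = {}

    def attempt(self, user: str, password: str) -> str:
        """Process one logon attempt; returns 'ok', 'denied' or 'locked'."""
        now = self._now()
        st = self._state.setdefault(user, AccountState())

        if now < st.locked_until:
            # Refuse without checking the password: if a locked account accepted a
            # correct guess, the lockout would tell the attacker which guess was right.
            return "locked"

        expected = self._creds.get(user)
        if expected is not None and hmac.compare_digest(expected.encode(), password.encode()):
            st.failures.clear()     # a successful logon resets the counter
            return "ok"

        # Count this failure (unknown usernames are counted too), forgetting
        # failures that fall outside the window.
        st.failures = [t for t in st.failures if now - t < FAILURE_WINDOW_S] + [now]
        if len(st.failures) >= MAX_FAILURES:
            st.locked_until = now + LOCKOUT_S   # temporary: no admin action needed to release
            st.failures.clear()
            return "locked"
        return "denied"


def demo() -> list[str]:
    """Constructed attempt sequence against a fake clock; returns the outcome of each attempt."""
    clock = [0.0]
    limiter = LogonLimiter({"alice": "correct horse"}, now=lambda: clock[0])
    results = [limiter.attempt("alice", "wrong") for _ in range(4)]   # four failures: denied
    results.append(limiter.attempt("alice", "wrong"))                   # fifth failure: locked
    results.append(limiter.attempt("alice", "correct horse"))           # still locked, guess not confirmed
    clock[0] += LOCKOUT_S                                               # lockout period elapses
    results.append(limiter.attempt("alice", "correct horse"))           # released automatically: ok
    return results


if __name__ == "__main__":
    print(demo())
```

The injectable clock is what lets the lockout release be exercised without waiting; in production `time.monotonic` or the authentication service's clock takes its place, and the per-account state would live in the directory or identity store rather than in process memory.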
What evidence assessors expect
Assessors typically look for artifacts such as a screenshot or configuration export showing the configured failure threshold and lockout duration, a CSV export, or a PDF. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.
See your live posture on AC.L2-3.1.8.
FORCE shows where you stand on this control and walks you through closing it.
Start a free trial tenant →