
03.01.08(a) Enforce a limit of {{ insert: param, A.03.01.08.ODP.01 }} consecutive invalid logon attempts by a user during a {{ insert: param, A.03.01.08.ODP.02 }}. (b) Automatically {{ insert: param, A.03.01.08.ODP.03 }} when the maximum number of unsuccessful attempts is exceeded.

What this control requires

(a) Enforce a limit of {{ insert: param, A.03.01.08.ODP.01 }} consecutive invalid logon attempts by a user during a {{ insert: param, A.03.01.08.ODP.02 }}. (b) Automatically {{ insert: param, A.03.01.08.ODP.03 }} when the maximum number of unsuccessful attempts is exceeded.

Source: NIST SP 800-171 R3 §03.01.08 (official control text).

Why this matters

Limits on unsuccessful logon attempts protect against brute-force password attacks, in which an adversary systematically tries passwords until one succeeds. Without account lockout or throttling, automated tools can attempt thousands of passwords per minute. This control makes large-scale guessing impractical by temporarily locking the account or introducing delays once the limit is reached. The balance is critical: too few permitted attempts frustrate legitimate users who mistype passwords, while too many give attackers room to operate. Most organizations settle on 3-5 failed attempts within a 15-minute window, followed by a temporary lockout of 15-30 minutes or escalating delays.
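As an added illustration (not FORCE's code and not part of the control text), the following Python sketch implements both parts of 03.01.08 the way a defender would: a per-user count of consecutive invalid attempts inside a rolling window (part (a)) and an automatic temporary lockout once that count reaches the limit (part (b)). The limit, window and lockout duration are assumed values standing in for the organization-defined parameters; the class and its method names are hypothetical.

```python
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class LogonLimiter:
    """Tracks consecutive invalid logon attempts per user (03.01.08(a))
    and applies an automatic temporary lockout (03.01.08(b))."""
    max_attempts: int = 5        # assumed value for ODP.01 (attempt limit)
    window_s: float = 15 * 60    # assumed value for ODP.02 (time period)
    lockout_s: float = 30 * 60   # assumed value for ODP.03 (lockout duration)
    # user -> timestamps of recent failures; user -> lockout expiry time
    _failures: Dict[str, List[float]] = field(default_factory=dict, repr=False)
    _locked_until: Dict[str, float] = field(default_factory=dict, repr=False)

    def is_locked(self, user: str, now: float) -> bool:
        until = self._locked_until.get(user)
        if until is None:
            return False
        if now >= until:
            # Lockout expired: clear the lock and the failure history.
            del self._locked_until[user]
            self._failures.pop(user, None)
            return False
        return True

    def attempt(self, user: str, credential_ok: bool,
                now: Optional[float] = None) -> str:
        """Record one logon attempt; returns 'ok', 'denied' or 'locked'."""
        now = time.time() if now is None else now
        if self.is_locked(user, now):
            return "locked"      # refused even if the credential is correct
        if credential_ok:
            self._failures.pop(user, None)   # success resets the consecutive count
            return "ok"
        # Keep only failures that fall inside the rolling window.
        recent = [t for t in self._failures.get(user, []) if now - t < self.window_s]
        recent.append(now)
        self._failures[user] = recent
        # The failure that reaches the limit triggers the automatic lockout.
        if len(recent) >= self.max_attempts:
            self._locked_until[user] = now + self.lockout_s
            return "locked"
        return "denied"
```

Passing `now` explicitly lets the behaviour be tested deterministically; in production the wall clock is used and the lockout decision should be logged for the assessor's evidence.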

What evidence assessors expect

Assessors typically look for a screenshot, a configuration export, or a PDF. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.

Related controls

See your live posture on 03.01.08.

FORCE shows where you stand on this control and walks you through closing it.
