ISM-1403

User accounts, except for break glass accounts, are locked out after a maximum of five failed logon attempts.

Topic: User account lockouts
Applicable to: Non Classified, Official, Protected, Secret, Top Secret
Priority: must

History

Dec 2024
User accounts, except for break glass accounts, are locked out after a maximum of five failed logon attempts.
References to ‘accounts’ were changed to ‘user accounts’ in order to more closely match Microsoft Active Directory account types (i.e. ‘users’ and ‘computers’).

Jun 2023
Accounts, except for break glass accounts, are locked out after a maximum of five failed logon attempts.
The existing control relating to locking out accounts after a maximum of five failed logon attempts was amended to exclude break glass accounts.

Oct 2019
Accounts are locked out after a maximum of five failed logon attempts.
Security control 1403 was modified slightly.

Sep 2019
Accounts are locked after a maximum of five failed logon attempts.

2015
Agencies must ensure accounts are locked after a maximum of five failed logon attempts.