NIST 800-171 R-3.1.8
Limit Unsuccessful Logon Attempts
Official citation: 3.1.8
Class: core · Severity: high
Statement of the obligation — verify against source
3.1.8
What it means
Lock accounts after a set number of failed logins, whether the attempts arrive over a local or a network connection, to blunt password guessing. Because a permanent lockout could itself be turned into a denial of service, lockouts are usually temporary and release automatically after a set period (a delay algorithm), and the approach can differ by system component. Responses can be enforced at both the operating-system and application levels.
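As an added illustration, not part of the NIST text, the following Python sketch implements the application-level form of this control: a per-account counter of consecutive failed logins with a temporary lockout that releases automatically after a configurable period. The threshold (5) and lockout duration (15 minutes) are assumed policy values, and the clock is injected so the release behaviour can be exercised deterministically.

```python
import time
from collections import defaultdict

# Assumed policy values for this example (set per organizational policy).
MAX_FAILURES = 5          # consecutive failures before the account locks
LOCKOUT_SECONDS = 15 * 60  # temporary lockout; auto-release avoids a permanent DoS


class LoginLimiter:
    """Per-account lockout with automatic release (the 'delay algorithm')."""

    def __init__(self, max_failures=MAX_FAILURES,
                 lockout_seconds=LOCKOUT_SECONDS, clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock                 # injectable for testing
        self.failures = defaultdict(int)   # account -> consecutive failures
        self.locked_until = {}             # account -> release time (clock units)

    def is_locked(self, account):
        release = self.locked_until.get(account)
        if release is None:
            return False
        if self.clock() >= release:
            # Lockout period elapsed: release the account and reset its counter.
            del self.locked_until[account]
            self.failures[account] = 0
            return False
        return True

    def attempt(self, account, password, verify):
        """Return 'locked', 'ok' or 'failed'. `verify(account, password)` checks the credential."""
        if self.is_locked(account):
            # Refuse while locked without evaluating the credential, so a
            # guesser learns nothing about correctness during the lockout.
            return "locked"
        if verify(account, password):
            self.failures[account] = 0     # success clears the failure count
            return "ok"
        self.failures[account] += 1
        if self.failures[account] >= self.max_failures:
            self.locked_until[account] = self.clock() + self.lockout_seconds
        return "failed"


if __name__ == "__main__":
    # Constructed demo: a correct password is refused while the lock is active.
    limiter = LoginLimiter(max_failures=3, lockout_seconds=60)
    check = lambda acct, pw: pw == "correct-horse"
    for _ in range(3):
        print(limiter.attempt("alice", "wrong", check))    # failed x3
    print(limiter.attempt("alice", "correct-horse", check))  # locked
```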
Educational reference only — not legal advice. Consult a qualified assessor or attorney for binding compliance determinations.