Information Technology Reference
In-Depth Information
Category/Subcategory/Element | Control Reference | Control Summary | Interpretation

AC-7: Unsuccessful login attempts
The information system enforces a limit of [assignment: organization-defined number] consecutive invalid access attempts by a user during a [assignment: organization-defined time period] time period. The information system automatically locks the [selection: account/node] for an [assignment: organization-defined time period] and delays next login prompt according to [assignment: organization-defined delay algorithm] when the maximum number of unsuccessful attempts is exceeded.

AC-8: System use notification
The information system displays an approved, system use notification message before granting system access informing potential users: (i) that the user is accessing a U.S. government information system; (ii) that system usage may be monitored, recorded, and subject to audit; (iii) that unauthorized use of the system is prohibited and subject to criminal and civil penalties; and (iv) that use of the system indicates consent to monitoring and recording. The system use notification message provides appropriate privacy and security notices (based on associated privacy and security policies or summaries) and remains on the screen until the user takes explicit actions to log on to the information system.

AC-9: Previous logon notification
The information system notifies the user, upon successful logon, of the date and time of the last logon, and the number of unsuccessful logon attempts since the last successful logon.
 