AC-7(4)

Requirement
1. Allow the use of [Assignment: organization-defined authentication factors] that are different from the primary authentication factors after the number of organization-defined consecutive invalid logon attempts have been exceeded; and
2. Enforce a limit of [Assignment: organization-defined number] consecutive invalid logon attempts through use of the alternative factors by a user during a [Assignment: organization-defined time period].

Discussion

The use of alternate authentication factors supports the objective of availability and allows a user who has inadvertently been locked out to use additional authentication factors to bypass the lockout.

NIST 800-53A Assessment Guidance

Examine

[SELECT FROM: Access control policy; procedures addressing unsuccessful logon attempts for primary and alternate authentication factors; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].

Interview

[SELECT FROM: System/network administrators; organizational personnel with information security responsibilities].

Test

[SELECT FROM: Mechanisms implementing access control policy for unsuccessful logon attempts].

ID	Assessment Objectives
AC-07(04)(a)	<AC-07(04)_ODP[01] authentication factors> that are different from the primary authentication factors are allowed to be used after the number of organization-defined consecutive invalid logon attempts have been exceeded;
AC-07(04)(b)	a limit of <AC-07(04)_ODP[02] number> consecutive invalid logon attempts through the use of the alternative factors by the user during a <AC-07(04)_ODP[03] time period> is enforced.

Our CMMC Overview Course simplifies CMMC. Enroll so you can make informed decisions!