9.1.10.6. Unsuccessful Login Attempts

A user is allowed three failed logins per session. After the third unsuccessful login attempt, the user is disconnected and must initiate a new session in order to make additional attempts.

After 5 failed login attempts in a time 15 minute span, the account is locked for a period of 15 minutes.

The root user account will be locked for one hour after 5 failed login attempts.

References: AC-7 : UNSUCCESSFUL LOGON ATTEMPTS, AC-7(b), IA-11