4.10: Enforce Automatic Device Lockout on Portable End-User Devices

Group:

Info icon.

Control is new to this version of the control set.

Control Statement

Enforce automatic device lockout following a predetermined threshold of local failed authentication attempts on portable end-user devices, where supported. For laptops, do not allow more than 20 failed authentication attempts; for tablets and smartphones, no more than 10 failed authentication attempts. Example implementations include Microsoft® InTune Device Lock and Apple® Configuration Profile maxFailedAttempts.

[csf.tools Note: For more information on the Critical Security Controls, visit the Center for Internet Security.]