
Episode 7: Unsuccessful Logon Attempts (AC-7)

2.1K views· 99 likes· 8:55· Sep 10, 2022


In this episode of the NIST SP 800-53 Rev 5 Security Control explanatory series, we reviewed AC-7, Unsuccessful Logon Attempts, and then tried to simplify what the control requirements are all about and how best to assess/test this control during the SCA and self-control-assessment process.

Computer Security Resource Center: https://csrc.nist.gov/publications

The free way to help the channel grow is by subscribing using the link below: https://www.youtube.com/c/KamilSec?su...

Patreon & Channel Support: https://www.patreon.com/kamilSec?fan_landing=true

Order your KamilSec (KS) Designs Merch: https://kamilsec.creator-spring.com/

CashApp: $Kamilzak
Zelle: kaamilzak@gmail.com
PayPal: https://paypal.me/MZakari

Thank you!

I also conduct individualized resume and interview prep sessions as well as on-the-job consultation services.

Connect with me on social media:
Twitter: https://twitter.com/Kamilzak_1
Instagram: @Kamilzak1
E-mail: Kaamilzak@gmail.com

About This Video

In Episode 7 of my NIST SP 800-53 Rev 5 Access Control explanatory series, I break down AC-7 (Unsuccessful Logon Attempts) and what it’s really trying to protect you from. This control is all about stopping invalid credential attempts—wrong usernames/passwords, password expiration issues, even the wrong authentication mode—and reducing the chances of brute force attacks where a malicious actor keeps trying until they get it right (often using scripts). I also show the typical behavior you’ll see when AC-7 is working, like the “account locked due to three unsuccessful login attempts” message.

Then I walk through the actual control requirement: you enforce an organization-defined limit of consecutive invalid logon attempts within an organization-defined time period, and you take an automatic action. That action can be locking the account for a set time, locking it until an admin releases it, or applying a delay algorithm for the next logon prompt—plus notifying the admin or taking other defined actions. I also cover key discussion points, like how this applies to both local and network logons, and why auto-unlock is generally not permitted unless mission/operations require it.

Finally, I give you my assessment/testing approach for SCA or self-assessments: review policy/procedures, check the SSP implementation statement, collect configuration screenshots, and do a real walkthrough using a test account (or a real user account) to exceed the failed logon limit and verify the lockout behavior actually works.
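The control requirement and the walkthrough described above, as an added example that is not from the video, the channel or NIST: a small Python model of AC-7 enforcement that counts consecutive invalid attempts inside an organization-defined window and applies one of the three automatic actions (timed lock, lock until administrator release, or a delay before the next prompt), plus the assessor's test in code: exceed the limit with a test account, confirm the lock holds even when the correct password is then supplied, and confirm it releases the way the policy says. The thresholds (3 attempts in 15 minutes, 30-minute lock), the account names, the doubling back-off formula and the `LogonGuard`/`Ac7Policy` names are assumptions; time is passed in explicitly so the window and lock expiry can be exercised without sleeping.

```python
"""Executable model of NIST SP 800-53 Rev 5 AC-7 (Unsuccessful Logon Attempts).

Added example, not code from the video or from NIST. Names, thresholds and the
delay formula are illustrative assumptions; credentials are constructed test data.
"""
import hmac
import math
from dataclasses import dataclass, field
from enum import Enum

ADMIN_RELEASE = math.inf  # sentinel lock expiry: only an administrator can release


class Action(Enum):
    LOCK_TIMED = "lock for a fixed period, then release automatically"
    LOCK_ADMIN = "lock until an administrator releases the account"
    DELAY = "delay the next logon prompt instead of locking"


@dataclass
class Ac7Policy:
    max_attempts: int = 3            # organization-defined consecutive-failure limit
    window: float = 15 * 60          # organization-defined period, in seconds
    lock_duration: float = 30 * 60   # used by LOCK_TIMED
    base_delay: float = 2.0          # used by DELAY; doubles with each further failure
    action: Action = Action.LOCK_TIMED


@dataclass
class AccountState:
    failures: list = field(default_factory=list)  # timestamps of consecutive failures in the window
    locked_until: float = 0.0                     # > now means locked; ADMIN_RELEASE means admin-only
    not_before: float = 0.0                       # earliest time the next attempt is accepted (DELAY)


class LogonGuard:
    """Tracks failures per account and applies the policy's automatic action."""

    def __init__(self, policy: Ac7Policy, credentials: dict):
        self.policy = policy
        self.credentials = credentials                      # username -> password (test data)
        self.state = {u: AccountState() for u in credentials}
        self.events = []                                    # (time, user, event): audit / admin notices

    def _log(self, now, user, event):
        self.events.append((now, user, event))

    def attempt(self, user: str, password: str, now: float) -> str:
        st = self.state.setdefault(user, AccountState())

        # Release an expired timed lock and restart the failure count.
        if 0 < st.locked_until <= now:
            st.failures.clear()
            st.locked_until = 0.0
        # Lock and delay checks run before the credential is examined, so a
        # correct password is still rejected while the account is locked.
        if now < st.locked_until:          # covers a running timed lock and ADMIN_RELEASE (inf)
            return "locked"
        if now < st.not_before:
            return "delayed"

        # Unknown user and wrong password are both invalid logon attempts and are
        # counted the same way, so the response does not reveal which one it was.
        expected = self.credentials.get(user)
        ok = expected is not None and hmac.compare_digest(expected.encode(), password.encode())
        if ok:
            st.failures.clear()
            st.not_before = 0.0
            self._log(now, user, "logon success")
            return "success"

        # Keep only the consecutive failures that fall inside the defined window.
        st.failures = [t for t in st.failures if now - t < self.policy.window]
        st.failures.append(now)
        self._log(now, user, "logon failure")
        if len(st.failures) < self.policy.max_attempts:
            return "failure"

        # Limit reached: take the automatic action and notify the administrator.
        p = self.policy
        if p.action is Action.LOCK_TIMED:
            st.locked_until = now + p.lock_duration
        elif p.action is Action.LOCK_ADMIN:
            st.locked_until = ADMIN_RELEASE
        else:  # Action.DELAY: exponential back-off, never a hard lock
            extra = len(st.failures) - p.max_attempts
            st.not_before = now + p.base_delay * (2 ** extra)
        self._log(now, user, f"AC-7 limit reached: {p.action.name}; administrator notified")
        return "failure" if p.action is Action.DELAY else "locked"

    def admin_release(self, user: str, now: float) -> None:
        st = self.state[user]
        st.failures.clear()
        st.locked_until = 0.0
        st.not_before = 0.0
        self._log(now, user, "lock released by administrator")


def assessment_walkthrough(policy: Ac7Policy = None) -> list:
    """The SCA walkthrough as code: exceed the limit with a test account, check that the
    correct password is rejected while locked, then check the policy's release path.
    Returns the sequence of observed results."""
    policy = policy or Ac7Policy()
    guard = LogonGuard(policy, {"ac7-test": "Correct-Horse-9"})   # constructed test account
    t, seen = 1000.0, []
    for i in range(policy.max_attempts):
        seen.append(guard.attempt("ac7-test", f"wrong-{i}", now=t + i))
    seen.append(guard.attempt("ac7-test", "Correct-Horse-9", now=t + policy.max_attempts))
    if policy.action is Action.LOCK_TIMED:
        seen.append(guard.attempt("ac7-test", "Correct-Horse-9", now=t + policy.lock_duration + 60))
    elif policy.action is Action.LOCK_ADMIN:
        guard.admin_release("ac7-test", now=t + 60)
        seen.append(guard.attempt("ac7-test", "Correct-Horse-9", now=t + 61))
    else:
        seen.append(guard.attempt("ac7-test", "Correct-Horse-9", now=t + 60))
    return seen


if __name__ == "__main__":
    for action in Action:
        print(action.name, assessment_walkthrough(Ac7Policy(action=action)))
```

The fourth result in each walkthrough is the one an assessor cares about: the correct password submitted right after the limit is hit must come back as `locked` (or `delayed`), not `success`. A system that only shows a "locked" message but still accepts the next valid credential has not implemented AC-7. The window filter is the other thing to probe during the walkthrough: three failures spread across more than the defined period should not lock the account, and three within it should.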
