8.1.7 Set the lockout duration to a minimum of 30 minutes or until an administrator enables the user ID

8.1.7 Set the lockout duration to a minimum of 30 minutes or until an administrator enables the user ID.

8.1.7 For a sample of system components, inspect system configuration settings to verify that password parameters are set to require that once a user account is locked out, it remains locked for a minimum of 30 minutes or until a system administrator resets the account.

If an account is locked out due to someone continually trying to guess a password, controls to delay reactivation of these locked accounts stops the malicious individual from continually guessing the password (they will have to stop for a minimum of 30 minutes until the account is reactivated).

Additionally, if reactivation must be requested, the admin or help desk can validate that it is the actual account owner requesting reactivation.|