CIS Control 4.10: Enforce Automatic Device Lockout on Portable End-User Devices
Credential compromise remains a top attack vector, especially on portable devices that are frequently lost or stolen. CIS Control 4.10 requires organizations to enforce automatic lockout after a predetermined number of failed authentication attempts, creating a critical barrier against brute-force attacks and unauthorized access.
What this means
This control requires implementing automatic device lockout policies that activate after a defined threshold of consecutive failed login attempts. For laptops, the threshold is 20 failed attempts; for tablets and smartphones, it's 10 failed attempts. Once triggered, the device enters a locked state, requiring administrative intervention or a password reset to regain access. This control assumes the device platform supports this capability natively or through mobile device management (MDM) solutions.
How to comply
- 1.Audit all portable devices in your organization (laptops, tablets, smartphones) to determine which support automatic lockout functionality.
- 2.Configure lockout thresholds: set laptops to lock after 20 failed authentication attempts and mobile devices after 10 attempts.
- 3.Use mobile device management (MDM), endpoint protection, or device operating system settings to enforce lockout policies centrally.
- 4.Define the lockout duration—typically 15-30 minutes—before users can attempt authentication again.
- 5.Document your lockout policy in your access control procedures and communicate it to all users.
- 6.Test lockout functionality on a sample device to verify configuration is working as intended.
- 7.Monitor lockout events through your MDM or security information and event management (SIEM) system to detect attack patterns.
- 8.Establish a process for authorized users to unlock devices (e.g., help desk verification or administrator reset).
Evidence auditors look for
- MDM policy screenshots showing lockout thresholds configured for each device type
- Device settings documentation confirming automatic lockout is enabled
- Help desk procedures for handling locked-out user requests
- Security logs or MDM reports showing lockout events and timestamps
- Configuration backups from endpoint management tools showing active policies
- User acknowledgment records confirming receipt of lockout policy documentation
- Audit reports from third-party security assessments verifying lockout enforcement
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automatically discovers all portable devices across your organization, detects unsupported platforms, and generates lockout policy compliance reports—eliminating manual audits and configuration drift across your device estate.
See how GRCWatch handles this control automatically
Start free trial