Question:

Does the account lockout policy used by Vault violate FDA regulation 21CFR11.300?

Note:
This question can arise, for example, when it is revealed during a security compliance-related audit that Vault does not send email notifications for invalid login attempts. 

Answer:

No. Invalid login attempts are logged under Login Audit History.

Related Documentation:

Vault KB articles:

• Can an email notification be configured for account lockouts after invalid login attempts in Vault?
• Why are invalid login attempts not appearing under Login Audit History in Vault?

Third Party documentation:

• Testing for Weak Lock Out Mechanism
• CFR - Code of Federal Regulations Title 21

Vault Help Documentation:

• Configuring Password Security Policies > User Account Lockout