Question:

Does the account lockout policy used by Vault violate FDA regulation 21CFR11.300?

Note:
This question can arise, for example, when it is revealed during a security compliance-related audit that Vault does not send email notifications for invalid login attempts. 

Answer:

No. Invalid login attempts are logged under Login Audit History.

Related Documentation:

Vault KB articles:

• Can an email notification be configured for account lockouts after invalid login attempts in Vault?
• Why are invalid login attempts not appearing under Login Audit History in Vault?

Third Party documentation:

• Testing for Weak Lock Out Mechanism
• CFR - Code of Federal Regulations Title 21

Vault Help Documentation:

• Configuring Password Security Policies > User Account Lockout

Send us your feedback: We are always looking for feedback to help improve our Knowledge Base! Please let us know if this article is helpful or provide feedback on how we can improve your experience by clicking here.