A user is allowed three failed logins per session. After the third unsuccessful login attempt, the user is disconnected and must initiate a new session in order to make additional attempts.
After 5 failed login attempts in a time 15 minute span, the account is locked for a period of 15 minutes.
The root user account will be locked for one hour after 5 failed login attempts.
References: AC-7, AC-7(b), IA-11