In your app file where you redirect the user back to
login.cfm if their username and pass dont match with the one in db,
place a <cfparam name="Session.FailCount" default="1">
<cfset session.FailCount=Session.FailCount +1>
<cfif session.FailCount is 3>
your msg: You have exceed the 3 trials....etc
</cfif>
You can submit your msh as a url variable to the login page