CMMC Practice AC.2.010

Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity.


CMMC Version 1.02, pg. 60

Bold Coast Security Guidance

The easiest way to comply with this practice is to enable locking screen savers on user workstations. If you use Active Directory, you can use group policy to enable this setting, dictate how long the session can be idle before the screen saver kicks in, and require users to re-enter their password to unlock their workstation. Don't forget to train your users to manually lock their workstations when they walk away too! In order to measure the effectiveness of this policy, do some scheduled walk-arounds and see if people are locking their workstations manually when they step away. If you see a trend rising or falling, you may need to increase training or decrease the amount of idle-time before the sessions lock.

Discussion From Source

DRAFT NIST SP 800-171 R2 Session locks are temporary actions taken when users stop work and move away from the immediate vicinity of the system but do not want to log out because of the temporary nature of their absences . Session locks are implemented where session activities can be determined, typically at the operating system level (but can also be at the application level). Session locks are not an acceptable substitute for logging out of the system, for example, if organizations require users to log out at the end of the workday. Pattern-hiding displays can include static or dynamic images, for example, patterns used with screen savers, photographic images, solid colors, clock, battery life indicator, or a blank screen, with the additional caveat that none of the images convey controlled unclassified information.