CMMC Practice AC.L2-3.1.11

Terminate (automatically) user sessions after a defined condition.

Bold Coast Security Guidance

Earlier we put session locks in place, which automatically locked the user session and put up a screen saver. Now the organization must forcibly disconnect users and terminate their sessions after a set amount of idle time. This effectively logs them off their workstation, closing all applications in use. It can be disruptive to operations when users are used to leaving documents open for an extended period, or if they are running complex queries that take an extended amount of time, so be sure to review the settings with the organization before implementing them.
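As an added example (not part of the Bold Coast guidance or the CMMC text), the PowerShell below configures and then checks idle-session termination for Remote Desktop Services sessions using the registry values that the Group Policy settings "Set time limit for active but idle Remote Desktop Services sessions" and "End session when time limits are reached" write. It assumes an elevated PowerShell session, and the 15-minute idle limit is an assumed placeholder for the organization-defined value.

```powershell
# Added example: enforce and verify idle-session termination for RDS sessions.
# The idle limit is an assumed placeholder; AC.L2-3.1.11 leaves the period
# organization-defined, so replace it with the value the organization approves.
$IdleLimitMinutes = 15
$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Set-IdleSessionTermination {
    param(
        [Parameter(Mandatory)][int]$IdleLimitMinutes,
        [string]$Path = $PolicyPath
    )
    if (-not (Test-Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }
    # MaxIdleTime is stored in milliseconds (0 would mean "never").
    $idleMs = $IdleLimitMinutes * 60 * 1000
    New-ItemProperty -Path $Path -Name 'MaxIdleTime' -PropertyType DWord -Value $idleMs -Force | Out-Null
    # fResetBroken = 1 ends the session when the limit is reached (log off),
    # rather than only disconnecting it. That is the logical-session termination
    # NIST describes, as opposed to merely dropping the network connection.
    New-ItemProperty -Path $Path -Name 'fResetBroken' -PropertyType DWord -Value 1 -Force | Out-Null
}

function Test-IdleSessionTermination {
    # Audit check: confirms both the idle limit and the "end session" behaviour.
    param(
        [Parameter(Mandatory)][int]$ExpectedIdleLimitMinutes,
        [string]$Path = $PolicyPath
    )
    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    $expectedMs = $ExpectedIdleLimitMinutes * 60 * 1000
    $idleOk  = ($null -ne $props) -and ($props.MaxIdleTime -eq $expectedMs)
    $resetOk = ($null -ne $props) -and ($props.fResetBroken -eq 1)
    [pscustomobject]@{
        IdleLimitConfigured          = $idleOk
        EndsSessionNotJustDisconnect = $resetOk
        Compliant                    = ($idleOk -and $resetOk)
    }
}

Set-IdleSessionTermination -IdleLimitMinutes $IdleLimitMinutes
Test-IdleSessionTermination -ExpectedIdleLimitMinutes $IdleLimitMinutes | Format-List
```

These values govern Remote Desktop Services sessions; a domain Group Policy Object is the usual way to apply the same settings fleet-wide, and the audit function can be run against machines afterwards to confirm the policy took effect.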

Discussion From Source

DRAFT NIST SP 800-171 R2

This requirement addresses the termination of user-initiated logical sessions in contrast to the termination of network connections that are associated with communications sessions (i.e., disconnecting from the network). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational system. Such user sessions can be terminated (and thus terminate user access) without terminating network sessions. Session termination terminates all processes associated with a user’s logical session except those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated. Conditions or trigger events requiring automatic session termination can include organization-defined periods of user inactivity, targeted responses to certain types of incidents, and time-of-day restrictions on system use.

References