NIST Special Publication 800-171 Revision 2
Date Published: January 28th, 2021
Withdrawn on May 14, 2024. Superseded by SP 800-171 Rev. 3
Author(s): Ron Ross (NIST), Victoria Pillitteri (NIST), Kelley Dempsey (NIST), Mark Riddle (NARA), Gary Guissanie (IDA)
Note: A Class Deviation is in effect as of May 2, 2024 (DEVIATION 2024O0013). The deviation clause requires contractors, who are subject to 252.204-7012, to comply with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Revision 2, instead of the version of NIST SP 800-171 in effect at the time the solicitation is issued or as authorized by the contracting officer. Click Here
3.13.9: Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity.
Control Family: System and Communications Protection
Control Type: Derived
SPRS Value: 1
SPRS Supplemental Guidance: N/A
CMMC Level(s):
SC.L2-3.13.9
Top Ten Failed Requirement:
No
Referenced in:
DFARS 252.204-7012
Derived From: NIST SP 800-53r4
SC-10
NIST Supplemental Guidance:
N/A
Discussion:
This requirement applies to internal and external networks. Terminating network connections associated with communications sessions include de-allocating associated TCP/IP address or port pairs at the operating system level, or de-allocating networking assignments at the application level if multiple application sessions are using a single, operating system-level network connection. Time periods of user inactivity may be established by organizations and include time periods by type of network access or for specific network accesses.
Upon assessment, assessors must determine if-
3.13.9[a] a period of inactivity to terminate network connections associated with communications sessions is defined.
3.13.9[b] network connections associated with communications sessions are terminated at the end of the sessions.
3.13.9[c] network connections associated with communications sessions are terminated after the defined period of inactivity.
Assessors are instructed to-
Examine: [SELECT FROM: System and communications protection policy; procedures addressing network disconnect; system design documentation; system security plan; system configuration settings and associated documentation; system audit logs and records; other relevant documents or records].
Interview: [SELECT FROM: System or network administrators; personnel with information security responsibilities; system developer].
Test: [SELECT FROM: Mechanisms supporting or implementing network disconnect capability].
FURTHER DISCUSSION
Prevent malicious actors from taking advantage of an open network session or an unattended computer at the end of the connection. Balance user work patterns and needs against security to determine the length of inactivity that will force a termination. This requirement, SC.L2-3.13.9, specifies network connections be terminated under certain conditions, which complements AC.L2-3.1.18 that specifies control of mobile device connections.
Example
You are an administrator of a server that provides remote access. Your company’s policies state that network connections must be terminated after being idle for 60 minutes [a]. You edit the server configuration file and set the timeout to 60 minutes and restart the remote access software [c]. You test the software and verify that the connection is terminated appropriately.
Potential Assessment Considerations
Are the network connections requiring management and time-out for inactivity documented [a]?
Are the network connections requiring management and time-out for inactivity configured and implemented [c]?
Frameworks & Controls
3.13: System and Communications Protection
3.13.3: Separate user functionality from system management functionality.
3.13.4: Prevent unauthorized and unintended information transfer via shared system resources
3.13.11: Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.
3.13.14: Control and monitor the use of Voice over Internet Protocol (VoIP) technologies.