03.01.10: Device Lock
Control Family: Access Control
SPRS: N/A
Top Ten Failed Requirement: N/A
Supporting Publications: N/A
Referenced in: N/A
Control Type: N/A
CPCSC Level 2: 03.01.10
CMMC Level(s): N/A
Derived From: NIST SP 800-53r5 AC-11, AC-11(01)
a. Prevent access to the system by [Selection (one or more): initiating a device lock after [Assignment: organization-defined time period] of inactivity; requiring the user to initiate a device lock before leaving the system unattended].
b. Retain the device lock until the user reestablishes access using established identification and authentication procedures.
c. Conceal, via the device lock, information previously visible on the display with a publicly viewable image.
Discussion:
Device locks are temporary actions taken to prevent access to the system when users depart from the immediate vicinity of the system but do not want to log out due to the temporary nature of their absences. Device locks can be implemented at the operating system level or application level. User-initiated device locking is behavior- or policy-based and requires users to take physical action to initiate the device lock. Device locks are not an acceptable substitute for logging out of the system (e.g., when organizations require users to log out at the end of workdays). Publicly viewable images can include static or dynamic images, such as patterns used with screen savers, solid colors, photographic images, a clock, a battery life indicator, or a blank screen with the caveat that controlled unclassified information is not displayed.
Assessment Methods and Objectives
Examine [SELECT FROM: access control policy and procedures; procedures for session lock and identification and authentication; system design documentation; system configuration settings; display screen with session lock activated; system security plan; other relevant documents or records]
Interview [SELECT FROM: personnel with information security responsibilities; system developers; system administrators]
Test [SELECT FROM: mechanisms for implementing the access control policy for session lock; session lock mechanisms]
NIST SP 800-171A r3 Determining Statements
Determine if:
A.03.01.10.ODP[01]: one or more of the following PARAMETER VALUES are selected: {a device lock is initiated after <A.03.01.10.ODP[02]: time period> of inactivity; the user is required to initiate a device lock before leaving the system unattended}.
A.03.01.10.ODP[02]: the time period of inactivity after which a device lock is initiated is defined (if selected).
A.03.01.10.a: access to the system is prevented by <A.03.01.10.ODP[01]: SELECTED PARAMETER VALUES>.
A.03.01.10.b: the device lock is retained until the user reestablishes access using established identification and authentication procedures.
A.03.01.10.c: information previously visible on the display is concealed via device lock with a publicly viewable image.
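The determination statements above can be evaluated mechanically against an endpoint-management export. The script below is an added example, not part of NIST SP 800-171 or 800-171A: it records the two organization-defined parameters (ODP[01] mechanism selection, ODP[02] inactivity period), then scores each endpoint against A.03.01.10.a, .b and .c. The record fields (lock_after_inactivity_s, user_lock_enabled, reauth_required, lock_screen_shows), the content categories, and the sample hosts are constructed for illustration; the ODP[02] value of 900 seconds is an assumed example value, not one the control prescribes.

```python
"""Worked check of the 03.01.10 Device Lock determination statements
over endpoint configuration records.

Added example, not from NIST SP 800-171 / 800-171A. Field names and
sample data are constructed; map them to your own endpoint export.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class DeviceLockODP:
    """Organization-defined parameters as recorded in the system security plan.
    ODP[01] selects one or both mechanisms; ODP[02] is the inactivity period."""
    inactivity_lock_selected: bool = True
    user_initiated_lock_selected: bool = True
    max_inactivity_seconds: int = 900  # ODP[02]; assumed example value


# What a lock screen may show. Categories that could carry previously
# visible information (e.g. CUI) fail A.03.01.10.c. Anything not listed
# in CONCEALING is treated conservatively as a failure.
CONCEALING = frozenset({"blank", "solid_color", "clock", "battery", "pattern", "photo"})
REVEALING = frozenset({"previous_screen", "notification_body", "document_preview"})


@dataclass(frozen=True)
class EndpointConfig:
    host: str
    lock_after_inactivity_s: Optional[int]  # None = inactivity lock disabled
    user_lock_enabled: bool                 # user can lock on demand (e.g. hotkey)
    reauth_required: bool                   # unlock requires identification + authentication
    lock_screen_shows: FrozenSet[str]       # content visible while locked


def assess(cfg: EndpointConfig, odp: DeviceLockODP) -> Dict[str, bool]:
    """Return True (satisfied) / False (other than satisfied) per determination statement."""
    findings: Dict[str, bool] = {}

    # A.03.01.10.a: access is prevented by every SELECTED mechanism.
    # A mechanism not selected in ODP[01] is not assessed.
    a_ok = True
    if odp.inactivity_lock_selected:
        a_ok = a_ok and (
            cfg.lock_after_inactivity_s is not None
            and 0 < cfg.lock_after_inactivity_s <= odp.max_inactivity_seconds
        )
    if odp.user_initiated_lock_selected:
        a_ok = a_ok and cfg.user_lock_enabled
    findings["A.03.01.10.a"] = a_ok

    # A.03.01.10.b: the lock is retained until the user re-authenticates.
    findings["A.03.01.10.b"] = cfg.reauth_required

    # A.03.01.10.c: the display is concealed by a publicly viewable image.
    shows = cfg.lock_screen_shows
    findings["A.03.01.10.c"] = not (shows & REVEALING) and shows <= CONCEALING
    return findings


def summarize(configs: List[EndpointConfig], odp: DeviceLockODP) -> Dict[str, List[str]]:
    """Map each host to the list of determination statements it fails."""
    return {c.host: [k for k, ok in assess(c, odp).items() if not ok] for c in configs}


# Constructed sample inventory covering the common failure modes.
SAMPLE = [
    EndpointConfig("ws-01", 600, True, True, frozenset({"clock", "photo"})),
    EndpointConfig("ws-02", 1800, True, True, frozenset({"blank"})),               # exceeds ODP[02]
    EndpointConfig("ws-03", 300, True, False, frozenset({"blank"})),               # unlock without auth
    EndpointConfig("ws-04", 300, True, True, frozenset({"clock", "notification_body"})),  # leaks content
    EndpointConfig("ws-05", None, True, True, frozenset({"blank"})),               # no inactivity lock
]

if __name__ == "__main__":
    for host, failed in summarize(SAMPLE, DeviceLockODP()).items():
        status = "satisfied" if not failed else "other than satisfied: " + ", ".join(failed)
        print(f"{host}: {status}")
```

Note how ODP[01] changes the outcome: if the organization selected only user-initiated locking, ws-05 (no inactivity timeout) satisfies A.03.01.10.a, because the timeout mechanism is then out of scope; with both selected it fails. The same record therefore needs the assessor's ODP values before it can be scored.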