03.01.11: Session Termination

Control Familly: Access Control

SPRS: N/A

Top Ten Failed Requirement: N/A

Supporting Publications:

N/A

Referenced in: N/A

Control Type: N/A

CPCSC Level 2: 03.01.11

CMMC Level(s): N/A

Derived From: NIST SP 800-53r5

AC-12

Terminate a user session automatically after [Assignment: organization-defined conditions or trigger events requiring session disconnect].

Discussion:

This requirement addresses the termination of user-initiated logical sessions in contrast to the termination of network connections that are associated with communications sessions (i.e., disconnecting from the network) in 03.13.09. A logical session is initiated whenever a user (or processes acting on behalf of a user) accesses a system. Logical sessions can be terminated (and thus terminate user access) without terminating network sessions. Session termination ends all system processes associated with a user’s logical session except those processes that are created by the user (i.e., session owner) to continue after the session is terminated. Conditions or trigger events that require automatic session termination can include organization-defined periods of user inactivity, time-of-day restrictions on system use, and targeted responses to certain types of incidents.

Assessment Methods and Objectives

[SELECT FROM: access control policy and procedures; procedures for session termination; system design documentation; system configuration settings; list of conditions or trigger events requiring session disconnect; system audit records; system security plan; other relevant documents or records]

Interview [SELECT FROM: personnel with information security responsibilities; system developers; system administrators]

Test [SELECT FROM: automated mechanisms for implementing user session termination]