03.13.09: Network Disconnect
Control Family: System and Communications Protection
SPRS: N/A
Top Ten Failed Requirement: N/A
Supporting Publications: N/A
Referenced in: N/A
Control Type: N/A
CPCSC Level 2: 03.13.09
CMMC Level(s): N/A
Derived From: NIST SP 800-53r5 SC-10
Terminate the network connection associated with a communications session at the end of the session or after [Assignment: organization-defined time period] of inactivity.
Discussion:
This requirement applies to internal and external networks. Terminating network connections associated with communications sessions includes deallocating TCP/IP addresses or port pairs at the operating system level or deallocating networking assignments at the application level if multiple application sessions are using a single network connection. Time periods of inactivity may be established by organizations and include time periods by type of network access or for specific network accesses.
Assessment Methods and Objectives
Examine [SELECT FROM: system and communications protection policy and procedures; procedures for network disconnect; system design documentation; system configuration settings; system audit records; system security plan; other relevant documents or records]
Interview [SELECT FROM: personnel with information security responsibilities; system developers; system administrators]
Test [SELECT FROM: mechanisms for supporting or implementing a network disconnect capability]
NIST SP 800-171A r3 Determining Statements
Determine if:
A.03.13.09.ODP[01]: the time period of inactivity after which the system terminates a network connection associated with a communications session is defined.
A.03.13.09: the network connection associated with a communications session is terminated at the end of the session or after <A.03.13.09.ODP[01]: time period> of inactivity.