AC-11: Session Lock

Control Family:

Access Control

Priority:

P3: Implement P3 security controls after implementation of P1 and P2 controls.

CSF v1.1 References:

PR.AC-7

Threats Addressed:

Baselines:

Low
N/A
Moderate
- AC-11
- (1)
High
- AC-11
- (1)

Next Version:

NIST Special Publication 800-53 Revision 5:
AC-11: Device Lock

Control Statement

The information system:

Prevents further access to the system by initiating a session lock after [Assignment: organization-defined time period] of inactivity or upon receiving a request from a user; and
Retains the session lock until the user reestablishes access using established identification and authentication procedures.

Supplemental Guidance

Session locks are temporary actions taken when users stop work and move away from the immediate vicinity of information systems but do not want to log out because of the temporary nature of their absences. Session locks are implemented where session activities can be determined. This is typically at the operating system level, but can also be at the application level. Session locks are not an acceptable substitute for logging out of information systems, for example, if organizations require users to log out at the end of workdays.

Control Enhancements

AC-11(1): Pattern-Hiding Displays

Baseline(s):

Moderate
High

The information system conceals, via the session lock, information previously visible on the display with a publicly viewable image.

Control Statement

Supplemental Guidance

Control Enhancements

Related Controls

NIST Special Publication 800-53 Revision 4

Cloud Controls Matrix v3.0.1

Critical Security Controls Version 8

Critical Security Controls Version 7.1