AC-12: Session Termination
Control Family:
CSF v1.1 References:
PF v1.0 References:
Threats Addressed:
Baselines:
- Low
N/A
- Moderate
- AC-12
- High
- AC-12
- Privacy
N/A
Previous Version:
- NIST Special Publication 800-53 Revision 4:
- AC-12: Session Termination
Control Statement
Automatically terminate a user session after [Assignment: organization-defined conditions, or trigger events requiring session disconnect].
Supplemental Guidance
Session termination addresses the termination of user-initiated logical sessions (in contrast to SC-10, which addresses the termination of network connections associated with communications sessions (i.e., network disconnect)). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational system. Such user sessions can be terminated without terminating network sessions. Session termination ends all processes associated with a user's logical session except for those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated. Conditions or trigger events that require automatic termination of the session include organization-defined periods of user inactivity, targeted responses to certain types of incidents, or time-of-day restrictions on system use.
Control Enhancements
AC-12(1): User-initiated Logouts
Baseline(s):
Provide a logout capability for user-initiated communications sessions whenever authentication is used to gain access to [Assignment: organization-defined information resources].
AC-12(2): Termination Message
Baseline(s):
Display an explicit logout message to users indicating the termination of authenticated communications sessions.
AC-12(3): Timeout Warning Message
Baseline(s):
Display an explicit message to users indicating that the session will end in [Assignment: organization-defined time until end of session].