AC-2(5): Inactivity Logout

Control Family:

Access Control

Parent Control:

AC-2: Account Management

CSF v1.1 References:

PR.AC-4
DE.CM-3

Threats Addressed:

Spoofing

Baselines:

Moderate
High

Previous Version:

NIST Special Publication 800-53 Revision 4:
AC-2(5): Inactivity Logout

Control Statement

Require that users log out when [Assignment: organization-defined time period of expected inactivity or description of when to log out].

Supplemental Guidance

Inactivity logout is behavior- or policy-based and requires users to take physical action to log out when they are expecting inactivity longer than the defined period. Automatic enforcement of inactivity logout is addressed by AC-11.

Control Statement

Supplemental Guidance

Related Controls

NIST Special Publication 800-53 Revision 5

Critical Security Controls Version 8