• Requirement

    Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity.

  • Discussion

    This requirement applies to internal and external networks. Terminating network connections associated with communications sessions include de-allocating associated TCP/IP address or port pairs at the operating system level, or de-allocating networking assignments at the application level if multiple application sessions are using a single, operating system-level network connection. Time periods of user inactivity may be established by organizations and include time periods by type of network access or for specific network accesses.

More Info

  • Title

    Connections Termination
  • Domain

    System and Communications Protection
  • CMMC Level

  • Related NIST 800-171 ID

  • Related NIST 800-53 ID


  • DoD Scoring Methodology Points


  • Reference Documents

    • N/A

  • Further Discussion

    Prevent malicious actors from taking advantage of an open network session or an unattended computer at the end of the connection. Balance user work patterns and needs against security to determine the length of inactivity that will force a termination.

    This requirement, SC.L2-3.13.9, specifies network connections be terminated under certain conditions, which complements AC.L2-3.1.18 that specifies control of mobile device connections.


    You are an administrator of a server that provides remote access. Your companyā€™s policies state that network connections must be terminated after being idle for 60 minutes [a]. You edit the server configuration file and set the timeout to 60 minutes and restart the remote access software [c]. You test the software and verify that the connection is terminated appropriately.

    Potential Assessment Considerations

    • Are the network connections requiring management and time-out for inactivity documented [a]?
    • Are the network connections requiring management and time-out for inactivity configured and implemented [c]?

NIST 800-171A Assessment Guidance

CMMC Training

Our CMMC Overview Course simplifies CMMC. Enroll so you can make informed decisions!