3.1.11

Requirement

Terminate a user session automatically after [Assignment: organization-defined conditions or trigger events requiring session disconnect].

Discussion

This requirement addresses the termination of user-initiated logical sessions in contrast to the termination of network connections that are associated with communications sessions (i.e., disconnecting from the network) in 03.13.09. A logical session is initiated whenever a user (or processes acting on behalf of a user) accesses a system. Logical sessions can be terminated (and thus terminate user access) without terminating network sessions. Session termination ends all system processes associated with a user’s logical session except those processes that are created by the user (i.e., session owner) to continue after the session is terminated. Conditions or trigger events that require automatic session termination can include organization-defined periods of user inactivity, time-of-day restrictions on system use, and targeted responses to certain types of incidents.

NIST 800-171A r3 Assessment Guidance

Examine

[SELECT FROM: access control policy and procedures; procedures for session termination; system design documentation; system configuration settings; list of conditions or trigger events requiring session disconnect; system audit records; system security plan; other relevant documents or records]
Interview

[SELECT FROM: automated mechanisms for implementing user session termination]
Test

[SELECT FROM: personnel with information security responsibilities; system developers; system administrators]

ID	Assessment Objectives
A.03.01.11	a user session is terminated automatically after .
A.03.01.11.ODP[01]	conditions or trigger events that require session disconnect are defined.

Our CMMC Overview Course simplifies CMMC. Enroll so you can make informed decisions!