AC-2(5)

Requirement

Require that users log out when [Assignment: organization-defined time period of expected inactivity or description of when to log out].

Discussion

Inactivity logout is behavior- or policy-based and requires users to take physical action to log out when they are expecting inactivity longer than the defined period. Automatic enforcement of inactivity logout is addressed by AC-11.

NIST 800-53A Assessment Guidance

Examine

[SELECT FROM: Access control policy; procedures addressing account management; system design documentation; system configuration settings and associated documentation; security violation reports; system audit records; system security plan; other relevant documents or records].

Interview

[SELECT FROM: Organizational personnel with account management responsibilities; system/network administrators; organizational personnel with information security responsibilities; users that must comply with inactivity logout policy].

ID	Assessment Objectives
AC-02(05)	users are required to log out when <AC-02(05)_ODP time period of expected inactivity or description of when to log out>.

Our CMMC Overview Course simplifies CMMC. Enroll so you can make informed decisions!