Establish, implement, and maintain idle session termination and logout capabilities.


CONTROL ID
01418
CONTROL TYPE
Configuration
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain system hardening procedures., CC ID: 12001

This Control has the following implementation support Control(s):
  • Refrain from using assertion lifetimes to limit each session., CC ID: 13871
  • Configure Session Configuration settings in accordance with organizational standards., CC ID: 07698


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • The organization should logoff an ID if it is not used within a specified amount of time after logging on to protect the system and data against unauthorized use. (T36.2(1), FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • Outside of business hours, and after an appropriate period of inactivity, user sessions are terminated and workstations are rebooted. (Security Control: 0853; Revision: 1, Australian Government Information Security Manual, March 2021)
  • The organization should develop and implement a policy to automatically logout and shutdown workstations after a predetermined period of inactivity. (Control: 0853, Australian Government Information Security Manual: Controls)
  • Each system should be configured to lock out sessions after a maximum of 15 minutes of inactivity. (§ 3.6.15, Australian Government ICT Security Manual (ACSI 33))
  • The person in charge of processing must be instructed that electronic equipment must not be left unattended and made accessible when processing operations are being conducted. (Annex B.9, Italy Personal Data Protection Code)
  • App 2 ¶ 14.i: For IT systems that process and access restricted information, the system shall automatically log users off of the system if their terminal is inactive for a predetermined amount of time or the system must activate a password protected screen saver after 15 minutes of inactivity. … (App 2 ¶ 14.i, App 6 ¶ 15.i, The Contractual process, Version 5.0 October 2010)
  • Does the organization limit session lifetimes? (Table Row VI.22, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Which sessions that run on port 80 are the longest sessions? (App Table Intrusion Detection Row 1, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • The wireless LAN (WLAN) should have a session time out capability to prevent sessions from being hijacked by an unauthorized attacker. (§ 2.3.1 (2.3.1.050), The Center for Internet Security Wireless Networking Benchmark, 1)
  • The wireless LAN (WLAN) should have a session time out capability, which should be set for 15 minutes or less. (§ 1.2 (2.3.1.050), The Center for Internet Security Wireless Networking Benchmark, Apple Addendum, 1)
  • The wireless LAN (WLAN) should have a session time out capability, which should be set for 15 minutes or less. (§ 1.2 (2.3.1.050), The Center for Internet Security Wireless Networking Benchmark, Cisco Addendum, 1)
  • The wireless LAN (WLAN) should have a session time out capability, which should be set for 15 minutes or less. (§ 1.2 (2.3.1.050), The Center for Internet Security Wireless Networking Benchmark, DLINK Addendum, 1)
  • The control system shall provide the capability to prevent further access by initiating a session lock after a configurable time period of inactivity or by manual initiation. The session lock shall remain in effect until the human user who owns the session or another authorized human user re-establi… (6.7.1 ¶ 1, IEC 62443-3-3: Industrial communication networks – Network and system security – Part 3-3: System security requirements and security levels, Edition 1)
  • The control system shall provide the capability to terminate a remote session either automatically after a configurable time period of inactivity or manually by the user who initiated the session. (6.8.1 ¶ 1, IEC 62443-3-3: Industrial communication networks – Network and system security – Part 3-3: System security requirements and security levels, Edition 1)
  • If a component supports remote sessions, the component shall provide the capability to terminate a remote session either automatically after a configurable time period of inactivity, manually by a local authority, or manually by the user (human, software process or device) who initiated the session. (6.8.1 ¶ 1, IEC 62443-4-2: Security for industrial automation and control systems – Part 4-2: Technical security requirements for IACS components, Edition 1.0)
  • The organization must establish time limits for consumer sessions. (§ 2b, American Express Data Security Standard (DSS))
  • Enable automatic lockouts on handheld devices after a defined idle period, and configure devices to require a password when powering on. (4.1.1 E, Information Supplement: PCI DSS Wireless Guidelines, Version 2.0)
  • Inspect the system configuration settings for a sample of components to verify that the idle session timeout has been configured to 15 minutes or less. (Testing Procedures § 8.1.8, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Interview responsible personnel and examine the usage policies to verify they require the automatic disconnect of remote sessions after a stated period of inactivity. (Testing Procedures § 12.3.8.a, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • If a session has been idle for more than 15 minutes, require the user to re-authenticate to re-activate the terminal or session. (§ 8.5.15, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • For a sample of system components, obtain and inspect system configuration settings to verify that system/session idle time out features have been set to 15 minutes or less. (§ 8.5.15 Testing Procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • The usage policies must require the automatic disconnect of remote sessions after a stated period of inactivity. (PCI DSS Requirements § 12.3.8, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • If a session has been idle for more than 15 minutes, are users required to re-authenticate (for example, re-enter the password) to re-activate the terminal or session? (8.1.8, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Automatic disconnect of sessions for remote-access technologies after a specific period of inactivity? (12.3.8, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • If a session has been idle for more than 15 minutes, are users required to re-authenticate (for example, re-enter the password) to re-activate the terminal or session? (8.1.8, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Automatic disconnect of sessions for remote-access technologies after a specific period of inactivity? (12.3.8, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • An organization will maintain usage policies that require automatic disconnect of sessions for wireless access after a specific period of inactivity. For example, a wireless Point of Sale (POS) terminal should automatically log out and disconnect from the Cardholder Data Environment (CDE) if left un… (§ 4.6.1.G, Payment Card Industry (PCI) Information Supplement: PCI DSS Wireless Guideline)
  • Are usage policies for critical technologies developed to define proper use of these technologies and require automatic disconnect of sessions for remote-access technologies after a specific period of inactivity? (PCI DSS Question 12.3.8, PCI DSS Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.0)
  • Are usage policies for critical technologies developed to define proper use of these technologies and require automatic disconnect of sessions for remote-access technologies after a specific period of inactivity? (PCI DSS Question 12.3.8, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Are usage policies for critical technologies developed to define proper use of these technologies and require automatic disconnect of sessions for remote-access technologies after a specific period of inactivity? (PCI DSS Question 12.3.8, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • General application security controls must be reviewed when the application's logical access controls are performed, including ensuring idle sessions are timed out. (§ 4 (Access Controls) ¶ 2, IIA Global Technology Audit Guide (GTAG) 8: Auditing Application Controls)
  • Computers should not be left unattended when the user is still logged on. (Pg 12-II-40, Protection of Assets Manual, ASIS International)
  • Sign-on mechanisms should be configured so that they limit the duration of any one sign-on session. (CF.06.07.02d, The Standard of Good Practice for Information Security)
  • Servers should be protected against unauthorized access by invoking time-out facilities that automatically log off computer devices (that connect to the server) after a set period of inactivity, clear screens and require users to sign-on again before restoring screens. (CF.07.02.05c, The Standard of Good Practice for Information Security)
  • Sign-on mechanisms should be configured so that they limit the duration of any one sign-on session. (CF.06.07.02d, The Standard of Good Practice for Information Security, 2013)
  • Verify that users are able to view and (having re-entered login credentials) log out of any or all currently active sessions and devices. (3.3.4, Application Security Verification Standard 4.0.3, 4.0.3)
  • The system should automatically log users off after a period of inactivity. (Critical Control 16.5, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The system should terminate interactive sessions that have been idle for a defined period of time. The system should be able to reauthenticate users after a session has been idle for a defined period of time. (§ 12.4, § 17.3, § G.4, § L.3, ISO 15408-2 Common Criteria for Information Technology Security Evaluation Part 2, 2008)
  • Inactive sessions should be shut down after a period of time. The time-out facility should clear the screen and perhaps close all applications and network connections. The amount of time to implement the disconnection depends on the security risks of the area, the information being processed, and ri… (§ 11.5.5, ISO 27002 Code of practice for information security management, 2005)
  • If a component supports remote sessions, the component shall provide the capability to terminate a remote session either automatically after a configurable time period of inactivity, manually by a local authority, or manually by the user (human, software process or device) who initiated the session. (6.8.1 ¶ 1, Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
  • The organization requires that users log out when [Assignment: organization-defined time-period of expected inactivity or description of when to log out]. (AC-2(5) ¶ 1, StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • The organization requires that users log out when [Assignment: organization-defined time-period of expected inactivity or description of when to log out]. (AC-2(5) ¶ 1, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Provides a logout capability for user-initiated communications sessions whenever authentication is used to gain access to [Assignment: organization-defined information resources]; and (AC-12(1)(a), StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Do inactive workstations lock in 15 minutes? (§ H.2.17, Shared Assessments Standardized Information Gathering Questionnaire - H. Access Control, 7.0)
  • Does the system timeout inactive sessions in 15 minutes? (§ H.2.18, Shared Assessments Standardized Information Gathering Questionnaire - H. Access Control, 7.0)
  • Does the password policy for systems that transmit scoped systems and data include a policy to terminate or secure active sessions when finished? (§ H.4.1.7, Shared Assessments Standardized Information Gathering Questionnaire - H. Access Control, 7.0)
  • Does the password policy for systems that process scoped systems and data include a policy to terminate or secure active sessions when finished? (§ H.4.1.7, Shared Assessments Standardized Information Gathering Questionnaire - H. Access Control, 7.0)
  • Does the password policy for systems that store scoped systems and data include a policy to terminate or secure active sessions when finished? (§ H.4.1.7, Shared Assessments Standardized Information Gathering Questionnaire - H. Access Control, 7.0)
  • Does the password policy for systems that transmit scoped systems and data include a policy to logout of terminals when the session is finished? (§ H.4.1.8, Shared Assessments Standardized Information Gathering Questionnaire - H. Access Control, 7.0)
  • Does the password policy for systems that process scoped systems and data include a policy to logout of terminals when the session is finished? (§ H.4.1.8, Shared Assessments Standardized Information Gathering Questionnaire - H. Access Control, 7.0)
  • Does the password policy for systems that store scoped systems and data include a policy to logout of terminals when the session is finished? (§ H.4.1.8, Shared Assessments Standardized Information Gathering Questionnaire - H. Access Control, 7.0)
  • Does the password policy for systems that transmit scoped systems and data include a policy to logout of personal computers when the session is finished? (§ H.4.1.8, Shared Assessments Standardized Information Gathering Questionnaire - H. Access Control, 7.0)
  • Does the password policy for systems that process scoped systems and data include a policy to logout of personal computers when the session is finished? (§ H.4.1.8, Shared Assessments Standardized Information Gathering Questionnaire - H. Access Control, 7.0)
  • Does the password policy for systems that store scoped systems and data include a policy to logout of personal computers when the session is finished? (§ H.4.1.8, Shared Assessments Standardized Information Gathering Questionnaire - H. Access Control, 7.0)
  • Does the password policy for systems that transmit scoped systems and data include a policy to logout of servers when the session is finished? (§ H.4.1.8, Shared Assessments Standardized Information Gathering Questionnaire - H. Access Control, 7.0)
  • Does the password policy for systems that process scoped systems and data include a policy to logout of servers when the session is finished? (§ H.4.1.8, Shared Assessments Standardized Information Gathering Questionnaire - H. Access Control, 7.0)
  • Does the password policy for systems that store scoped systems and data include a policy to logout of servers when the session is finished? (§ H.4.1.8, Shared Assessments Standardized Information Gathering Questionnaire - H. Access Control, 7.0)
  • Remote terminals should have a time-out feature that disconnects the session after not more than 15 minutes of inactivity. (§ 2-24.d, Army Regulation 380-19: Information Systems Security, February 27, 1998)
  • For Cisco IOS, the organization must configure the system to disconnect sessions after a fixed idle time. (Table F-10, CMS Business Partners Systems Security Manual, Rev. 10)
  • The organization must configure the system to automatically terminate inactive sessions at workstations after 15 minutes. For workstations that use sign-on and password routines and are located in controlled environments, the inactive disconnect requirement is not required. (CSR 2.9.12, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • The information assurance officer must ensure that the Information System device is locked when the session is left unattended. (§ 3.4.4 ¶ AC34.205, DISA Access Control STIG, Version 2, Release 3)
  • Remote users must be disconnected from the system after 30 minutes of inactivity. (§ 6.2, DISA Secure Remote Computing Security Technical Implementation Guide, Version 1 Release 2)
  • The wireless LAN should have a session time out capability, which should be set for 15 minutes or less, in accordance with the organization's security policy. Examine the wireless security gateway configuration screen and verify the session time out is set for 15 minutes or less. (§ 3.1 (WIR0230), DISA WIRELESS SECURITY CHECKLIST, Version 5, Release 2.2, Version 5, Release 2.2)
  • § 2.2 (WIR1120) Windows Mobile handhelds with Sensa are set to lock (timeout) after no more than 15 minutes of inactivity. App B.1 Row "Time to Live" should be set to 15 or less. (§ 2.2 (WIR1120), App B.1 Row "Time to Live", DISA Wireless STIG Apriva Sensa Secure Wireless Email System Security Checklist, V5R2.2, Version 5 Release 2.2)
  • Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity. (SC.3.186, Cybersecurity Maturity Model Certification, Version 1.0, Level 3)
  • Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity. (SC.3.186, Cybersecurity Maturity Model Certification, Version 1.0, Level 4)
  • Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity. (SC.3.186, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
  • Terminate (automatically) a user session after a defined condition. (AC.L2-3.1.11 Session Termination, Cybersecurity Maturity Model Certification, Version 2.0, Level 2)
  • Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity. (SC.L2-3.13.9 Connections Termination, Cybersecurity Maturity Model Certification, Version 2.0, Level 2)
  • The system must be able to detect user inactivity and enable the user's activity when he/she enters the correct authenticators. (§ 8-609.b(2), NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006)
  • Electronic procedures shall be implemented to terminate electronic sessions after a predetermined period of inactivity. The covered entity shall assess these electronic procedures to determine if it is a reasonable and appropriate safeguard in the environment and, if it is reasonable and appropriate… (§ 164.312(a)(2)(iii), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • Automatic logoff (Addressable). Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity. (§ 164.312(a)(2)(iii), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • Complete electronic health records (EHRs) or EHR modules must be capable of terminating electronic sessions after a predetermined amount of inactivity electronically, unless designated as optional, and in accordance with the applicable standards and implementation specifications. (§ 170.302(q), 45 CFR Part 170, Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology, Final Rule)
  • Customers should be encouraged by the organization to log off of computers when they leave the e-banking website, especially from public access terminals. (Pg 33, FFIEC IT Examination Handbook - E-Banking, August 2003)
  • Evaluate the security procedures for periodic password changes, the encryption of password files, password suppression on terminals, and automatic shutdown of terminals not in use. (Exam Tier II Obj 3.3, FFIEC IT Examination Handbook - Retail Payment Systems, March 2004)
  • Review funds transfer system user access profiles to ensure that: ▪ User access levels correspond to job description. ▪ Management appropriately limits user access to the funds transfer system and periodically reviews the access limits for accuracy. ▪ There are adequate separation of duties an… (Exam Tier II Obj 9.3, FFIEC IT Examination Handbook - Wholesale Payment Systems, July 2004)
  • The organization requires that users log out when [FedRAMP Assignment: inactivity is anticipated to exceed Fifteen (15) minutes]. (AC-2(5) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Provides a logout capability for user-initiated communications sessions whenever authentication is used to gain access to [Assignment: organization-defined information resources]; and (AC-12(1)(a) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization requires that users log out when [Assignment: organization-defined time-period of expected inactivity or description of when to log out]. (AC-2(5) Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Require that users log out when [FedRAMP Assignment: inactivity is anticipated to exceed Fifteen (15) minutes]. (AC-2(5) ¶ 1, FedRAMP Security Controls High Baseline, Version 5)
  • Require that users log out when [FedRAMP Assignment: for privileged users, it is the end of a user's standard work period]. (AC-2(5) ¶ 1, FedRAMP Security Controls Moderate Baseline, Version 5)
  • Remote sessions and network connections to systems with Federal Tax Information must be automatically terminated after 15 minutes of inactivity and at the end of a session. (§ 5.6.1, § 5.6.15, Exhibit 4 AC-11, Exhibit 4 AC-12, Exhibit 4 SC-10, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • Do terminals timeout or lockout after being idle for a stated period of time? (IT - General Q 15, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Require that users log out when [Assignment: organization-defined time period of expected inactivity or description of when to log out]. (AC-2(5) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Require that users log out when [Assignment: organization-defined time period of expected inactivity or description of when to log out]. (AC-2(5) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • An access token — such as found in OAuth — is used to allow an application to access a set of services on a subscriber's behalf following an authentication event. The presence of an OAuth access token SHALL NOT be interpreted by the RP as presence of the subscriber, in the absence of other signa… (7.1.2 ¶ 1, Digital Identity Guidelines: Authentication and Lifecycle Management, NIST SP 800-63B)
  • Specifications for Minimum Security Requirements calls for Access Control (AC): Organizations must limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems) and to the types of transactions and functions that… (§ 3, FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006)
  • Organizational records, documents, and the system configuration should be examined to ensure sessions are automatically terminated after a predefined period of inactivity, connections are terminated at the end of a network session, and specific responsibilities and actions are defined for the implem… (AC-12, AC-12.3, SC-10, SC-10.2, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • The organization requires that users log out when [Assignment: organization-defined time-period of expected inactivity or description of when to log out]. (AC-2(5) ¶ 1 High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Administrators should be automatically logged out of the AP after a predefined period of inactivity. (§ 6.3.3.1(Configuring administrator access), Guide to Securing Legacy IEEE 802.11 Wireless Networks, NIST SP 800-48, Revision 1)
  • If the handheld device has the capability to lock out the device after a preset period of inactivity, it should be enabled. (§ 4.1.2, Guidelines on Cell Phone and PDA Security, NIST SP 800-124, October 2008)
  • The smart grid Information System must terminate remote sessions after a defined period of inactivity or at the end of the session. (SG.AC-13 Requirement, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • Terminate (automatically) a user session after a defined condition. (3.1.11, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171)
  • Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity. (3.13.9, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171)
  • Terminate (automatically) a user session after a defined condition. (3.1.11, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 1)
  • Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity. (3.13.9, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 1)
  • Terminate (automatically) a user session after a defined condition. (3.1.11, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 2)
  • Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity. (3.13.9, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 2)
  • The Information System must terminate the connections at the end of the session or after an established period of inactivity. (App F § SC-10, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • Users are required to log out of the system when they expect to be inactive for a predetermined amount of time. (App F § AC-2(5)(a), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must use compensating controls in accordance with the general tailoring guidance when the Industrial Control System cannot terminate a network connection due to significant adverse impact on reliability, performance, or safety; at the end of a session; or after a predefined period o… (App I § SC-10, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization requires that users log out when {organizationally documented time-period of expected inactivity}. (AC-2(5), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The information system automatically terminates a user session after {organizationally documented conditions}. (AC-12 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The information system automatically terminates a user session after {organizationally documented trigger events requiring session disconnect}. (AC-12 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The information system terminates the network connection associated with a communications session at the end of the session or after {organizationally documented time period} of inactivity. (SC-10 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization requires that users log out when {organizationally documented time-period of expected inactivity}. (AC-2(5), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The information system automatically terminates a user session after {organizationally documented conditions}. (AC-12 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The information system automatically terminates a user session after {organizationally documented trigger events requiring session disconnect}. (AC-12, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The information system terminates the network connection associated with a communications session at the end of the session or after {organizationally documented time period} of inactivity. (SC-10 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The information system automatically terminates a user session after {organizationally documented conditions}. (AC-12 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The information system automatically terminates a user session after {organizationally documented trigger events requiring session disconnect}. (AC-12, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The information system terminates the network connection associated with a communications session at the end of the session or after {organizationally documented time period} of inactivity. (SC-10 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization requires that users log out when [Assignment: organization-defined time-period of expected inactivity or description of when to log out]. (AC-2(5) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • The organization requires that users log out when [Assignment: organization-defined time-period of expected inactivity or description of when to log out]. (AC-2(5) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Provides a logout capability for user-initiated communications sessions whenever authentication is used to gain access to [Assignment: organization-defined information resources]; and (AC-12(1)(a), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Require that users log out when [Assignment: organization-defined time period of expected inactivity or description of when to log out]. (AC-2(5) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Provide a logout capability for user-initiated communications sessions whenever authentication is used to gain access to [Assignment: organization-defined information resources]. (AC-12(1) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Require that users log out when [Assignment: organization-defined time period of expected inactivity or description of when to log out]. (AC-2(5) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Provide a logout capability for user-initiated communications sessions whenever authentication is used to gain access to [Assignment: organization-defined information resources]. (AC-12(1) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • The organization requires that users log out when [TX-RAMP Assignment: should use a shorter timeframe than AC-12]. (AC-2(5) ¶ 1, TX-RAMP Security Controls Baseline Level 2)