This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The information system limits the number of concurrent sessions for each [Assignment: organization-defined account and/or account type] to [FedRAMP Assignment: (M)(H) three (3) sessions for privileged access and two (2) sessions for non-privileged access].
NIST 800-53 (r4) Supplemental Guidance:
Organizations may define the maximum number of concurrent sessions for information system accounts globally, by account type (e.g., privileged user, non-privileged user, domain, specific application), by account, or a combination. For example, organizations may limit the number of concurrent sessions for system administrators or individuals working in particularly sensitive domains or mission-critical applications. This control addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts.
References: None.
NIST 800-53 (r5) Discussion:
Organizations may define the maximum number of concurrent sessions for system accounts globally, by account type, by account, or any combination thereof. For example, organizations may limit the number of concurrent sessions for system administrators or other individuals working in particularly sensitive domains or mission-critical applications. Concurrent session control addresses concurrent sessions for system accounts. It does not, however, address concurrent sessions by single users via multiple system accounts.
38North Guidance:
Meets Minimum Requirement:
The organization limits the number of concurrent sessions to three (3) for privileged accounts within the information system.
The organization limits the number of concurrent sessions to two (2) for non-privileged accounts within the information system.
Best Practice:
Concurrent sessions are limited based on the account's role and responsibilities, which requires clearly defining which accounts are privileged and which are non-privileged. Note that the control applies per account, not per person: a user who holds both a privileged and a non-privileged account is subject to each limit separately.
Complete a roles and responsibilities matrix for all positions within the FedRAMP boundary.
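To make the control concrete, the following is an added example (not the page's own code or any CSP's implementation) of an application-side session manager that enforces the FedRAMP (M)(H) limits above, keyed on account type. The account names, the in-memory session store and the behaviour at the cap are assumptions: the control does not say whether a login that would exceed the limit is rejected or whether the oldest session is evicted, so the example supports both and defaults to rejecting.

```python
"""Per-account concurrent session limiter (added example, not from the page)."""
from collections import OrderedDict
import secrets
import time

# Limits from the FedRAMP (M)(H) assignment for AC-10, keyed by account type.
SESSION_LIMITS = {"privileged": 3, "non-privileged": 2}


class ConcurrentSessionLimitExceeded(Exception):
    """Raised when an account already holds its maximum number of sessions."""


class SessionManager:
    """Tracks active sessions per account and enforces the per-type cap.

    The cap is keyed on the account, not the human behind it: a person who
    holds both an admin and a user account gets 3 + 2 sessions, which is
    exactly the scope the NIST discussion text carves out.
    """

    def __init__(self, limits=SESSION_LIMITS, evict_oldest=False):
        self.limits = dict(limits)
        # Policy choice the control leaves open (assumption): reject the new
        # login (default) or evict the oldest session to make room.
        self.evict_oldest = evict_oldest
        self._account_type = {}   # account -> "privileged" | "non-privileged"
        self._sessions = {}       # account -> OrderedDict[session_id, created_at]

    def register_account(self, account, account_type):
        if account_type not in self.limits:
            raise ValueError(f"no session limit defined for account type {account_type!r}")
        self._account_type[account] = account_type
        self._sessions.setdefault(account, OrderedDict())

    def open_session(self, account):
        """Return a new session id, or raise if the account is at its cap."""
        limit = self.limits[self._account_type[account]]
        active = self._sessions[account]
        if len(active) >= limit:
            if not self.evict_oldest:
                raise ConcurrentSessionLimitExceeded(
                    f"{account} already has {len(active)} of {limit} sessions")
            active.popitem(last=False)  # OrderedDict keeps insertion order: drop oldest
        session_id = secrets.token_urlsafe(32)
        active[session_id] = time.time()
        return session_id

    def close_session(self, account, session_id):
        """Drop a session; False if it was not active (already closed or evicted)."""
        return self._sessions[account].pop(session_id, None) is not None

    def is_active(self, account, session_id):
        return session_id in self._sessions[account]

    def active_count(self, account):
        return len(self._sessions[account])


def demo():
    """Walk through both limits with constructed accounts; returns a summary."""
    mgr = SessionManager()
    mgr.register_account("alice-admin", "privileged")      # constructed
    mgr.register_account("bob", "non-privileged")          # constructed
    [mgr.open_session("alice-admin") for _ in range(3)]
    user_sessions = [mgr.open_session("bob") for _ in range(2)]
    rejected = {}
    for account in ("alice-admin", "bob"):
        try:
            mgr.open_session(account)
            rejected[account] = False
        except ConcurrentSessionLimitExceeded:
            rejected[account] = True
    mgr.close_session("bob", user_sessions[0])  # freeing a slot allows a new login
    reopened = mgr.open_session("bob")
    return {
        "admin_active": mgr.active_count("alice-admin"),
        "user_active": mgr.active_count("bob"),
        "rejected": rejected,
        "reopened_ok": mgr.is_active("bob", reopened),
    }


if __name__ == "__main__":
    print(demo())
```

Whichever behaviour at the cap is chosen, it should be the one shown in the configuration screenshots submitted as assessment evidence, since an assessor will test both the rejection (or eviction) of the excess session and that closing a session frees the slot.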
Unofficial FedRAMP Guidance: None.
Assessment Evidence:
Screenshots of the concurrent session configuration for each system component/application that enforces the limit, showing the configured values for privileged and non-privileged accounts.
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD