This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The information system:
a. Prevents further access to the system by initiating a session lock after [FedRAMP Assignment: (M)(H) fifteen (15) minutes] of inactivity or upon receiving a request from a user; and
b. Retains the session lock until the user reestablishes access using established identification and authentication procedures.
NIST 800-53 (r4) Supplemental Guidance:
Session locks are temporary actions taken when users stop work and move away from the immediate vicinity of information systems but do not want to log out because of the temporary nature of their absences. Session locks are implemented where session activities can be determined. This is typically at the operating system level, but can also be at the application level. Session locks are not an acceptable substitute for logging out of information systems, for example, if organizations require users to log out at the end of workdays. Related control: AC-7.
References: OMB Memorandum 06-16.
NIST 800-53 (r5) Discussion:
Device locks are temporary actions taken to prevent logical access to organizational systems when users stop work and move away from the immediate vicinity of those systems but do not want to log out because of the temporary nature of their absences. Device locks can be implemented at the operating system level or at the application level. A proximity lock may be used to initiate the device lock (e.g., via a Bluetooth-enabled device or dongle). User-initiated device locking is behavior or policy-based and, as such, requires users to take physical action to initiate the device lock. Device locks are not an acceptable substitute for logging out of systems, such as when organizations require users to log out at the end of workdays.
38North Guidance:
Meets Minimum Requirement:
Configure user-initiated logical sessions at the application level to lock after 15 minutes of inactivity.
The user must re-establish the connection using the proper identification and authentication procedures for the system.
Workstations are out of scope; this applies to anything in-boundary that exposes an interface, such as a shell, web interface, or bastion.
Best Practice:
Implement session locks on all system components and applications (if applications are offered as part of the service offering).
Note: The scope of SC-10 typically covers network connections such as remote access via client-based VPNs and SSH connections, and network connections originating from a bastion host. The scope of AC-11 and AC-12 typically covers user-initiated logical sessions at the application level. Such user sessions can be terminated without terminating network sessions.
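As an added illustration of the minimum requirement and the best-practice note above (example code, not 38North's guidance text or any product's implementation): an application-level session manager that locks a session after 900 seconds of inactivity or on user request, keeps the session's working state while locked, and releases the lock only after the session's own user re-authenticates. The credential store, the `verify_credentials` stand-in, the `FakeClock`, and the username and password are all constructed for the demo; logout is shown separately because a lock is not a substitute for it.

```python
"""Application-level session lock for AC-11 (added example; assumptions noted inline)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

LOCK_AFTER_SECONDS = 900  # FedRAMP Moderate/High assignment: 15 minutes of inactivity

# Constructed credential store for the demo: username -> salted SHA-256 of password.
# A real system would call its normal identification and authentication service.
_SALT = b"constructed-demo-salt"
_USERS = {"alice": hashlib.sha256(_SALT + b"correct horse").hexdigest()}


def verify_credentials(user: str, password: str) -> bool:
    """Hypothetical stand-in for the system's I&A procedure (demo only)."""
    expected = _USERS.get(user)
    if expected is None:
        return False
    presented = hashlib.sha256(_SALT + password.encode()).hexdigest()
    return hmac.compare_digest(expected, presented)


class SessionLocked(Exception):
    """Raised when a request arrives on a locked session."""


@dataclass
class Session:
    user: str
    last_activity: float
    locked: bool = False
    # Work state survives a lock (the reason to lock instead of logging out);
    # it is discarded on logout.
    work_state: dict = field(default_factory=dict)


class SessionManager:
    """AC-11(a): lock on idle timeout or user request. AC-11(b): re-authenticate to unlock."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock  # injectable so the timeout can be exercised without waiting
        self.sessions: dict[str, Session] = {}

    def login(self, user: str, password: str) -> str:
        if not verify_credentials(user, password):
            raise PermissionError("authentication failed")
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = Session(user=user, last_activity=self._clock())
        return sid

    def _apply_idle_lock(self, s: Session) -> None:
        # Enforced lazily on each request; a deployment would also push the lock
        # to the client UI so the screen is obscured at the deadline.
        if not s.locked and self._clock() - s.last_activity >= LOCK_AFTER_SECONDS:
            s.locked = True

    def request(self, sid: str, action: str) -> str:
        s = self.sessions[sid]
        self._apply_idle_lock(s)
        if s.locked:
            raise SessionLocked("session locked; re-authenticate to continue")
        s.last_activity = self._clock()  # any activity resets the inactivity timer
        s.work_state["last_action"] = action
        return f"{s.user}: {action}"

    def lock(self, sid: str) -> None:
        """User-initiated lock ('upon receiving a request from a user')."""
        self.sessions[sid].locked = True

    def unlock(self, sid: str, user: str, password: str) -> bool:
        """Release the lock only when the session's own user re-authenticates."""
        s = self.sessions[sid]
        if user != s.user or not verify_credentials(user, password):
            return False  # lock retained; repeated failures would feed AC-7 lockout
        s.locked = False
        s.last_activity = self._clock()
        return True

    def logout(self, sid: str) -> None:
        self.sessions.pop(sid, None)  # discards the session and its work state


class FakeClock:  # constructed stand-in for time.monotonic so the demo runs instantly
    def __init__(self) -> None:
        self.t = 0.0

    def now(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def demo() -> dict:
    """Walk one session through idle lock, failed unlock, re-auth, user lock and logout."""
    clock = FakeClock()
    mgr = SessionManager(clock=clock.now)
    sid = mgr.login("alice", "correct horse")
    mgr.request(sid, "open report")
    clock.advance(LOCK_AFTER_SECONDS - 1)
    mgr.request(sid, "edit report")  # 14:59 idle: still allowed, and the timer resets
    clock.advance(LOCK_AFTER_SECONDS)
    try:
        mgr.request(sid, "save report")
        locked_on_idle = False
    except SessionLocked:
        locked_on_idle = True
    wrong_password = mgr.unlock(sid, "alice", "wrong password")
    unlocked = mgr.unlock(sid, "alice", "correct horse")
    state_kept = mgr.sessions[sid].work_state.get("last_action") == "edit report"
    resumed = mgr.request(sid, "save report")
    mgr.lock(sid)  # user steps away and locks manually
    try:
        mgr.request(sid, "print report")
        user_lock_blocks = False
    except SessionLocked:
        user_lock_blocks = True
    mgr.logout(sid)
    return {
        "locked_on_idle": locked_on_idle,
        "unlock_with_wrong_password": wrong_password,
        "unlocked_after_reauth": unlocked,
        "work_state_kept_across_lock": state_kept,
        "resumed": resumed,
        "user_lock_blocks_requests": user_lock_blocks,
        "session_gone_after_logout": sid not in mgr.sessions,
    }
```

The idle check runs on each request rather than in a background timer, which is enough to enforce the control server-side; the client-side screen obscuring that an assessor would photograph (see the evidence list below) is a separate UI concern layered on top of the same timeout.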
Unofficial FedRAMP Guidance: None.
Assessment Evidence:
Active Directory (AD) group policy settings for session lock demonstrating that session lock is initiated at 900 seconds or 15 minutes of inactivity.
Puppet settings, or settings pushed by other configuration tools, that demonstrate sessions are being locked at 900 seconds or 15 minutes of inactivity.
Observe and take screenshots of a system administrator leaving an idle session up and setting a timer to return and check the idle session, confirming that the session did indeed lock within 15 minutes.
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD