This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The information system automatically terminates a user session after [Assignment: organization-defined conditions or trigger events requiring session disconnect].
NIST 800-53 (r4) Supplemental Guidance:
This control addresses the termination of user-initiated logical sessions in contrast to SC-10 which addresses the termination of network connections that are associated with communications sessions (i.e., network disconnect). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational information system. Such user sessions can be terminated (and thus terminate user access) without terminating network sessions. Session termination terminates all processes associated with a user’s logical session except those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated. Conditions or trigger events requiring automatic session termination can include, for example, organization-defined periods of user inactivity, targeted responses to certain types of incidents, time-of-day restrictions on information system use. Related controls: SC-10, SC-23.
References: None.
NIST 800-53 (r5) Discussion:
Session termination addresses the termination of user-initiated logical sessions (in contrast to SC-10, which addresses the termination of network connections associated with communications sessions (i.e., network disconnect)). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational system. Such user sessions can be terminated without terminating network sessions. Session termination ends all processes associated with a user’s logical session except for those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated. Conditions or trigger events that require automatic termination of the session include organization-defined periods of user inactivity, targeted responses to certain types of incidents, or time-of-day restrictions on system use.
38North Guidance:
Meets Minimum Requirement:
Configure cloud accounts and internal system platform/backend/components to terminate sessions after 15 minutes of inactivity.
The user reestablishes connection using the proper identification and authentication for the system.
Termination kills the session and returns the user to the login screen, which also covers AC-11 (1).
Workstations are out of scope; this applies to anything in-boundary that exposes an interface, such as a shell, a web interface, or a bastion host.
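The minimum requirement above describes a policy rather than a product setting, so here is a worked model of it as an added example (not code from the 38North guidance page or from any system it names). It implements the trigger events quoted from the control text: an inactivity limit of 15 minutes, a targeted incident response that revokes one user's sessions, and a time-of-day restriction. A terminated session is never revived; the user re-authenticates and receives a fresh token. SessionStore, Session, FakeClock and the allowed hours window are constructed for this example.

```python
"""Application-level (logical) session termination policy.

Added example, not code from the 38North guidance page or any product it
names. Models the AC-12 trigger events: an inactivity limit (15 minutes, the
minimum-requirement value), a targeted incident response that revokes one
user's sessions, and a time-of-day restriction. SessionStore, Session,
FakeClock and ALLOWED_WINDOW are constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone
from typing import Callable, Dict, Optional
import secrets

IDLE_LIMIT = timedelta(minutes=15)           # inactivity trigger (guidance value)
ALLOWED_WINDOW = (time(6, 0), time(22, 0))   # time-of-day trigger; assumed policy


@dataclass
class Session:
    user: str
    created_at: datetime
    last_activity: datetime
    terminated_reason: Optional[str] = None  # set once, never cleared


class SessionStore:
    """Tracks logical sessions; network connections are out of scope (SC-10)."""

    def __init__(self, now: Callable[[], datetime] = lambda: datetime.now(timezone.utc)):
        self._now = now                      # injectable clock so the policy is testable
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str) -> str:
        """Re-authentication always issues a fresh token; old tokens stay dead."""
        now = self._now()
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, now, now)
        return token

    def _evaluate(self, token: str) -> Optional[Session]:
        """Apply the automatic triggers (inactivity, time-of-day) to one session."""
        s = self._sessions.get(token)
        if s is None or s.terminated_reason is not None:
            return s
        now = self._now()
        if now - s.last_activity >= IDLE_LIMIT:
            s.terminated_reason = "inactivity"
        elif not (ALLOWED_WINDOW[0] <= now.time() < ALLOWED_WINDOW[1]):
            s.terminated_reason = "time-of-day"
        return s

    def touch(self, token: str) -> bool:
        """Gate each request: refresh the activity timer, or refuse if terminated."""
        s = self._evaluate(token)
        if s is None or s.terminated_reason is not None:
            return False
        s.last_activity = self._now()
        return True

    def terminate_user(self, user: str, reason: str = "incident-response") -> int:
        """Targeted response: end every active session of one user; returns the count."""
        count = 0
        for s in self._sessions.values():
            if s.user == user and s.terminated_reason is None:
                s.terminated_reason = reason
                count += 1
        return count

    def status(self, token: str) -> str:
        s = self._evaluate(token)
        if s is None:
            return "unknown"
        return "active" if s.terminated_reason is None else "terminated:" + s.terminated_reason


class FakeClock:
    """Constructed clock for walking through the policy without waiting 15 minutes."""

    def __init__(self, start: datetime):
        self.now = start

    def __call__(self) -> datetime:
        return self.now

    def advance(self, **delta) -> None:
        self.now += timedelta(**delta)


if __name__ == "__main__":
    clock = FakeClock(datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc))  # constructed start time
    store = SessionStore(now=clock)
    tok = store.login("alice")
    clock.advance(minutes=14)
    print("14 min idle, touch:", store.touch(tok))                      # True, timer resets
    clock.advance(minutes=15)
    print("15 min idle, touch:", store.touch(tok), store.status(tok))   # False terminated:inactivity
    tok = store.login("alice")                                          # must re-authenticate
    print("revoked:", store.terminate_user("alice"), store.status(tok)) # 1 terminated:incident-response
```

The activity timer is refreshed only by an authenticated request that passes the gate, so a session that has crossed the 15-minute mark cannot be rescued by a late request; this is the behaviour the assessment evidence below expects to capture (an expired session followed by re-authentication).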
Best Practice:
For logical/user sessions (not network connections), sessions should be terminated after a period of inactivity. FedRAMP does not specify a parameter value, but best practice is to terminate after 15 minutes of inactivity.
Note: The scope of SC-10 typically covers network connections such as remote access via client-based VPNs and SSH connections, and network connections originating from a bastion host. The scope of AC-11 and AC-12 typically covers user-initiated logical sessions at the application level. Such user sessions can be terminated without terminating network sessions.
Unofficial FedRAMP Guidance: None.
Assessment Evidence:
Screenshots of system settings within Active Directory (AD) or other account management within AWS, Azure, Google, etc. showing that user sessions are terminated after a period of time or on certain triggers.
Screenshots of session termination configurations in tools such as Puppet, or other tools that push out session termination settings for SSH and Linux-based operating systems.
Screenshots of the administrative settings within an application, if it is part of the service offering, with a setting for sessions being terminated after a period of time or on certain triggers.
Screenshots showing an expired session after a system administrator has left the session idle, with the system administrator re-authenticating before being granted access again.
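For the Linux/SSH evidence item above, the configuration pushed to hosts is usually a login-shell idle timeout (TMOUT) in a /etc/profile.d snippet. The following added check (example code, not tooling from the page or from Puppet) inspects such a snippet and reports why it falls short of the 15-minute requirement; the weak and corrected sample snippets are constructed, and one assignment per line is assumed.

```python
"""Check a Linux login-shell idle timeout against the 15-minute requirement.

Added example, not tooling from the page or from Puppet. It inspects the text
of a /etc/profile.d-style snippet that a configuration manager would push to
Linux hosts (bastions, SSH-reachable servers) and reports why it falls short.
The sample snippets are constructed; one assignment per line is assumed.
"""
import re
from typing import List, Tuple

MAX_IDLE_SECONDS = 15 * 60   # the guidance value above

# Constructed samples: a weak snippet and the corrected one.
WEAK_PROFILE = "TMOUT=3600\n"
GOOD_PROFILE = "TMOUT=900\nreadonly TMOUT\nexport TMOUT\n"


def check_shell_timeout(profile_text: str) -> Tuple[bool, List[str]]:
    """Return (compliant, findings) for the snippet text."""
    findings: List[str] = []
    m = re.search(r"^\s*(?:export\s+|readonly\s+)?TMOUT=(\d+)\s*$", profile_text, re.M)
    if m is None:
        return False, ["TMOUT is not set: idle shells never terminate"]
    value = int(m.group(1))
    if value == 0:
        findings.append("TMOUT=0 disables the idle timeout")
    elif value > MAX_IDLE_SECONDS:
        findings.append(f"TMOUT={value} exceeds {MAX_IDLE_SECONDS} seconds (15 minutes)")
    # Without readonly a user can simply 'unset TMOUT' and defeat the control.
    if re.search(r"^\s*(?:readonly|typeset\s+-r)\s+TMOUT\b", profile_text, re.M) is None:
        findings.append("TMOUT is not readonly: users can unset or override it")
    # Without export, subshells started from the session do not inherit the limit.
    if re.search(r"^\s*export\s+TMOUT\b", profile_text, re.M) is None:
        findings.append("TMOUT is not exported: child shells will not inherit it")
    return not findings, findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_PROFILE), ("good", GOOD_PROFILE)):
        ok, found = check_shell_timeout(text)
        print(name, "compliant" if ok else "non-compliant", found)
```

TMOUT is honoured by bash and ksh interactive shells, so this check covers the logical shell session on the host; the sshd ClientAlive settings that drop the underlying network connection belong to SC-10 (see the scope note above) and are not a substitute for it.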
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD