This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The information system:
(a) Provides a logout capability for user-initiated communications sessions whenever authentication is used to gain access to [Assignment: organization-defined information resources]; and
(b) Displays an explicit logout message to users indicating the reliable termination of authenticated communications sessions.
NIST 800-53 (r4) Supplemental Guidance:
Information resources to which users gain access via authentication include, for example, local workstations, databases, and password-protected websites/web-based services. Logout messages for web page access, for example, can be displayed after authenticated sessions have been terminated. However, for some types of interactive sessions including, for example, file transfer protocol (FTP) sessions, information systems typically send logout messages as final messages prior to terminating sessions.
NIST 800-53 (r5) Discussion:
Information resources to which users gain access via authentication include local workstations, databases, and password-protected websites or web-based services.
38North Guidance:
Meets Minimum Requirement:
Provide a logout capability (e.g., Sign Out button) for user-initiated communications sessions whenever authentication is used to gain access to organization-defined information resources.
Display an explicit logout message to users indicating the reliable termination of authenticated communications sessions (e.g., they are automatically taken to the login page).
Best Practice:
System components or applications need to provide a logout button or function.
A message should be displayed to the user confirming that they have successfully logged out/terminated the session for system components or applications.
Unofficial FedRAMP Guidance: None.
Assessment Evidence:
Observe and take screenshots of a system administrator logging out of a system or application (if a logout function is offered), and take a screenshot of the logout message.
Application settings for logoff messages to be displayed to the user after successfully logging out of a system component or application.
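The logout behavior described under Best Practice, and the walk-through an assessor would record under Assessment Evidence, shown as an added example (not 38North, NIST or FedRAMP code). The paths, the `sid` cookie name, the in-memory session store and the fixed user `alice` are assumptions made for illustration.

```python
import secrets
from http.cookies import SimpleCookie

SESSIONS = {}  # server-side session store: token -> username (in-memory, illustration only)

def _token(environ):
    cookie = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    return cookie["sid"].value if "sid" in cookie else None

def app(environ, start_response):
    path, token = environ.get("PATH_INFO", "/"), _token(environ)
    if path == "/login":  # credential checking is out of scope; the user is fixed
        sid = secrets.token_urlsafe(32)
        SESSIONS[sid] = "alice"
        start_response("200 OK", [("Set-Cookie", f"sid={sid}; HttpOnly; Secure; SameSite=Strict; Path=/")])
        return [b"Signed in."]
    if path == "/logout":
        # (a) logout capability: destroy server-side state so the token cannot be replayed
        SESSIONS.pop(token, None)
        start_response("200 OK", [
            ("Set-Cookie", "sid=; Max-Age=0; HttpOnly; Secure; SameSite=Strict; Path=/"),
            ("Cache-Control", "no-store"),
        ])
        # (b) explicit logout message confirming termination
        return [b"You have been signed out. Your session has been terminated."]
    if token in SESSIONS:
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"Protected resource for " + SESSIONS[token].encode()]
    start_response("401 Unauthorized", [("Content-Type", "text/plain")])
    return [b"Not signed in."]

def call(path, cookie=""):
    """Drive the WSGI app in-process; returns (status, headers, body)."""
    seen = {}
    def start_response(status, headers):
        seen["status"], seen["headers"] = status, headers
    body = b"".join(app({"PATH_INFO": path, "HTTP_COOKIE": cookie}, start_response))
    return seen["status"], dict(seen["headers"]), body.decode()

def logout_evidence():
    """Walk login -> access -> logout -> replay and return what an assessor would record."""
    _, headers, _ = call("/login")
    cookie = headers["Set-Cookie"].split(";")[0]
    before, _, _ = call("/account", cookie)
    _, out_headers, message = call("/logout", cookie)
    after, _, _ = call("/account", cookie)  # replay the pre-logout cookie
    return {"before": before, "message": message, "after": after,
            "cookie_cleared": "Max-Age=0" in out_headers["Set-Cookie"]}
```

The replay step is what distinguishes reliable termination from a logout that only clears the cookie in the browser: the pre-logout token must be rejected by the server.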
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD