This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization requires that users log out when [FedRAMP Assignment: (H) inactivity is anticipated to exceed Fifteen (15) minutes].
AC-2 (5) Additional FedRAMP Requirements and Guidance: Should use a shorter timeframe than AC-12.
NIST 800-53 (r4) Supplemental Guidance:
Related control: SC-23.
NIST 800-53 (r5) Discussion:
Inactivity logout is behavior- or policy-based and requires users to take physical action to log out when they are expecting inactivity longer than the defined period. Automatic enforcement of inactivity logout is addressed by AC-11.
38North Guidance:
Meets Minimum Requirement:
Require all users to log out when the organization-defined time period of inactivity is reached or in accordance with organization-defined description of when to log out.
For Moderate systems, this should use a shorter timeframe than AC-12.
For High systems, this should not exceed 15 minutes.
This is a policy control, satisfied through policy and training: state the logout requirement in the AC policy, the security awareness training (SAT), and the Rules of Behavior (RoB), and require users to review and acknowledge it; this would pass audit. Other technical controls in the AC family require timeouts within defined timeframes.
Best Practice:
Configure all system components or applications within the FedRAMP boundary to enforce logging out all accounts after an inactivity period of 15 minutes for FedRAMP High or a time less than the session termination configured for AC-12 for FedRAMP Moderate.
Unofficial FedRAMP Guidance: None
Assessment Evidence:
The AC policy, SAT training material, and RoB stating the logout requirement, together with records showing that users reviewed and acknowledged them; this would pass audit.
Screenshots of the timeout settings for system components or applications offered by the CSP, showing that the inactivity logout period is set to 15 minutes or less for FedRAMP High and to a shorter timeframe than AC-12 for FedRAMP Moderate.
Observation of a login to a system component or application, confirming that the inactivity logout period is enforced within the environment and that the system requires user logouts meeting the FedRAMP standards.
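The Best Practice and Assessment Evidence items above boil down to two checks per component: the inactivity logout must be 15 minutes or less on a High baseline, and on either baseline it must be shorter than the AC-12 session termination. The following is an added example, not 38North's or FedRAMP's own tooling, that applies those checks to collected timeout settings; the component names and minute values are constructed sample evidence.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# FedRAMP High assignment for AC-2(5): users log out when inactivity exceeds 15 minutes
HIGH_MAX_LOGOUT_MINUTES = 15


@dataclass
class ComponentTimeouts:
    name: str
    inactivity_logout_minutes: Optional[int]   # AC-2(5) setting; None = not configured
    session_termination_minutes: Optional[int]  # AC-12 setting; None = not configured


def check_ac2_5(component: ComponentTimeouts, baseline: str) -> List[str]:
    """Return findings for one component; an empty list means it passes."""
    findings: List[str] = []
    logout = component.inactivity_logout_minutes
    ac12 = component.session_termination_minutes
    if logout is None:
        return [f"{component.name}: no inactivity logout configured"]
    if logout <= 0:
        return [f"{component.name}: inactivity logout of {logout} min is invalid"]
    if baseline == "High" and logout > HIGH_MAX_LOGOUT_MINUTES:
        findings.append(f"{component.name}: logout {logout} min exceeds "
                        f"{HIGH_MAX_LOGOUT_MINUTES} min allowed for High")
    # Both baselines: AC-2(5) logout should be shorter than the AC-12 termination
    if ac12 is None:
        findings.append(f"{component.name}: AC-12 termination not configured, "
                        "cannot confirm AC-2(5) logout is shorter")
    elif logout >= ac12:
        findings.append(f"{component.name}: logout {logout} min is not shorter "
                        f"than AC-12 termination {ac12} min")
    return findings


def assess(components: List[ComponentTimeouts], baseline: str) -> Dict[str, List[str]]:
    """Map each component name to its AC-2(5) findings for the given baseline."""
    return {c.name: check_ac2_5(c, baseline) for c in components}


# Constructed sample evidence; these are not real CSP settings
SAMPLE = [
    ComponentTimeouts("admin-console", 15, 30),   # passes on High and Moderate
    ComponentTimeouts("bastion-ssh", 20, 30),     # fails High (20 > 15), passes Moderate
    ComponentTimeouts("api-gateway", 10, 10),     # not shorter than AC-12 on either baseline
    ComponentTimeouts("legacy-portal", None, 60), # no inactivity logout configured
]

if __name__ == "__main__":
    for name, findings in assess(SAMPLE, "High").items():
        print(name, "PASS" if not findings else findings)
```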
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD