This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The information system terminates the network connection associated with a communications session at the end of the session or after [FedRAMP Assignment: (H) no longer than ten (10) minutes for privileged sessions and no longer than fifteen (15) minutes for user sessions; (M) no longer than thirty (30) minutes for RAS-based sessions and no longer than sixty (60) minutes for non-interactive user sessions] of inactivity.
NIST 800-53 (r4) Supplemental Guidance:
This control applies to both internal and external networks. Terminating network connections associated with communications sessions include, for example, de-allocating associated TCP/IP address/port pairs at the operating system level, or de-allocating networking assignments at the application level if multiple application sessions are using a single, operating system-level network connection. Time periods of inactivity may be established by organizations and include, for example, time periods by type of network access or for specific network accesses.
NIST 800-53 (r5) Discussion:
Network disconnect applies to internal and external networks. Terminating network connections associated with specific communications sessions includes de-allocating TCP/IP address or port pairs at the operating system level and de-allocating the networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. Periods of inactivity may be established by organizations and include time periods by type of network access or for specific network accesses.
38North Guidance:
Meets Minimum Requirement:
Configure system components (e.g., web applications, Operating Systems, etc.) to terminate network connections at the end of the session or after ten (10) minutes of inactivity for privileged sessions and fifteen (15) minutes for user sessions. For example, on Linux hosts running OpenSSH, setting ClientAliveInterval to 600 and ClientAliveCountMax to 1 in sshd_config causes sshd to probe a client that has sent no traffic for ten (10) minutes and to drop the connection if the probe goes unanswered. Do not carry forward the older recommendation of ClientAliveCountMax 0: since OpenSSH 8.2 a value of zero disables connection termination entirely. Note also that a client program that is still running answers these probes even when its user is idle, so the ClientAlive settings terminate dead or unresponsive connections; to disconnect idle interactive sessions, pair them with a shell inactivity timeout (for example, a read-only TMOUT=600 set system-wide in /etc/profile.d/) or an equivalent application-level control, and capture both settings as evidence.
Configure VPN connections to terminate at the end of a communication session or after the following durations of inactivity: ten (10) minutes for privileged sessions and fifteen (15) minutes for user sessions.
Note: The scope of SC-10 typically covers network connections such as remote access via client-based VPNs and SSH connections, and network connections originating from a bastion host. The scope of AC-12 typically covers user-initiated logical sessions at the application-level. Such user sessions can be terminated without terminating network sessions.
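The sshd settings above are easy to mis-state in evidence, so the following is an added example check, written for this page rather than taken from 38North or the OpenSSH project. It reads an sshd configuration (ideally the effective one printed by sshd -T, which resolves defaults and Match blocks), computes the disconnect time the way the sshd_config(5) example describes it, flags the ClientAliveCountMax 0 pitfall, and reports the idle-shell TMOUT that actually ends idle interactive sessions. It also produces the kind of PASS/FAIL output an assessor can be given as evidence. The function names and file paths are illustrative, and any sample inputs used to exercise it are constructed.

```shell
#!/bin/sh
# SC-10 evidence helper for OpenSSH (added example; function names are illustrative).
# Point it at the effective configuration (sshd -T > sshd-effective.conf), which
# resolves defaults and Match blocks, or at /etc/ssh/sshd_config directly.

# Print the value of one sshd keyword from a config file. First occurrence wins
# (as in sshd), the keyword match is case-insensitive, comments and blank lines are
# skipped, and both "Key value" and "Key=value" forms are accepted. Prints $3 if absent.
ssh_opt() {
  awk -v key="$2" -v def="$3" '
    { sub(/^[ \t]+/, "") }
    /^#/ || /^$/ { next }
    {
      n = split($0, f, /[ \t=]+/)
      if (n >= 2 && tolower(f[1]) == key) { print f[2]; found = 1; exit }
    }
    END { if (!found) print def }' "$1"
}

# Approximate time after which sshd drops an unresponsive client, following the
# sshd_config(5) example (interval 15 x count 3 = about 45 seconds). Prints 0 when
# termination is off: ClientAliveInterval 0 (the default) disables the probes, and
# ClientAliveCountMax 0 disables termination on OpenSSH 8.2 and later (older releases
# dropped the client at the first probe instead, so the value is flagged here
# regardless of version rather than trusted).
ssh_disconnect_seconds() {
  interval=$(ssh_opt "$1" clientaliveinterval 0)
  countmax=$(ssh_opt "$1" clientalivecountmax 3)
  if [ "$interval" -eq 0 ] || [ "$countmax" -eq 0 ]; then
    echo 0
  else
    echo $((interval * countmax))
  fi
}

# PASS/FAIL against a limit in seconds (default 600, the FedRAMP High figure for
# privileged sessions). Returns non-zero on FAIL so it can gate an audit or CI job.
sc10_ssh_check() {
  limit=${2:-600}
  secs=$(ssh_disconnect_seconds "$1")
  if [ "$secs" -eq 0 ]; then
    echo "FAIL: sshd does not terminate unresponsive clients (set ClientAliveInterval ${limit} and ClientAliveCountMax 1)"
    return 1
  elif [ "$secs" -gt "$limit" ]; then
    echo "FAIL: sshd terminates unresponsive clients after ${secs}s, limit is ${limit}s"
    return 1
  fi
  echo "PASS: sshd terminates unresponsive clients after ${secs}s (limit ${limit}s)"
}

# Idle-shell timeout from a profile fragment such as /etc/profile.d/tmout.sh. The
# ClientAlive probes are answered by any running ssh client, so an idle user is not
# disconnected by them; a read-only TMOUT is what actually ends an idle interactive
# shell. Prints the TMOUT value, or 0 if none is set.
tmout_seconds() {
  awk '/^[ \t]*(readonly[ \t]+|export[ \t]+)?TMOUT=[0-9]+/ {
         sub(/.*TMOUT=/, ""); sub(/[^0-9].*/, ""); v = $0
       }
       END { print (v == "" ? 0 : v) }' "$1"
}

# Stand-alone use: sh sc10_ssh_check.sh sshd-effective.conf [/etc/profile.d/tmout.sh]
if [ $# -gt 0 ]; then
  sc10_ssh_check "$1"
  if [ $# -gt 1 ]; then echo "TMOUT: $(tmout_seconds "$2")s"; fi
fi
```

Run it against sshd -T output rather than the raw file when Match blocks are in use, and treat a FAIL on ClientAliveCountMax 0 as a real finding even on hosts still running OpenSSH older than 8.2, since the same line will silently stop enforcing anything after the next upgrade.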
Best Practice:
None
Unofficial FedRAMP Guidance:
None
Assessment Evidence:
Configuration settings for session disconnect after a period of inactivity (e.g., ten (10) minutes), such as the effective sshd settings reported by sshd -T (ClientAliveInterval, ClientAliveCountMax), the shell inactivity timeout where one is relied upon, and the idle-timeout settings of VPN concentrators and bastion hosts.
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD