Control ID: AC-11 Session Lock |
Family: Access Control |
Source: NIST 800-53r4 |
Control: The information system:
- Prevents further user access to the system by initiating a session lock after [Assignment: organization-defined time period] of inactivity or upon receiving a request from a user; and
- Retains the session lock until the user reestablishes access using established identification and authentication procedures.
|
Supplemental Guidance: Session locks are temporary actions taken when users stop work and move away from the immediate vicinity of information systems but do not want to log out because of the temporary nature of their absences. Session locks are implemented where session activities can be determined. This is typically at the operating system level, but can also be at the application level. Session locks are not an acceptable substitute for logging out of information systems, for example, if organizations require users to log out at the end of workdays.
Related Controls:
AC-7
|
Control Enhancements:
(1) Session Lock | Pattern-hiding Displays
The information system conceals, via the session lock, information previously visible on the display with a publicly viewable image.
Supplemental Guidance: Publicly viewable images can include static or dynamic images, for example, patterns used with screen savers, photographic images, solid colors, clock, battery life indicator, or a blank screen, with the additional caveat that none of the images convey sensitive information.
Related Controls:
N/A
|
References: OMB Memorandum 06-16.
|
Mechanisms:
- The device supports the functionality of monitoring user activity for users in privileged roles and locking out the session after a certain period of inactivity, such that the user has to re-authenticate to continue carrying out privileged activities.
- The device is configurable such that the threshold inactivity length is five minutes.
- The device supports the functionality of an appropriately privileged user being able to explicitly lock an active session at any time.
- The device shall support the functionality of a user locking their own session.
- The device may support the functionality of an appropriately privileged administrator locking another user's session.
|
Protocol Implementation Conformance Statements:
ID |
Statement |
Status |
Reference |
Notes |
AC-11/1
|
Support monitoring user activity for users in roles with privileged attributes and locking out the session after a certain period of inactivity
|
M
|
|
|
AC-11/2
|
Support the mechanism of AC-11/1 such that the threshold inactivity time is five minutes
|
M
|
AC-11/1
|
|
AC-11/3
|
Privileged user able to lock sessions at any time
|
M
|
|
|
AC-11/4
|
User can lock their own session
|
M
|
|
|
AC-11/5
|
Administrative user can lock another user's session
|
M
|
|
|
AC-11(1)/1
|
Support pattern hiding displays as specified above
|
M
|
|
|
|