Requirement text: AC.2.010: Use session lock with pattern-hiding displays to prevent access and
viewing of data after a period of inactivity.
DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2
Session locks are temporary actions taken when users stop work and move away from the
immediate vicinity of the system but do not want to log out because of the temporary nature
of their absences. Session locks are implemented where session activities can be
determined, typically at the operating system level (but can also be at the application level).
Session locks are not an acceptable substitute for logging out of the system, for example, if
organizations require users to log out at the end of the workday.
Pattern-hiding displays can include static or dynamic images, for example, patterns used
with screen savers, photographic images, solid colors, clock, battery life indicator, or a blank
screen, with the additional caveat that none of the images convey controlled unclassified
information.
CMMC CLARIFICATION
You can set session locks on your system. A user can enable the lock manually, or the system
can enable it automatically after a preset period of inactivity, for example, one to five
minutes. Session locks are a quick way to prevent unauthorized use of a system without
requiring the user to log off.
A locked session shows pattern-hiding information on the machine screen. This masks the
data on the display.
Example
You are the IT administrator in your organization. You notice that employees leave their
offices without locking their computers. Sometimes their screens display sensitive company
information. You remind your coworkers to lock their systems when they walk away. You
set all machines to lock after five minutes of inactivity.
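The following PowerShell script is an added example, not part of the CMMC or NIST text. It audits the Windows settings that implement this practice on the local machine (the machine inactivity limit and the per-user screen-saver policy written by group policy) and offers a remediation function. It assumes the five-minute value from the example above as the upper bound, that the two registry policy paths shown are where your group policy writes these settings, and that the built-in blank screen saver is an acceptable pattern-hiding display; adjust those to your environment.

```powershell
# Added example (not CMMC or NIST code): audit and optionally correct the
# Windows session-lock settings behind AC.2.010 on the local machine.
# Assumptions: 300 seconds (five minutes) is the target limit, and the two
# policy paths below are the ones your group policy populates.

$MaxIdleSeconds = 300   # five minutes, the value used in the CMMC example

# Machine-wide limit: "Interactive logon: Machine inactivity limit" (DWORD, seconds).
$MachinePolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
# Per-user screen-saver policy written by group policy (REG_SZ values, timeout in seconds).
$UserPolicy    = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is missing instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-SessionLockPolicy {
    param([int]$MaxIdleSeconds = 300)

    $machineTimeout = Get-RegValue $MachinePolicy 'InactivityTimeoutSecs'
    $ssActive  = Get-RegValue $UserPolicy 'ScreenSaveActive'
    $ssSecure  = Get-RegValue $UserPolicy 'ScreenSaverIsSecure'
    $ssTimeout = Get-RegValue $UserPolicy 'ScreenSaveTimeOut'

    $findings = @()

    # Machine inactivity limit: absent or 0 means no lock; above the limit is too slow.
    if (-not $machineTimeout -or [int]$machineTimeout -le 0) {
        $findings += 'InactivityTimeoutSecs not set (no machine-wide lock)'
    } elseif ([int]$machineTimeout -gt $MaxIdleSeconds) {
        $findings += "InactivityTimeoutSecs is $machineTimeout s (limit $MaxIdleSeconds s)"
    }

    # Screen-saver path: must be on, must require a password on resume, and must
    # fire within the limit. A screen saver without ScreenSaverIsSecure hides the
    # display but does not prevent access, which fails the practice.
    if ($ssActive -ne '1') { $findings += 'ScreenSaveActive is not 1 (screen saver off)' }
    if ($ssSecure -ne '1') { $findings += 'ScreenSaverIsSecure is not 1 (no password on resume)' }
    if (-not $ssTimeout -or [int]$ssTimeout -le 0 -or [int]$ssTimeout -gt $MaxIdleSeconds) {
        $findings += "ScreenSaveTimeOut is '$ssTimeout' (expected 1..$MaxIdleSeconds)"
    }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        MachineTimeout = $machineTimeout
        ScreenSaver    = @{ Active = $ssActive; Secure = $ssSecure; Timeout = $ssTimeout }
        Compliant      = ($findings.Count -eq 0)
        Findings       = $findings
    }
}

function Set-SessionLockPolicy {
    param([int]$MaxIdleSeconds = 300)
    # Writing the HKLM value requires an elevated session.
    foreach ($path in @($MachinePolicy, $UserPolicy)) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    }
    Set-ItemProperty -Path $MachinePolicy -Name 'InactivityTimeoutSecs' -Value $MaxIdleSeconds -Type DWord
    Set-ItemProperty -Path $UserPolicy -Name 'ScreenSaveActive'    -Value '1' -Type String
    Set-ItemProperty -Path $UserPolicy -Name 'ScreenSaverIsSecure' -Value '1' -Type String
    Set-ItemProperty -Path $UserPolicy -Name 'ScreenSaveTimeOut'   -Value "$MaxIdleSeconds" -Type String
    # Built-in blank screen saver: a pattern-hiding display that cannot show CUI.
    Set-ItemProperty -Path $UserPolicy -Name 'SCRNSAVE.EXE' -Value "$env:SystemRoot\System32\scrnsave.scr" -Type String
}

$result = Test-SessionLockPolicy -MaxIdleSeconds $MaxIdleSeconds
$result | Format-List
if (-not $result.Compliant) {
    Write-Warning 'Session lock policy is non-compliant; run Set-SessionLockPolicy in an elevated session to correct it.'
}
```

Run the audit from a normal session to collect findings; the remediation function needs elevation because of the HKLM value. In practice the same settings should be pushed by group policy (or an MDM profile) rather than set per machine, and the audit is then the evidence that the policy actually applied. On a GNOME desktop the equivalent check reads `org.gnome.desktop.session idle-delay` and `org.gnome.desktop.screensaver lock-enabled` with `gsettings get`.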
References
• NIST SP 800-171 Rev 1 3.1.10
• CIS Controls v7.1 16.11
• NIST SP 800-53 Rev 4 AC-11, AC-11(1)