CMMC AC.3.019 - Terminate User Sessions

Requirement text: AC.3.019: Terminate (automatically) user sessions after a defined condition.

DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2
This requirement addresses the termination of user-initiated logical sessions in contrast to
the termination of network connections that are associated with communications sessions
(i.e., disconnecting from the network). A logical session (for local, network, and remote
access) is initiated whenever a user (or process acting on behalf of a user) accesses an
organizational system. Such user sessions can be terminated (and thus terminate user
access) without terminating network sessions. Session termination terminates all processes
associated with a user’s logical session except those processes that are specifically created
by the user (i.e., session owner) to continue after the session is terminated. Conditions or
trigger events requiring automatic session termination can include organization-defined
periods of user inactivity, targeted responses to certain types of incidents, and time-of-day
restrictions on system use.

CMMC CLARIFICATION
This practice may require security policy development if it does not exist. Configure the
system to end user sessions based on the organization's policy. Policy guidance for session
termination usually includes circumstances, events, or specific triggers that require
automatically terminating the session or logging off the user. If there is no automatic control
of user sessions, an attacker can take advantage of an unattended session.

Example 1
You are the system administrator for your organization and were given the task to
implement the termination of all user sessions after 1 hour of inactivity. As the session
timeout approaches, the system prompts users with a warning banner asking if they want to
continue the session. When the session timeout does occur, the login page pops up and the
users must log in to start a new session.

Example 2
You are logged into a corporate database containing CUI, but you are not authorized to view
CUI. You have submitted a series of complex queries that violate policy, as they appear to be
an attempt to extract CUI you are not authorized to view. Your session is terminated as a
result of what appears to be a large query set attack, a violation of corporate policy. You
must reestablish the session before you can submit additional legitimate queries.
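As an added illustration (not part of the CMMC or NIST source text), the trigger conditions listed in the discussion and the two examples above, modeled as a small session manager in Python: the one-hour inactivity limit with a warning before expiry, an assumed time-of-day window, and an incident-driven termination of all of a user's sessions. The permitted-hours window, warning lead time, session identifiers and user names are constructed values, not taken from the source.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, time
from typing import Dict, Optional

IDLE_LIMIT = timedelta(hours=1)             # Example 1: terminate after 1 hour idle
WARN_BEFORE = timedelta(minutes=5)          # assumed: prompt the user before the limit
ALLOWED_HOURS = (time(6, 0), time(22, 0))   # assumed time-of-day window (constructed)

@dataclass
class Session:
    user: str
    last_activity: datetime
    active: bool = True
    end_reason: Optional[str] = None

class SessionManager:
    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}
    def login(self, sid: str, user: str, now: datetime) -> None:
        self.sessions[sid] = Session(user, now)
    def touch(self, sid: str, now: datetime) -> None:
        """Record user activity; a terminated session is not revived by activity."""
        s = self.sessions[sid]
        if s.active:
            s.last_activity = now
    def terminate(self, sid: str, reason: str) -> None:
        s = self.sessions[sid]
        s.active, s.end_reason = False, reason
    def terminate_user(self, user: str, reason: str) -> None:
        """Incident-driven trigger (Example 2): end every active session of a user."""
        for sid, s in self.sessions.items():
            if s.user == user and s.active:
                self.terminate(sid, reason)

    def check(self, sid: str, now: datetime) -> str:
        """Evaluate the triggers; returns 'ok', 'warn', or the reason the session ended."""
        s = self.sessions[sid]
        if not s.active:
            return s.end_reason or "terminated"   # a new login is required
        idle = now - s.last_activity
        if idle >= IDLE_LIMIT:                    # inactivity trigger
            self.terminate(sid, "inactivity")
            return "inactivity"
        start, end = ALLOWED_HOURS
        if not (start <= now.time() < end):       # time-of-day restriction
            self.terminate(sid, "time-of-day")
            return "time-of-day"
        if idle >= IDLE_LIMIT - WARN_BEFORE:      # warning-banner window
            return "warn"
        return "ok"
```

A caller would run `check` on each request or on a timer and, on `"warn"`, show the continue-session prompt; only a `touch` from the user extends the session.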

References
• NIST SP 800-171 Rev 1 3.1.11
• CIS Controls v7.1 16.7, 16.11
• NIST SP 800-53 Rev 4 AC-12
