CMMC SC.3.186 - Terminate Unnecessary Network Sessions

Requirement text: SC.3.186: Terminate network connections associated with communications sessions
at the end of the sessions or after a defined period of inactivity.

DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2
This requirement applies to internal and external networks. Terminating network
connections associated with communications sessions includes de-allocating associated
TCP/IP address or port pairs at the operating system level, or de-allocating networking
assignments at the application level if multiple application sessions are using a single,
operating system-level network connection. Time periods of user inactivity may be
established by organizations and include time periods by type of network access or for
specific network accesses.

CMMC CLARIFICATION
Organizations should terminate the internal and external network connections associated
with communication sessions at the end of the session or after a period of inactivity by
deallocating (stopping) TCP/IP addresses or ports at the operating system level, and/or
deallocating assignments at the application system level. This prevents malicious actors
from taking advantage of an open network session or an unattended laptop at the end of the
connection. Organizations must balance user work patterns and needs against security
when they determine the length of inactivity that will force a termination.

Example
You are an administrator of a server that provides remote access. You read your company’s
policies and see that your company has decided that network connections must be
terminated after being idle for 60 minutes.
Reading the documentation for your remote access software, you learn that the
configuration file for the software allows you to set an idle timeout in seconds. You edit the
configuration file and set the timeout to 3600 seconds and restart the remote access
software. You test the software and verify that after 60 minutes of being idle, your
connection is terminated.
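The behaviour the example verifies by hand (a session echoes traffic while active, is torn down at the operating-system level once it has been idle past the policy threshold, and is also released when the peer ends it) can be shown end to end in code. The following is an added example, not text from the CMMC model or from any particular remote access product; it is a constructed TCP echo server whose `IDLE_TIMEOUT` stands in for the 3600 seconds a real deployment would read from its configuration file, shortened so the demonstration finishes in under a second. The function names and the loopback port are assumptions of the example.

```python
"""Idle-timeout enforcement for a TCP session, demonstrated end to end.

Constructed example: a loopback echo server closes any connection that
stays silent longer than IDLE_TIMEOUT seconds, or whose peer hangs up.
"""
from __future__ import annotations

import socket
import threading
import time

# Inactivity threshold a deployment would take from policy (3600 s in the
# page's example). Kept short here so the demo runs quickly.
IDLE_TIMEOUT = 0.5


def handle_session(conn: socket.socket, idle_timeout: float, log: list) -> None:
    """Echo until the peer hangs up or is silent for idle_timeout seconds.

    settimeout() makes recv() raise socket.timeout after idle_timeout seconds
    with no data, which is the inactivity trigger. On timeout or peer close
    the server tears the connection down (FIN via shutdown, then close); that
    is the OS-level de-allocation of the address/port pair SC.3.186 describes.
    """
    conn.settimeout(idle_timeout)
    try:
        while True:
            try:
                data = conn.recv(4096)
            except socket.timeout:
                log.append("idle-timeout")   # inactivity threshold exceeded
                break
            if not data:                     # peer closed: end of session
                log.append("peer-closed")
                break
            conn.sendall(data)               # session is active: echo
    finally:
        try:
            conn.shutdown(socket.SHUT_RDWR)
        except OSError:
            pass                             # peer may already be gone
        conn.close()


def start_server(idle_timeout: float, log: list):
    """Listen on an ephemeral loopback port and serve one session in a thread."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def accept_one() -> None:
        conn, _ = srv.accept()
        handle_session(conn, idle_timeout, log)

    worker = threading.Thread(target=accept_one, daemon=True)
    worker.start()
    return srv, worker


def run_demo(idle_timeout: float = IDLE_TIMEOUT, go_idle: bool = True) -> dict:
    """Client side: exchange one message, then either go idle or hang up.

    Returns the echoed bytes, what the client saw after going idle (b"" means
    the server closed the connection; None means it never did) and the
    server's log of why the session ended.
    """
    log: list = []
    srv, worker = start_server(idle_timeout, log)
    port = srv.getsockname()[1]
    cli = socket.create_connection(("127.0.0.1", port))
    cli.settimeout(idle_timeout * 10)        # generous wait for the server's FIN
    cli.sendall(b"hello")
    echoed = cli.recv(4096)
    after_idle = None
    if go_idle:
        time.sleep(idle_timeout * 2)         # stay quiet past the threshold
        try:
            after_idle = cli.recv(4096)      # b"" once the server closes on us
        except socket.timeout:
            after_idle = None                # server never closed: control failed
    cli.close()                              # end of session from the client side
    worker.join(timeout=idle_timeout * 10)
    srv.close()
    return {"echoed": echoed, "after_idle": after_idle, "server_log": log}


if __name__ == "__main__":
    print(run_demo())                        # idle client is cut off
    print(run_demo(go_idle=False))           # clean end of session
```

The check a practitioner wants is the one `run_demo` performs: the client goes quiet, and `recv()` returns `b""` because the server, not the client, closed the connection. Note that keepalive-style settings such as OpenSSH's `ClientAliveInterval` and `ClientAliveCountMax` terminate connections whose peer stops answering probes, not sessions where a live client is merely idle; enforcing user inactivity needs an application-level timer like the one above (or, for interactive shells, a read-only `TMOUT`).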

References
• NIST SP 800-171 Rev 1 3.13.9
• NIST SP 800-53 Rev 4 SC-10

Related Articles
• CMMC AC.3.019 - Terminate User Sessions
• CMMC SC.2.179 - Encrypt Sessions for Network Devices Management
• CMMC SC.3.190 - Protect Authenticity of Communications Sessions
• CMMC MA.2.113 - Require Multifactor Authentication for Maintenance Sessions
• CMMC SC.5.198 - Configure Monitoring Systems to Record Network Packets