CMMC Practices

SC.L2-3.13.9  

Reference: CMMC 2.11

Family: SC

Level Introduced: 2

Title: Connections Termination

Practice:
Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity.

CMMC Clarification:
Organizations should terminate the internal and external network connections associated with communication sessions at the end of the session or after a period of inactivity by deallocating (stopping) TCP/IP addresses or ports at the operating system level, and/or deallocating assignments at the application system level. This prevents malicious actors from taking advantage of an open network session or an unattended laptop at the end of the connection. Organizations must balance user work patterns and needs against security when they determine the length of inactivity that will force a termination.

Example
You are an administrator of a server that provides remote access. You read your company's policies and see that your company has decided that network connections must be terminated after being idle for 60 minutes.

Reading the documentation for your remote access software, you learn that the configuration file for the software allows you to set an idle timeout in seconds. You edit the configuration file and set the timeout to 3600 seconds and restart the remote access software. You test the software and verify that after 60 minutes of being idle, your connection is terminated.
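The following added example (not part of the CMMC guidance or of any remote access product) shows what such an idle timeout does at the application level: a small TCP service closes a connection when the session ends or when no data arrives within the idle limit. The names `serve_session`, `run_demo` and `POLICY_IDLE_SECONDS` are hypothetical, and the demo uses a 0.3-second limit so the test finishes quickly; a real listener would be given the 3600-second policy value.

```python
import asyncio
import time

POLICY_IDLE_SECONDS = 3600  # the 60-minute policy value from the example above


async def serve_session(reader, writer, idle_seconds):
    """Echo lines until the peer ends the session or stays idle too long."""
    try:
        while True:
            # The timer restarts on every read, so only inactivity trips it.
            line = await asyncio.wait_for(reader.readline(), timeout=idle_seconds)
            if not line:  # peer closed its side: end of session
                break
            writer.write(line)
            await writer.drain()
    except asyncio.TimeoutError:
        pass  # idle limit reached: fall through and terminate
    finally:
        writer.close()  # releases the socket at the operating system level
        await writer.wait_closed()


async def _demo(idle_seconds):
    server = await asyncio.start_server(
        lambda r, w: serve_session(r, w, idle_seconds), "127.0.0.1", 0)
    port = server.sockets[0].getsockname()[1]
    reader, writer = await asyncio.open_connection("127.0.0.1", port)
    writer.write(b"ping\n")  # constructed sample traffic
    await writer.drain()
    echo = await reader.readline()
    started = time.monotonic()
    # Go quiet; read() returns b"" only when the server closes the connection.
    tail = await asyncio.wait_for(reader.read(), timeout=idle_seconds * 10)
    idle_for = time.monotonic() - started
    writer.close()
    server.close()
    return echo, tail, idle_for


def run_demo(idle_seconds=0.3):
    """Return (echoed line, bytes read at termination, seconds idle before cut-off)."""
    return asyncio.run(_demo(idle_seconds))


if __name__ == "__main__":
    echo, tail, idle_for = run_demo()
    print(f"echo={echo!r} closed_by_server={tail == b''} after {idle_for:.2f}s idle")
```

The same measurement, run against a deployed service with the policy value, is the verification step the example describes: stay idle and confirm the server, not the client, ends the connection at the limit.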


Source: CMMC v2.0