Reference: CMMC v2.13
Family: AC
Level Introduced: 2
Title: Session Lock
Practice:
Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity.
Further Discussion:
Session locks can be initiated by the user or, more fundamentally, enabled automatically when the system has been idle for a period of time, for example, five minutes. Session locks are a quick way to prevent unauthorized use of the systems without having a user log off. Minimum configuration requirements are left up to the organization to define.
A locked session shows pattern-hiding information on the screen to mask the data on the display.
Example
You manage systems for an organization that stores, processes, and transmits CUI. You notice that employees leave their offices without locking their computers. Sometimes their screens display sensitive company information. You configure all machines to lock after five minutes of inactivity [a,b]. You also remind your coworkers to lock their systems when they walk away [a].
Potential Assessment Considerations
• Does the session lock hide previously visible information (e.g., replacing what was visible with a lock screen or screensaver that does not include sensitive information) [c]?
• If session locks are not managed centrally, how are all computer users made aware of the requirements and how to configure them [a,b,c]?
Implementation Strategies
This is for registered users only. Please sign up for a free account, or Login, to see complete cross references to other standards and frameworks.
800-171 Requirements v2 (1)
This is for registered users only. Please sign up for a free account, or Login, to see complete cross references to other standards and frameworks.