Skip to content
CMMC 2.13
CMMC · Rev 2.132FAMILY AC

AC.L2-3.1.10

Session Lock

Requirement

Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity.

Further discussion

Session locks can be initiated by the user or, more fundamentally, enabled automatically when the system has been idle for a period of time, for example, five minutes. Session locks are a quick way to prevent unauthorized use of the systems without having a user log off. Minimum configuration requirements are left up to the organization to define. A locked session shows pattern-hiding information on the screen to mask the data on the display. Example You manage systems for an organization that stores, processes, and transmits CUI. You notice that employees leave their offices without locking their computers. Sometimes their screens display sensitive company information. You configure all machines to lock after five minutes of inactivity [a,b]. You also remind your coworkers to lock their systems when they walk away [a]. Potential Assessment Considerations • Does the session lock hide previously visible information (e.g., replacing what was visible with a lock screen or screensaver that does not include sensitive information) [c]? • If session locks are not managed centrally, how are all computer users made aware of the requirements and how to configure them [a,b,c]?

Supporting controls

NIST 800-171 · Rev 21 mapped

Create a free account or log in to view the cross-referenced controls.

Implementation strategies

10 recommended strategies for this practice.

Create a free account or log in to view the implementation strategies.

Source: DoD CIO · https://dodcio.defense.gov/CMMC/