>myctrl.tools
Preferences
Under active development Content is continuously updated and improved
Compare

3.1.11Access Control - Derived

Derived Requirement

>Control Description

Terminate (automatically) a user session after a defined condition.

>Discussion

This requirement addresses the termination of user-initiated logical sessions in contrast to the termination of network connections that are associated with communications sessions (i.e., disconnecting from the network). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational system. Such user sessions can be terminated (and thus terminate user access) without terminating network sessions.

Session termination terminates all processes associated with a user's logical session except those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated. Conditions or trigger events requiring automatic session termination can include organization-defined periods of user inactivity, targeted responses to certain types of incidents, and time-of-day restrictions on system use

>Cross-Framework Mappings

CMMC

AC.L2-3.1.11
Compare

SCF

IAC-25
Compare

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What policy governs remote session termination?
  • What are the defined timeouts for remote sessions?
  • How do you differentiate timeout requirements for different remote access types?
  • Who approves remote session timeout configurations?
  • What process handles user complaints about session timeouts?

Technical Implementation:

  • How do VPN or remote access systems enforce session termination?
  • What technical mechanisms disconnect idle remote sessions?
  • How are remote session timeouts configured (VPN, RDP, web apps)?
  • What controls prevent users from maintaining persistent remote connections?
  • How do you handle session termination for different protocols?

Evidence & Documentation:

  • Can you show remote access timeout configurations?
  • What logs demonstrate automatic remote session termination?
  • Can you provide evidence of VPN or RDP timeout enforcement?
  • What reports track remote session durations and terminations?
  • What audit findings verify remote session controls?

Ask AI

Configure your API key to use AI features.