FedRAMP Concurrent Session Control AC-10

Overview:
The information system limits the number of concurrent sessions for each [Assignment: organization-defined account and/or account type] to [Assignment: organization-defined number].

Supplemental Guidance:
Organizations may define the maximum number of concurrent sessions for information system accounts globally, by account type (e.g., privileged user, non-privileged user, domain, specific application), by account, or a combination. For example, organizations may limit the number of concurrent sessions for system administrators or individuals working in particularly sensitive domains or mission-critical applications. This control addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts

Action Items:
1) Limit the number of concurrent sessions

Related Documents:
1) Access Control Policy

Additional Guidance:
Moderate FedRAMP-Defined Assignment / Selection Parameters
AC-10-2 [three (3) sessions for privileged access and two (2) sessions for non-privileged access]

Moderate Additional FedRAMP Requirements and Guidance
none