
NIST 800-171 - Network Disconnect (3.13.9)

Overview:
Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity.


Action Items:
3.13.9[a]
Determine if: a period of inactivity to terminate network connections associated with communications sessions is defined.


3.13.9[b]
Determine if: network connections associated with communications sessions are terminated at the end of the sessions.


3.13.9[c]
Determine if: network connections associated with communications sessions are terminated after the defined period of inactivity.


Potential Assessment Methods and Objects:
1) Examine: System and communications protection policy; procedures addressing network disconnect; system design documentation; system security plan; system configuration settings and associated documentation; system audit logs and records; other relevant documents or records.

2) Interview: System or network administrators; personnel with information security responsibilities; system developer.

3) Test: Mechanisms supporting or implementing network disconnect capability.


Related Documents (document name and content will vary by organization):
1) System and communications protection policy
2) procedures addressing network disconnect
3) system design documentation
4) system security plan
5) system configuration settings and associated documentation
6) system audit logs and records
7) other relevant documents or records


Additional Guidance:
This requirement applies to internal and external networks. Terminating network connections associated with communications sessions includes, for example, de-allocating the associated TCP/IP address and port pairs at the operating system level, or de-allocating networking assignments at the application level when multiple application sessions share a single operating-system-level network connection. Organizations may establish time periods of user inactivity, for example by type of network access or for specific network accesses.
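As an added illustration (not part of the NIST text), the following Python session table shows the three assessment objectives in one place: a defined inactivity period (3.13.9[a]; the 900 s value is an assumption), termination at session end (3.13.9[b]), termination after the idle period (3.13.9[c]), and an audit record of each disconnect that an assessor could examine. Real client connections are stood in for by `socket.socketpair()`, and the clock is passed in explicitly so the timeout logic is deterministic.

```python
import socket
from dataclasses import dataclass, field

IDLE_TIMEOUT_SECONDS = 900.0  # org-defined inactivity period (3.13.9[a]); assumed value

@dataclass
class SessionTable:
    idle_timeout: float = IDLE_TIMEOUT_SECONDS
    sessions: dict = field(default_factory=dict)   # id -> [socket, last_activity]
    audit_log: list = field(default_factory=list)  # records an assessor can examine

    def open(self, sid: str, conn: socket.socket, now: float) -> None:
        self.sessions[sid] = [conn, now]
        self.audit_log.append(f"t={now:.0f} {sid} opened")

    def touch(self, sid: str, now: float) -> None:
        self.sessions[sid][1] = now  # traffic seen: reset the session's idle clock

    def terminate(self, sid: str, reason: str, now: float) -> None:
        # Release the OS-level connection (the TCP address/port pair) and log it.
        conn, _ = self.sessions.pop(sid)
        try:
            conn.shutdown(socket.SHUT_RDWR)  # peer sees EOF immediately
        except OSError:
            pass  # peer already gone; close() below still frees the socket
        conn.close()
        self.audit_log.append(f"t={now:.0f} {sid} terminated reason={reason}")

    def reap_idle(self, now: float) -> list:
        # 3.13.9[c]: tear down every session idle for at least idle_timeout.
        expired = [sid for sid, (_, last) in self.sessions.items()
                   if now - last >= self.idle_timeout]
        for sid in expired:
            self.terminate(sid, "inactivity", now)
        return expired

def demo() -> tuple:
    # Constructed stand-ins for client connections: sess-a idles out, sess-b ends normally.
    table = SessionTable()
    srv_a, cli_a = socket.socketpair()
    srv_b, cli_b = socket.socketpair()
    table.open("sess-a", srv_a, now=0.0)
    table.open("sess-b", srv_b, now=0.0)
    table.touch("sess-b", now=600.0)          # sess-b stays active
    reaped = table.reap_idle(now=900.0)       # only sess-a has been idle for 900 s
    cli_a.settimeout(1.0)
    peer_sees_eof = cli_a.recv(1) == b""      # kernel released sess-a's connection
    table.terminate("sess-b", "session_end", now=1000.0)  # 3.13.9[b]
    cli_a.close(); cli_b.close()
    return reaped, peer_sees_eof, sorted(table.sessions), table.audit_log
```

In a real service the `touch` call sits in the receive path and `reap_idle` runs on a timer, and the audit entries would go to the system's log rather than a list.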