Overview:
The information system:
a. Prevents further access to the system by initiating a session lock after [Assignment: organization-defined time period] of inactivity or upon receiving a request from a user; and
b. Retains the session lock until the user reestablishes access using established identification and authentication procedures.
Supplemental Guidance:
Session locks are temporary actions taken when users stop work and move away from the immediate vicinity of information systems but do not want to log out because of the temporary nature of their absences. Session locks are implemented where session activities can be determined. This is typically at the operating system level, but can also be at the application level. Session locks are not an acceptable substitute for logging out of information systems, for example, if organizations require users to log out at the end of workdays.
Related controls: AC-7
References:>/b> OMB Memorandum 06-16
Action Items:
1) Implement session locks after a defined time period of inactivity
Related Documents:
1) Access Control Policy
2) Acceptable Use Policy
Additional Guidance:
Moderate FedRAMP-Defined Assignment / Selection Parameters
AC-11(a) [fifteen (15) minutes]
Moderate Additional FedRAMP Requirements and Guidance
none
Article ID: 33
Created: September 25, 2022
Last Updated: September 26, 2022
Author: Matthew Burdick
Online URL: http://www.compliancewiki.org/article/fedramp-session-lock-ac-11-33.html