AC-11 Session Lock
Description
Device locks are temporary actions taken when users stop work and move away from the immediate vicinity of information systems but do not want to log out because of the temporary nature of their absences. Device locks are implemented where session activities can be determined. This is typically at the operating system level but can also be at the application level. Device locks are not an acceptable substitute for logging out of information systems, for example, if organizations require users to log out at the end of workdays.
Applicability
The information resource owner, or designee, is responsible for ensuring that the measures described in this Control are implemented.
The intended audience for this Control includes, but is not limited to, all information resource owners and custodians.
Implementation
The information system:
- Custodians shall configure servers such that:
  - Sessions are locked after 15 minutes of inactivity or upon receiving a request from the session user, and
  - The session lock remains in effect until the user re-establishes access using established identification and authentication procedures.
- Custodians shall configure workstations and other endpoint devices such that:
  - Sessions are locked after 15 minutes of inactivity or upon receiving a request from the session user, except for the following workstation types:
    - Conference room workstation sessions are locked after 60 minutes of inactivity or upon receiving a request from the session user;
    - Classroom workstation sessions are locked after 120 minutes of inactivity or upon receiving a request from the session user;
    - Kiosk workstation and special event workstation sessions are exempt from session lock;
  - The session lock remains in effect until the user re-establishes access using established identification and authentication procedures.
- Custodians shall configure session lock screens to completely conceal any information previously visible on the display and to retain the session lock until the user re-establishes access using established identification and authentication procedures.
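A custodian verifying these settings across a fleet needs the role-specific thresholds (15, 60 and 120 minutes, plus the kiosk exemption) expressed as a check rather than re-read from the policy each time. The following policy-as-code evaluator is an added example and is not part of this control document or of any endpoint-management product; the inventory record schema, the role names, and the sample devices are constructed assumptions, and the exemption for kiosk and special event workstations is read as covering the whole lock requirement for those devices.

```python
"""Policy-as-code check for the AC-11 session lock requirements above.

Constructed example: the DeviceConfig schema, role names and sample fleet are
assumptions, not an export format from any real endpoint-management tool.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Maximum permitted inactivity before lock, in seconds, per device role.
# None marks a role the control exempts from session lock (kiosk / special event).
MAX_IDLE_SECONDS: Dict[str, Optional[int]] = {
    "server": 15 * 60,
    "workstation": 15 * 60,
    "conference_room": 60 * 60,
    "classroom": 120 * 60,
    "kiosk": None,
    "special_event": None,
}


@dataclass(frozen=True)
class DeviceConfig:
    """Observed session-lock settings for one device (assumed schema)."""
    hostname: str
    role: str
    idle_lock_seconds: Optional[int]  # None: no inactivity lock configured at all
    user_can_lock: bool               # user can lock the session on request
    reauth_required: bool             # lock persists until identification and authentication
    conceals_display: bool            # lock screen hides previously visible content


def evaluate(device: DeviceConfig) -> List[str]:
    """Return the findings for one device; an empty list means compliant."""
    if device.role not in MAX_IDLE_SECONDS:
        return [f"unknown role '{device.role}': cannot determine required timeout"]
    limit = MAX_IDLE_SECONDS[device.role]
    if limit is None:
        # Assumption: exempt roles carry no AC-11 findings.
        return []
    findings: List[str] = []
    if device.idle_lock_seconds is None:
        findings.append("no inactivity lock configured")
    elif device.idle_lock_seconds > limit:
        findings.append(
            f"inactivity lock {device.idle_lock_seconds}s exceeds "
            f"{limit}s allowed for {device.role}")
    if not device.user_can_lock:
        findings.append("session user cannot lock the session on request")
    if not device.reauth_required:
        findings.append("session lock does not require re-authentication")
    if not device.conceals_display:
        findings.append("lock screen does not conceal previously visible content")
    return findings


def compliance_report(devices: List[DeviceConfig]) -> Dict[str, List[str]]:
    """Map each hostname to its findings (empty list = compliant)."""
    return {d.hostname: evaluate(d) for d in devices}


# Constructed sample inventory covering each branch of the policy.
SAMPLE_FLEET = [
    DeviceConfig("srv-db-01", "server", 900, True, True, True),
    DeviceConfig("ws-finance-12", "workstation", 1800, True, True, True),
    DeviceConfig("conf-a", "conference_room", 3600, True, True, True),
    DeviceConfig("class-101", "classroom", 7200, True, False, True),
    DeviceConfig("kiosk-lobby", "kiosk", None, False, False, False),
    DeviceConfig("ws-hr-03", "workstation", None, True, True, False),
]

if __name__ == "__main__":
    for host, findings in compliance_report(SAMPLE_FLEET).items():
        status = "PASS" if not findings else "FAIL"
        print(f"{status} {host}: {'; '.join(findings) or 'compliant'}")
```

Feed it records produced by whatever inventory or configuration-management source the custodian already trusts; the value of the check is that a change to the policy thresholds is made once, in the table, rather than in each audit script.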
Revision History
Last Updated: February 21, 2025
Previous Versions:
- June 29, 2023
- May 31, 2022
- March 25, 2021
- September 16, 2019