AC.L2-3.1.10 Session Lock

Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity.

Source: NIST SP 800-171 Rev 2 3.1.10

Discussion: Session locks are temporary actions taken when users stop work and move away from the immediate vicinity of the system but do not want to log out because of the temporary nature of their absences. Session locks are implemented where session activities can be determined, typically at the operating system level (but can also be at the application level). Session locks are not an acceptable substitute for logging out of the system, for example, if organizations require users to log out at the end of the workday. Pattern-hiding displays can include static or dynamic images, for example, patterns used with screen savers, photographic images, solid colors, clock, battery life indicator, or a blank screen, with the additional caveat that none of the images convey controlled unclassified information.

Assessment Objectives:

Determine if:

Examine: [SELECT FROM: Access control policy; procedures addressing session lock; procedures addressing identification and authentication; system design documentation; system configuration settings and associated documentation; security plan; other relevant documents or records].

Interview: [SELECT FROM: System or network administrators; personnel with information security responsibilities; system developers].

Test: [SELECT FROM: Mechanisms implementing access control policy for session lock].

SPRS Score: 1

POA&M Allowed: Yes