SC.L2-3.13.9 Connections Termination
Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity.
Source: NIST SP 800-171 Rev 2 3.13.9
Discussion: This requirement applies to internal and external networks. Terminating network connections associated with communications sessions includes de-allocating associated TCP/IP address or port pairs at the operating system level, or de-allocating networking assignments at the application level if multiple application sessions are using a single, operating system-level network connection. Time periods of user inactivity may be established by organizations and include time periods by type of network access or for specific network accesses.
Assessment Objectives:
Determine if:
- [a] a period of inactivity to terminate network connections associated with communications sessions is defined;
- [b] network connections associated with communications sessions are terminated at the end of the sessions; and
- [c] network connections associated with communications sessions are terminated after the defined period of inactivity.
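Added example (not part of NIST SP 800-171 or the CMMC assessment guide): a minimal loopback TCP service that closes the connection at end of session, objective [b], and after a defined idle period, objective [c]. The 0.5-second period, the QUIT command and all function names are assumptions made for the demonstration.

```python
import socket
import threading

IDLE_TIMEOUT_S = 0.5  # assumed for the demo; use the organization-defined period

def serve_one(listener, events):
    """Accept one session; end it on QUIT/EOF or after IDLE_TIMEOUT_S of silence."""
    conn, _peer = listener.accept()
    conn.settimeout(IDLE_TIMEOUT_S)  # every recv() waits at most this long
    try:
        while True:
            try:
                data = conn.recv(1024)
            except socket.timeout:
                events.append("idle_timeout")  # objective [c]
                break
            if not data or data.strip() == b"QUIT":
                events.append("session_end")  # objective [b]
                break
            conn.sendall(data)  # activity: echo, then the idle clock restarts
    finally:
        conn.close()  # server-side close lets the OS tear down the address/port pair

def run_session(client_actions):
    """Drive one loopback session; return (server events, client saw the close)."""
    events = []
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as listener:
        listener.bind(("127.0.0.1", 0))  # ephemeral port, loopback only
        listener.listen(1)
        worker = threading.Thread(target=serve_one, args=(listener, events))
        worker.start()
        with socket.create_connection(listener.getsockname()) as client:
            client.settimeout(5 * IDLE_TIMEOUT_S)
            client_actions(client)
            try:
                closed = client.recv(1024) == b""  # empty read means peer closed
            except socket.timeout:
                closed = False
        worker.join()
    return events, closed

def idle_client(client):
    pass  # connect and send nothing, so only the idle timer can end the session

def quitting_client(client):
    client.sendall(b"ping\n")
    client.recv(1024)  # wait for the echo before ending the session
    client.sendall(b"QUIT\n")
```

Calling run_session(idle_client) and run_session(quitting_client) exercises both termination paths; an assessor testing a real mechanism would look for the same two outcomes in the system's own logs or connection table.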
Examine: [SELECT FROM: System and communications protection policy; procedures addressing network disconnect; system design documentation; security plan; system configuration settings and associated documentation; system audit logs and records; other relevant documents or records].
Interview: [SELECT FROM: System or network administrators; personnel with information security responsibilities; system developer].
Test: [SELECT FROM: Mechanisms supporting or implementing network disconnect capability].
SPRS Score: 1
POA&M Allowed: Yes