SC.L2-3.13.9 Connections Termination

Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity.

Source: NIST SP 800-171 Rev 2 3.13.9

Discussion: This requirement applies to internal and external networks. Terminating network connections associated with communications sessions include de-allocating associated TCP/IP address or port pairs at the operating system level, or de-allocating networking assignments at the application level if multiple application sessions are using a single, operating system-level network connection. Time periods of user inactivity may be established by organizations and include time periods by type of network access or for specific network accesses

Assessment Objectives:

Determine if:

Examine: [SELECT FROM: System and communications protection policy; procedures addressing network disconnect; system design documentation; security plan; system configuration settings and associated documentation; system audit logs and records; other relevant documents or records].

Interview: [SELECT FROM: System or network administrators; personnel with information security responsibilities; system developer].

Test: [SELECT FROM: Mechanisms supporting or implementing network disconnect capability].

SPRS Score: 1

POA&M Allowed: Yes