AC.2.010

Control Acronym

AC

Family

Access Control

CMMC Level

2

800-171 Control #

3.1.10

CMMC Description

Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity.

CMMC Clarification

You can set session locks on your system. A user can enable the lock. Also, the system can enable it automatically after a preset time, for example, from one to five minutes. Session locks are a quick way to prevent unauthorized use of the systems without having a user log off. A locked session shows pattern-hiding information on the machine screen. This masks the data on the display. Example You are the IT administrator in your organization. You notice that employees leave their offices without locking their computers. Sometimes their screens display sensitive company information. You remind your coworkers to lock their systems when they walk away. You set all machines to lock after five minutes of inactivity.

800-171 Description

Use session lock with pattern- hiding displays to prevent access and viewing of data after a period of inactivity.

800-171 Discussion

Session locks are temporary actions taken when users stop work and move away from the immediate vicinity of the system but do not want to log out because of the temporary nature of their absences. Session locks are implemented where session activities can be determined, typically at the operating system level (but can also be at the application level). Session locks are not an acceptable substitute for logging out of the system, for example, if organizations require users to log out at the end of the workday. Pattern-hiding displays can include static or dynamic images, for example, patterns used with screen savers, photographic images, solid colors, clock, battery life indicator, or a blank screen, with the additional caveat that none of the images convey controlled unclassified information.

Other Source Discussion

N/A

CIS Control References

CIS Controls v7.1 16.11

NIST 800-53 Control Ref.

NIST SP 800-53 Rev 4 AC-11, AC-11(1)

CMMC Derived

NIST CSF Control References

NIST 800-171 References

NIST SP 800-171 Rev 1 3.1.10

Applicable FAR Clause

NIST CSF Control Reference

CERT RMM Reference

Modification of NIST 800-171B Reference

NIST 800-171B Reference

UK NCSCCyber Reference

AS ACSC Reference

Assessment Sub-Criteria 1

AC.2.010.[a] the period of inactivity after which the system initiates a session lock is defined;

Assessment Sub-Criteria 2

AC.2.010.[b] access to the system and viewing of data is prevented by initiating a session lock after the defined period of inactivity; and

Assessment Sub-Criteria 3

AC.2.010.[c] previously visible information is concealed via a pattern-hiding display after the defined period of inactivity.

Assessment Sub-Criteria 4

Assessment Sub-Criteria 5

Assessment Sub-Criteria 6

Assessment Sub-Criteria 7

Assessment Sub-Criteria 8

Assessment Sub-Criteria 9

Assessment Sub-Criteria 10

Assessment Sub-Criteria 11

Assessment Sub-Criteria 12

Assessment Sub-Criteria 13

Assessment Sub-Criteria 14

Assessment Sub-Criteria 15