SC.3.186

Control Acronym

SC

Family

System And Communications Protection

CMMC Level

3

800-171 Control #

3.13.9

CMMC Description

Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity.

CMMC Clarification

Organizations should terminate the internal and external network connections associated with communication sessions at the end of the session or after a period of inactivity by deallocating (stopping) TCP/IP addresses or ports at the operating system level, and/or deallocating assignments at the application system level. This prevents malicious actors from taking advantage of an open network session or an unattended laptop at the end of the connection. Organizations must balance user work patterns and needs against security when they determine the length of inactivity that will force a termination.

Example: You are an administrator of a server that provides remote access. You read your company's policies and see that your company has decided that network connections must be terminated after being idle for 60 minutes. Reading the documentation for your remote access software, you learn that the configuration file for the software allows you to set an idle timeout in seconds. You edit the configuration file, set the timeout to 3600 seconds, and restart the remote access software. You test the software and verify that after 60 minutes of being idle, your connection is terminated.
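The two termination paths the clarification describes (close at end of session, close after the defined idle period), as an added example that is not part of the CMMC page and not any product's code. The `SessionTable` and `serve()` names, the echo loop standing in for the "remote access software", and the 3600-second default are assumptions chosen to mirror the page's scenario:

```python
"""Idle-session termination as required by SC.3.186 / NIST SP 800-171 3.13.9.

Constructed example. SessionTable holds the policy logic (testable without a
network); serve() wires it to real TCP sockets so that reaping a session
closes the socket and releases the OS-level address/port pair.
"""
import selectors
import socket
import time
from dataclasses import dataclass
from typing import Dict, List, Optional

IDLE_TIMEOUT_SECONDS = 3600  # 60 minutes, the idle limit in the page's scenario


@dataclass
class Session:
    """One communications session and the time of its last observed activity."""
    session_id: str
    last_activity: float  # seconds on a monotonic clock
    ended_reason: Optional[str] = None


class SessionTable:
    """Tracks live sessions and decides which must be terminated.

    Maps onto the assessment sub-criteria:
      [a] idle_timeout is the defined period of inactivity;
      [b] end() terminates a session when the peer finishes;
      [c] reap_idle() terminates every session idle for idle_timeout or longer.
    """

    def __init__(self, idle_timeout: float = IDLE_TIMEOUT_SECONDS):
        if idle_timeout <= 0:
            raise ValueError("idle timeout must be a positive number of seconds")
        self.idle_timeout = idle_timeout
        self.sessions: Dict[str, Session] = {}

    def open(self, session_id: str, now: float) -> None:
        self.sessions[session_id] = Session(session_id, now)

    def touch(self, session_id: str, now: float) -> None:
        """Record activity; an unknown id is ignored (already terminated)."""
        s = self.sessions.get(session_id)
        if s is not None:
            s.last_activity = now

    def end(self, session_id: str, reason: str = "end of session") -> bool:
        """Terminate one session; False if it was not live."""
        s = self.sessions.pop(session_id, None)
        if s is None:
            return False
        s.ended_reason = reason
        return True

    def reap_idle(self, now: float) -> List[str]:
        """Terminate and return the ids of all sessions idle >= idle_timeout."""
        expired = [sid for sid, s in self.sessions.items()
                   if now - s.last_activity >= self.idle_timeout]
        for sid in expired:
            self.end(sid, reason="idle timeout")
        return expired


def _close(sel: selectors.BaseSelector, conns: Dict[str, socket.socket], sid: str) -> None:
    conn = conns.pop(sid)
    sel.unregister(conn)
    conn.close()  # releases the TCP address/port pair at the OS level


def serve(listen_addr, idle_timeout: float, run_seconds: float) -> int:
    """Hypothetical echo service that enforces the idle policy on real sockets.

    Runs for run_seconds and returns how many connections the idle timer closed.
    """
    table = SessionTable(idle_timeout)
    sel = selectors.DefaultSelector()
    conns: Dict[str, socket.socket] = {}
    listener = socket.socket()
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(listen_addr)
    listener.listen()
    listener.setblocking(False)
    sel.register(listener, selectors.EVENT_READ)
    reaped = 0
    stop_at = time.monotonic() + run_seconds
    while time.monotonic() < stop_at:
        for key, _ in sel.select(timeout=0.1):
            now = time.monotonic()
            if key.fileobj is listener:
                conn, addr = listener.accept()
                conn.setblocking(False)
                sid = f"{addr[0]}:{addr[1]}"
                conns[sid] = conn
                table.open(sid, now)
                sel.register(conn, selectors.EVENT_READ, sid)
                continue
            sid = key.data
            try:
                data = key.fileobj.recv(4096)
            except ConnectionError:
                data = b""
            if data:
                table.touch(sid, now)  # activity resets the idle clock
                key.fileobj.sendall(data)
            else:  # peer closed: end of session, sub-criterion [b]
                _close(sel, conns, sid)
                table.end(sid)
        for sid in table.reap_idle(time.monotonic()):  # sub-criterion [c]
            _close(sel, conns, sid)
            reaped += 1
    listener.close()
    return reaped
```

Calling `serve(("127.0.0.1", 0), idle_timeout=5, run_seconds=30)` with a client that connects and then goes quiet shows the connection dropped after five seconds; setting `idle_timeout` to 3600 gives the page's 60-minute policy. Checking the reaped count (or logging the `ended_reason`) is the evidence an assessor would want for sub-criterion [c].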

800-171 Description

Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity.

800-171 Discussion

This requirement applies to internal and external networks. Terminating network connections associated with communications sessions includes de-allocating associated TCP/IP address or port pairs at the operating system level, or de-allocating networking assignments at the application level if multiple application sessions are using a single operating-system-level network connection. Time periods of user inactivity may be established by organizations and include time periods by type of network access or for specific network accesses.

Other Source Discussion

N/A

CIS Control References

NIST 800-53 Control Ref.

NIST SP 800-53 Rev 4 SC-10

CMMC Derived

NIST CSF Control References

NIST 800-171 References

NIST SP 800-171 Rev 1 3.13.9

Applicable FAR Clause

NIST CSF Control Reference

CERT RMM Reference

Modification of NIST 800-171B Reference

NIST 800-171B Reference

UK NCSC Cyber Reference

AS ACSC Reference

Sub-Criterias

Assessment Sub-Criteria 1

SC.3.186.[a] a period of inactivity to terminate network connections associated with communications sessions is defined;

Assessment Sub-Criteria 2

SC.3.186.[b] network connections associated with communications sessions are terminated at the end of the sessions; and

Assessment Sub-Criteria 3

SC.3.186.[c] network connections associated with communications sessions are terminated after the defined period of inactivity.
