Mapped to NIST 800-171 Requirement: 3.13.11
CMMC Assessment Objective: SC.L2-3.13.11
What This Control Means
You must configure your systems so that:
• Sessions end automatically after a user or system completes the task
• Idle sessions are timed out after a defined period (e.g., 15 minutes, 30 minutes)
• Connections are closed securely to prevent hijacking or misuse
This applies to:
• Remote access sessions (VPN, SSH, RDP, VDI)
• Web application sessions
• Internal system-to-system communications involving CUI
• Admin and privileged sessions
Why It Matters
If sessions stay open:
• Unauthorized users can hijack an idle or abandoned session
• Session credentials or cookies can be stolen or replayed
• CUI can be accessed by someone other than the intended user
• You fail compliance controls requiring session management and timeout enforcement
This control protects both data confidentiality and session integrity.
How to Implement It
1. Configure Session Timeout Settings
• Apply timeouts on:
◦ VPN connections
◦ Web applications and portals
◦ RDP/remote desktop sessions
◦ SSH sessions
◦ Cloud consoles (e.g., AWS, Azure)
2. Define Inactivity Periods
• Common settings:
◦ 15 minutes for user sessions
◦ 30 minutes for administrative sessions
• Base your limits on risk and operational needs
3. Secure Session Termination
• Ensure:
◦ Logout processes clear credentials and session tokens
◦ VPNs drop connections that stop sending keep-alive signals
◦ Applications force re-authentication after timeout
4. Monitor Session Termination Events
• Log session start and end times
• Alert on sessions exceeding inactivity thresholds without termination
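The four steps above describe one enforcement loop: a per-role inactivity limit, a token that is invalidated (not just hidden) when the session ends, forced re-authentication afterwards, and start/end events that a monitor can check for sessions that outlived their threshold. The following is an added illustration of that loop, written for this page and not code from the original page or from Cuick Trac. It assumes an in-memory session store, the role names "user" and "admin" mapped to the page's 15- and 30-minute figures, a fake clock so the timeline can be replayed offline, and a simple dictionary event format; real systems would apply the same logic in the VPN, web application, RDP, SSH or cloud-console configuration rather than in application code.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional

# Inactivity limits in seconds per role (page's example values; role names assumed)
IDLE_LIMITS = {"user": 15 * 60, "admin": 30 * 60}


@dataclass
class Session:
    token: str
    role: str
    started: float
    last_activity: float
    reason_ended: Optional[str] = None


class SessionManager:
    """Enforces idle timeouts, invalidates tokens on termination, records events."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._active: Dict[str, Session] = {}
        self.events: List[dict] = []  # session_start / session_end audit records

    def start(self, role: str) -> str:
        token = secrets.token_urlsafe(32)  # unpredictable bearer token
        now = self._clock()
        self._active[token] = Session(token, role, now, now)
        self.events.append({"event": "session_start", "role": role,
                            "token_prefix": token[:8], "time": now})
        return token

    def touch(self, token: str) -> bool:
        """Validate a presented token on each request. Returns True if the session
        is live. An idle session is terminated here, so the caller must re-authenticate."""
        session = self._lookup(token)
        if session is None:
            return False
        now = self._clock()
        if now - session.last_activity > IDLE_LIMITS[session.role]:
            self._terminate(session, "idle_timeout")
            return False
        session.last_activity = now
        return True

    def logout(self, token: str) -> None:
        session = self._lookup(token)
        if session is not None:
            self._terminate(session, "logout")

    def _lookup(self, token: str) -> Optional[Session]:
        # Constant-time comparison so token lookup does not leak via timing
        for stored, session in self._active.items():
            if hmac.compare_digest(stored, token):
                return session
        return None

    def _terminate(self, session: Session, reason: str) -> None:
        del self._active[session.token]  # token invalidated: any replay now fails
        session.reason_ended = reason
        self.events.append({"event": "session_end", "role": session.role,
                            "token_prefix": session.token[:8], "reason": reason,
                            "time": self._clock()})

    def overdue_sessions(self) -> List[str]:
        """Monitoring check: active sessions past their inactivity threshold that
        were never terminated. Each entry is an alert condition."""
        now = self._clock()
        return [s.token[:8] for s in self._active.values()
                if now - s.last_activity > IDLE_LIMITS[s.role]]

    def reap(self) -> None:
        """Enforcement sweep: terminate every overdue session."""
        for s in list(self._active.values()):
            if self._clock() - s.last_activity > IDLE_LIMITS[s.role]:
                self._terminate(s, "idle_timeout")


class FakeClock:
    """Constructed clock so the timeline below is deterministic."""
    def __init__(self, now: float):
        self.now = now

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def simulate() -> dict:
    """Constructed timeline: a user and an admin session, 30 minutes of wall time."""
    clock = FakeClock(1_000_000.0)
    mgr = SessionManager(clock)
    user, admin = mgr.start("user"), mgr.start("admin")
    clock.advance(10 * 60)                      # t = 10 min: user still within 15 min
    user_live_10m = mgr.touch(user)
    clock.advance(20 * 60)                      # t = 30 min: user idle 20 min, admin 30 min
    overdue = mgr.overdue_sessions()            # user session should be flagged
    user_live_30m = mgr.touch(user)             # idle timeout fires, token invalidated
    admin_live_30m = mgr.touch(admin)           # admin at its 30 min limit, still live
    replay = mgr.touch(user)                    # reusing the dead token fails
    mgr.logout(admin)
    return {"user_live_after_10m": user_live_10m, "overdue_after_30m": len(overdue),
            "user_live_after_30m": user_live_30m, "admin_live_after_30m": admin_live_30m,
            "replay_accepted": replay,
            "end_reasons": [e["reason"] for e in mgr.events if e["event"] == "session_end"],
            "event_count": len(mgr.events)}


if __name__ == "__main__":
    for event in SessionManager(FakeClock(0.0)).events or [simulate()]:
        print(event)
```

The point of `overdue_sessions` versus `reap` is the distinction the fourth step draws: enforcement should terminate idle sessions, and monitoring should independently alert when an active session is found past its threshold, because that condition means the enforcement on some system is missing or misconfigured.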
Evidence the Assessor Will Look For
• System configurations enforcing session timeout and termination
• Remote access policy or session management policy defining limits
• Logs showing session termination events
• Screenshots or config files showing inactivity timeouts applied
• Documentation describing secure session closure procedures
Common Gaps
• Sessions stay open indefinitely if idle
• Timeout settings not standardized across systems
• Users responsible for manually logging out (no enforcement)
• Critical sessions (e.g., cloud management consoles) left exposed
How Cuick Trac Helps
Cuick Trac supports this requirement by:
• Tracking session timeout and termination settings across systems
• Logging session end events tied to users and devices
• Alerting if sessions exceed inactivity thresholds without closure
• Mapping timeout policies to specific CUI-handling systems
• Providing audit-ready documentation of session management practices
With Cuick Trac, your CUI sessions are secure, short-lived, and safely terminated when they should be.
Final CTA
Don’t let idle sessions become active threats.
Schedule a Cuick Trac demo to manage and enforce secure session termination across your CUI environment.