AC-11 Session Lock

Access Control

Low, Moderate, High

Description

The information system prevents further access to the system by initiating a session lock after [Assignment: organization-defined time period] of inactivity, and the session lock remains in effect until the user reestablishes access using appropriate identification and authentication procedures.

Supplemental Guidance

Users can directly initiate session lock mechanisms. A session lock is not a substitute for logging out of the information system. Organization-defined time periods of inactivity comply with federal policy; for example, in accordance with OMB Memorandum 06-16, the organization-defined time period is no greater than thirty minutes for remote access and portable devices.

Changes from Rev 4

Title changed from '
[...] the control to focus on device versus session
Changes parameter to selection list
Amplifies how a device lock can be performed

Enhancements

(0) None.

MITRE ATT&CK Techniques (2)

ATT&CK v16.1

Techniques mitigated by this control, mapped via CTID.

Lateral Movement: 2

Compliance Mappings

ISO 27001:2022

A.7.7

ISO 27002:2022

5.15, 7.7

COBIT 2019

DSS05

CIS Controls v8

CIS 4.10, CIS 4.3

CSA CCM v4

HRS-03, UEM-06

CSA AICM v1

HRS-03, UEM-06

NIS2 Directive

Art. 21(2)(i)

MAS TRM

9

BSI IT-Grundschutz

ORP.4

ANSSI

SecNumCloud.10.6

FINMA Circular 2023/1

IV.B.d(59), IV.C(61)

OSFI B-13

B-13.3.2

EU GDPR

Art.32(1)(b)

EU DORA

Art.9(4)(c)

BIO2

5.15, 7.7

RBI CSF

Annex1.8

FISC Security Guidelines

FISC.T2

HKMA TM-E-1

TME1.8.4

SWIFT CSCF

SWIFT.2.6

SAMA CSF

3.1

NCA ECC

2-2

UAE IA

T9

CBB TM

TM-6

Qatar NIA

AC

CBUAE

CR-4

CBE CSF

CTO-1

SA JS2

JS2-7.1, JS2-8.1

CBN CSF

Part3.2

BoG CISD

CISD-VIII

BoM CTRM

3.3

IOSCO Cyber Resilience

PROT-1

CPMI-IOSCO PFMI

CG.PR

FFIEC IS

II.C.15

HIPAA Security Rule

§164.310(b), §164.310(c), §164.312(a)(1), §164.312(a)(2)(iii)

ECB CROE

CROE.2.3.1

EBA ICT Guidelines

3.4.2

SEBI CSCRF

PR.AA

BOT Cyber Resilience

Ch2.2

CMMC 2.0

AC

IEEE 1686-2022

5.8

Common Criteria

CC Part 2 — FRU/FTA/FTP

Solvency II

EIOPA-ICT-4.4

Lloyd's Minimum Standards

MS8.3

NAIC Insurance Data Security

4-access

HITRUST CSF v11

01.c

FDA 21 CFR Part 11

§11.10(d), §11.200(a)(1)(i), §11.200(a)(1)(ii)

ISO 27799

9.4

ISO 17799 (legacy)

11.3.2

COBIT 4.1 (legacy)

None.