IAC-24: Session Lock
Mechanisms exist to initiate a session lock after an organization-defined time period of inactivity, or upon receiving a request from a user and retain the session lock until the user reestablishes access using established identification and authentication methods.
Control Question: Does the organization initiate a session lock after an organization-defined time period of inactivity, or upon receiving a request from a user and retain the session lock until the user reestablishes access using established identification and authentication methods?
General (32)
| Framework | Mapping Values |
|---|---|
| CIS CSC 8.1 | 4.3 |
| CIS CSC 8.1 IG1 | 4.3 |
| CIS CSC 8.1 IG2 | 4.3 |
| CIS CSC 8.1 IG3 | 4.3 |
| CSA CCM 4 | UEM-06 |
| GovRAMP Low+ | AC-11 |
| GovRAMP Moderate | AC-02(05) AC-11 |
| GovRAMP High | AC-02(05) AC-11 |
| IEC 62443-4-2 2019 | CR 2.5 (6.7.1) |
| MITRE ATT&CK 10 | T1021.001, T1563.002 |
| NIST 800-53 R4 | AC-2(5) AC-11 |
| NIST 800-53 R4 (moderate) | AC-11 |
| NIST 800-53 R4 (high) | AC-2(5) AC-11 |
| NIST 800-53 R5 (source) | AC-2(5) AC-11 |
| NIST 800-53B R5 (moderate) (source) | AC-2(5) AC-11 |
| NIST 800-53B R5 (high) (source) | AC-2(5) AC-11 |
| NIST 800-82 R3 MODERATE OT Overlay | AC-2(5) AC-11 |
| NIST 800-82 R3 HIGH OT Overlay | AC-2(5) AC-11 |
| NIST 800-171 R2 (source) | 3.1.10 |
| NIST 800-171A (source) | 3.1.10[a] 3.1.10[b] 3.1.10[c] |
| NIST 800-171 R3 (source) | 03.01.10.a 03.01.10.b |
| NIST 800-171A R3 (source) | A.03.01.10.ODP[01] A.03.01.10.ODP[02] A.03.01.10.a A.03.01.10.b |
| OWASP Top 10 2021 | A01:2021 |
| PCI DSS 4.0.1 (source) | 8.2.8 |
| PCI DSS 4.0.1 SAQ A-EP (source) | 8.2.8 |
| PCI DSS 4.0.1 SAQ C (source) | 8.2.8 |
| PCI DSS 4.0.1 SAQ D Merchant (source) | 8.2.8 |
| PCI DSS 4.0.1 SAQ D Service Provider (source) | 8.2.8 |
| UL 2900-1 2017 | 8.2 |
| SCF CORE Mergers, Acquisitions & Divestitures (MA&D) | IAC-24 |
| SCF CORE ESP Level 2 Critical Infrastructure | IAC-24 |
| SCF CORE ESP Level 3 Advanced Threats | IAC-24 |
US (15)
| Framework | Mapping Values |
|---|---|
| US CERT RMM 1.2 | TM:SG4.SP1 |
| US CJIS Security Policy 5.9.3 (source) | AC-2(5) AC-11 |
| US CMMC 2.0 Level 2 (source) | AC.L2-3.1.10 |
| US CMMC 2.0 Level 3 (source) | AC.L2-3.1.10 |
| US CMS MARS-E 2.0 | AC-11 |
| US FedRAMP R4 | AC-2(5) AC-11 |
| US FedRAMP R4 (moderate) | AC-2(5) AC-11 |
| US FedRAMP R4 (high) | AC-2(5) AC-11 |
| US FedRAMP R5 (source) | AC-2(5) AC-11 |
| US FedRAMP R5 (moderate) (source) | AC-2(5) AC-11 |
| US FedRAMP R5 (high) (source) | AC-2(5) AC-11 |
| US HIPAA HICP Small Practice | 3.S.A |
| US IRS 1075 | AC-11 |
| US NISPOM 2020 | 8-609 |
| US - TX TX-RAMP Level 2 | AC-2(5) AC-11 |
EMEA (5)
| Framework | Mapping Values |
|---|---|
| EMEA Germany C5 2020 | PSS-06 |
| EMEA Israel CDMO 1.0 | 4.16 |
| EMEA Saudi Arabia OTCC-1 2022 | 2-2-1-4 |
| EMEA Saudi Arabia SACS-002 | TPC-2 |
| EMEA UK DEFSTAN 05-138 | 2408 |
APAC (2)
| Framework | Mapping Values |
|---|---|
| APAC Australia ISM June 2024 | ISM-0428 |
| APAC New Zealand NZISM 3.6 | 16.1.45.C.01 16.1.45.C.02 |
Americas (1)
| Framework | Mapping Values |
|---|---|
| Americas Canada ITSP-10-171 | 03.01.10.A 03.01.10.B |
Capability Maturity Model
Level 0 — Not Performed
There is no evidence of a capability to initiate a session lock after an organization-defined time period of inactivity, or up on receiving a request from a user and retain the session lock until the user reestablishes access using established identification and authentication methods.
Level 1 — Performed Informally
Identification & Authentication (IAC) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- Identity & Access Management (IAM) is decentralized where Active Directory (AD), or a similar technology, may be used to centrally manage identities and permissions, but asset/process owners are authorized to operate a decentralized access control program for their specific systems, applications and services.
- IAM controls are primarily administrative in nature (e.g., policies & standards) to manage accounts and permissions.
- IT personnel identify and implement IAM cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements.
Level 2 — Planned & Tracked
Identification & Authentication (IAC) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Implement and maintain an Identity & Access Management (IAM) capability for all users to implement “least privileges” Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts. o Govern IAM technologies via RBAC to prohibit privileged access by non-organizational users, unless there is an explicit support contract for privileged IT support services.
- Logical Access Control (LAC) is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
- IT/cybersecurity personnel identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for logical access control.
- IT personnel:
- Active Directory (AD), or a similar technology, is primarily used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific systems, applications and services that cannot be integrated into AD.
- IAM controls are primarily administrative in nature (e.g., policies & standards) to manage accounts and permissions.
Level 3 — Well Defined
Identification & Authentication (IAC) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- An Identity & Access Management (IAM) function, or similar function, centrally manages permissions and implements “least privileges” Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.
- The Human Resources (HR) department governs personnel management operations and notifies IAM personnel of personnel role changes for RBAC-based provisioning and deprovisioning actions.
- An IT Asset Management (ITAM) function, or similar function, categorizes endpoint devices according to the data the asset stores, transmits and/ or processes and applies the appropriate technology controls to protect the asset and data that conform to industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides).
- An IT infrastructure team, or similar function, ensures that statutory, regulatory and contractual cybersecurity and data privacy obligations are addressed to ensure secure configurations are designed, built and maintained.
- Active Directory (AD), or a similar technology, is used to centrally manage identities and permissions. Only by exception due to a technical or business limitation are solutions authorized to operate a decentralized access control program for systems, applications and services.
Level 4 — Quantitatively Controlled
See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to initiate a session lock after an organization-defined time period of inactivity, or up on receiving a request from a user and retain the session lock until the user reestablishes access using established identification and authentication methods.
Level 5 — Continuously Improving
See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to initiate a session lock after an organization-defined time period of inactivity, or up on receiving a request from a user and retain the session lock until the user reestablishes access using established identification and authentication methods.
Assessment Objectives
- IAC-24_A01 the period of inactivity after which the system initiates a session lock is defined.
- IAC-24_A02 access to the system and viewing of data is prevented by initiating a session lock after the defined period of inactivity.
- IAC-24_A03 previously visible information is concealed via a pattern-hiding display after the defined period of inactivity.
- IAC-24_A04 the time period of expected inactivity or description of when to log out is defined.
- IAC-24_A05 users are required to log out when organization-defined time period of expected inactivity or description of when to log out.
- IAC-24_A06 the time period of inactivity after which a device lock is initiated is defined (if selected).
- IAC-24_A07 access to the system is prevented by <A.03.01.10.ODP[01]: SELECTED PARAMETER VALUES>.
- IAC-24_A08 the device lock is retained until the user reestablishes access using established identification and authentication procedures.
- IAC-24_A09 one or more of the following PARAMETER VALUES are selected: {a device lock is initiated after <A.03.01.10.ODP[02]: time period> of inactivity; the user is required to initiate a device lock before leaving the system unattended}.
Technology Recommendations
Micro/Small
- Secure Baseline Configurations (SBC)
Small
- Secure Baseline Configurations (SBC)
Medium
- Secure Baseline Configurations (SBC)
Large
- Secure Baseline Configurations (SBC)
Enterprise
- Secure Baseline Configurations (SBC)