Access Control 3.1.11

Terminate (automatically) a user session after a defined condition.

What Is This CMMC Control?

Organizations must automatically end user sessions after specific conditions are met, such as periods of inactivity, security incidents, or time-based restrictions. This protects against unauthorized access when users leave workstations unattended or when sessions should no longer be active based on organizational policy.

Control Intent

Prevent unauthorized access to organizational systems and CUI by ensuring user sessions do not remain active indefinitely or beyond authorized timeframes, reducing the window of opportunity for session hijacking, unauthorized use of unattended systems, and access outside approved hours.

Who This Control Applies To

  • All systems that process, store, or transmit CUI
  • Workstations and laptops used to access CUI
  • Remote access solutions (VPN, RDP, virtual desktops)
  • Web applications and SaaS platforms handling CUI
  • Database management systems containing CUI
  • Administrative consoles and privileged access workstations
  • Mobile devices accessing organizational systems
  • Cloud-based infrastructure and platform services
  • Network devices with administrative interfaces
  • Application servers hosting CUI-related applications

Not Applicable When

  • Systems that do not support user sessions or interactive logons
  • Embedded systems or IoT devices without user session capabilities
  • Batch processing systems without interactive user access
  • Systems exclusively accessed through service accounts without human interaction
  • Network infrastructure devices that only support console access with physical presence requirements
  • Systems in isolated environments with continuous physical monitoring and no remote access capability

Key Objectives

  1. User sessions are automatically terminated after defined periods of inactivity to prevent unauthorized access to unattended systems.
  2. Session termination mechanisms respond to security incidents or anomalous conditions to limit potential damage.
  3. User access is restricted to authorized time periods through automatic session termination outside approved hours.
  4. All user-initiated logical sessions are terminated without requiring manual intervention when trigger conditions are met.

Sample Self-Assessment Questions (Partial)

Does your organization have a defined inactivity timeout period for user sessions?

Are user sessions automatically locked or terminated after a period of inactivity?

Implementation Approaches (High-Level)

Operating System Inactivity Timeout

Configure built-in operating system features to automatically log out users after a defined period of inactivity, typically enforced through Group Policy (Windows), configuration profiles (macOS), or login-shell and display-manager settings on Linux (for example, a read-only TMOUT value that ends idle interactive shells). Note that a screen lock alone satisfies 3.1.10 (session lock); to satisfy 3.1.11 the configured action must actually end the session, not merely lock it.

Remote Access Session Timeout

Configure automatic session termination for remote access solutions including VPN, Remote Desktop Protocol (RDP), SSH, and virtual desktop infrastructure (VDI) based on inactivity or maximum session duration.

Web Application Session Management

Implement server-side session timeout mechanisms in web applications and SaaS platforms that automatically invalidate user sessions after inactivity or after a maximum absolute duration, requiring full re-authentication. Client-side timers (JavaScript redirects, cookie expiry) alone do not satisfy the control, because an attacker who has captured the session identifier is not bound by them; the server must invalidate the identifier so that it is rejected even if presented again.

Database Session Timeout

Configure automatic termination of idle database connections and sessions to prevent unauthorized access through abandoned or hijacked database sessions.

Privileged Access Management (PAM) Session Control

Implement dedicated session management for privileged accounts through PAM solutions that enforce strict timeout policies, session recording, and automatic termination for high-risk administrative access.

Time-Based Access Restrictions

Implement automatic session termination based on time-of-day or day-of-week restrictions, ensuring users cannot maintain active sessions outside approved access hours.
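The following Python sketch is an added example, not code from this page or from ConformatIQ, of a server-side session store that enforces all of the termination conditions described in the Web Application Session Management and Time-Based Access Restrictions approaches above, plus the incident-driven termination named in Key Objective 2. The class names (SessionPolicy, SessionStore), the timestamps, and the 15-minute / 8-hour / 06:00-20:00 UTC values are illustrative assumptions; the FAQ below notes that CMMC prescribes no specific values.

```python
# Added example: server-side session store enforcing the termination
# conditions described on this page (idle timeout, maximum session
# duration, approved access hours, incident-driven termination).
# Class and function names are illustrative, not from any product.
from __future__ import annotations

import secrets
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone
from typing import Dict, List, Optional, Tuple


@dataclass
class SessionPolicy:
    idle_timeout: timedelta                      # inactivity before termination
    max_duration: timedelta                      # absolute lifetime, regardless of activity
    access_window: Optional[Tuple[time, time]]   # (start, end) in UTC; None means 24/7


@dataclass
class Session:
    user: str
    created: datetime
    last_seen: datetime


class SessionStore:
    """Authoritative session table. Every request must pass through validate()."""

    def __init__(self, policy: SessionPolicy) -> None:
        self.policy = policy
        self._sessions: Dict[str, Session] = {}
        self.audit: List[Tuple[str, str]] = []   # (user, termination reason)

    def _in_access_window(self, now: datetime) -> bool:
        if self.policy.access_window is None:
            return True
        start, end = self.policy.access_window
        return start <= now.astimezone(timezone.utc).time() < end

    def create(self, user: str, now: datetime) -> str:
        if not self._in_access_window(now):
            raise PermissionError("logon outside approved access hours")
        sid = secrets.token_urlsafe(32)          # unguessable identifier
        self._sessions[sid] = Session(user, created=now, last_seen=now)
        return sid

    def _terminate(self, sid: str, reason: str) -> None:
        sess = self._sessions.pop(sid)           # identifier is now rejected everywhere
        self.audit.append((sess.user, reason))

    def validate(self, sid: str, now: datetime) -> Optional[Session]:
        """Return the live session for this request, or None if it was (or is now) terminated."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        if now - sess.created > self.policy.max_duration:
            self._terminate(sid, "maximum session duration exceeded")
            return None
        if now - sess.last_seen > self.policy.idle_timeout:
            self._terminate(sid, "idle timeout")
            return None
        if not self._in_access_window(now):
            self._terminate(sid, "outside approved access hours")
            return None
        sess.last_seen = now                     # activity refreshes the idle clock only
        return sess

    def terminate_user(self, user: str, reason: str) -> int:
        """Incident response hook: end every session for a user (e.g. suspected credential compromise)."""
        sids = [sid for sid, s in self._sessions.items() if s.user == user]
        for sid in sids:
            self._terminate(sid, reason)
        return len(sids)

    def active_count(self) -> int:
        return len(self._sessions)


def demo() -> Dict[str, object]:
    """Walk the four termination paths with constructed timestamps; values are illustrative."""
    policy = SessionPolicy(timedelta(minutes=15), timedelta(hours=8), (time(6, 0), time(20, 0)))
    store = SessionStore(policy)
    t0 = datetime(2024, 1, 8, 9, 0, tzinfo=timezone.utc)    # constructed start time
    results: Dict[str, object] = {}

    sid = store.create("alice", t0)
    store.validate(sid, t0 + timedelta(minutes=10))            # active, idle clock reset
    results["idle"] = store.validate(sid, t0 + timedelta(minutes=26)) is None   # 16 min idle

    sid = store.create("alice", t0)
    for i in range(1, 50):                                      # steady 10-minute activity
        store.validate(sid, t0 + timedelta(minutes=10 * i))
    results["max_duration"] = store.audit[-1][1]                # terminated at 8h10m

    sid = store.create("carol", t0.replace(hour=19, minute=50))
    results["after_hours"] = store.validate(sid, t0.replace(hour=20, minute=5)) is None

    store.create("bob", t0)
    store.create("bob", t0)
    results["incident_killed"] = store.terminate_user("bob", "incident: credential compromise")
    results["active"] = store.active_count()
    return results
```

The design point is that every decision lives on the server: the absolute lifetime is checked before the idle clock so that steady activity cannot extend a session forever, activity refreshes only last_seen, and termination removes the identifier from the table so a replayed cookie is rejected. The audit list stands in for the log entries an assessor would expect as evidence of enforcement.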

Cloud Service Session Policies

Configure session timeout and termination policies within cloud service provider platforms and SaaS applications using native identity and access management features.

Evidence & Assessment Notes

Expected Evidence

Organizations should maintain documentation and evidence demonstrating compliance with this control. This may include policy documentation, configuration records, audit logs, access reviews, and other relevant artifacts that show how the control is implemented and maintained.

Plan of Action & Milestones (POA&M)

  • If session timeout cannot be immediately implemented on all systems, prioritize based on risk: privileged access systems first, then remote access, then systems processing CUI, then general user workstations.
  • For systems with technical limitations preventing automatic session termination, document compensating controls such as enhanced monitoring, physical security, or manual session review processes.
  • If timeout values must be longer than policy due to operational requirements, document the business justification and obtain risk acceptance from the appropriate authority.
  • Create a phased implementation plan starting with the most critical systems and expanding to the full environment over a defined timeline (typically 3-6 months).
  • For legacy systems that cannot support session timeout, include system replacement or upgrade in the POA&M with a realistic timeline.
  • Document any exceptions to standard timeout policies with risk-based justification and compensating controls.
  • Include a user communication and training plan in the POA&M to minimize operational disruption from new timeout policies.
  • For cloud services where session timeout is not configurable, document provider limitations and any available alternative controls.
  • Ensure the POA&M includes validation testing to confirm timeout enforcement after implementation.
  • Consider interim manual processes (e.g., daily review of active sessions, mandatory logoff procedures) while automated controls are being implemented.

Frequently Asked Questions

What is the difference between session lock (3.1.10) and session termination (3.1.11)?

Session lock (3.1.10) requires a password to resume an existing session after inactivity, but the session remains active. Session termination (3.1.11) completely ends the session, requiring full re-authentication and starting a new session. Both controls work together: session lock provides immediate protection for brief absences, while session termination ensures sessions don't remain active indefinitely. Most organizations implement session lock at shorter intervals (e.g., 15 minutes) and session termination at longer intervals (e.g., 8 hours) or end of business day.

What are appropriate session timeout values for CMMC compliance?

CMMC does not prescribe specific timeout values; organizations must define appropriate values based on risk assessment. Common industry practices include: 15-30 minutes idle timeout for workstations, 30-60 minutes for remote access sessions, 10-15 minutes for privileged access, and 8-12 hours maximum session duration. Shorter timeouts provide better security but may impact user productivity, so values should balance security requirements with operational needs. Document your rationale for chosen timeout values based on system sensitivity, user role, and access method.

Do session timeout requirements apply to service accounts and automated processes?

No, this control specifically addresses user-initiated logical sessions, not automated processes or service accounts. Service accounts that run scheduled tasks or automated processes are not subject to session termination requirements. However, any interactive sessions initiated by administrators using service account credentials would be subject to timeout requirements. Organizations should minimize interactive use of service accounts and implement separate controls for service account management and monitoring.

Can we have different timeout values for different types of users or systems?

Yes, risk-based timeout values are appropriate and expected. Privileged users typically require shorter timeouts (10-15 minutes) than standard users (15-30 minutes). Systems processing highly sensitive CUI may warrant shorter timeouts than systems with less sensitive data. Remote access sessions often have different timeout requirements than local access. Document the rationale for different timeout values based on risk factors such as user privilege level, data sensitivity, access method, and threat environment.

What happens if a user has unsaved work when their session is automatically terminated?

Session termination will end the session and may result in loss of unsaved work, which is why organizations must balance security with operational needs when setting timeout values. Users should be trained to save work frequently and be aware of timeout policies. Some systems provide warnings before termination, giving users opportunity to save work and extend the session. For critical long-running processes, organizations may implement compensating controls such as application-level auto-save features, longer timeouts with enhanced monitoring, or dedicated systems for long-running tasks with appropriate security controls.

How do we handle session termination for users who need 24/7 access or work across multiple time zones?

Time-based session termination (end of business day) may not be appropriate for organizations with 24/7 operations or global teams. In these cases, focus on idle timeout and maximum session duration rather than time-of-day restrictions. Implement risk-based controls such as enhanced monitoring for after-hours access, shorter idle timeouts during off-hours, or additional authentication requirements for extended sessions. Document business justification for any deviations from standard time-based restrictions and implement compensating controls to address the increased risk of extended session availability.

How ConformatIQ Helps With CMMC Readiness

ConformatIQ is an AI-assisted CMMC readiness platform designed to help organizations prepare for assessments more efficiently. The platform supports document generation such as SSPs and POA&Ms, guided readiness workflows, centralized evidence tracking, and interview preparation for assessments.

Information sourced from NIST SP 800-171 Rev. 2. See full disclaimer.