System and Communications Protection 3.13.9 (3.13.9)

What Is This CMMC Control?

This control requires organizations to automatically terminate network connections when communication sessions end or after a defined period of user inactivity. This applies to both internal and external network connections and can be implemented at the operating system level (TCP/IP connections) or application level (application sessions). The goal is to prevent unauthorized access through abandoned or idle sessions and reduce the attack surface by closing unused network pathways.

Control Intent

Prevent unauthorized access and reduce security risks by ensuring that network connections do not remain open indefinitely when not actively in use, thereby limiting opportunities for session hijacking, unauthorized access through abandoned sessions, and unnecessary exposure of network resources.

Who This Control Applies To

• •All systems that establish network connections for user sessions, including workstations, servers, and network devices
• •Web applications and cloud services that maintain user sessions
• •Remote access solutions including VPN, RDP, SSH, and terminal services
• •Database management systems and application servers
• •Network infrastructure devices such as firewalls, routers, and switches with administrative interfaces
• •Wireless access points and controllers
• •Multi-user systems where multiple users may access the same resources
• •Any system or application that maintains stateful connections with users or other systems

Expected Evidence

Organizations should maintain documentation and evidence demonstrating compliance with this control. This may include policy documentation, configuration records, audit logs, access reviews, and other relevant artifacts that show how the control is implemented and maintained.

Plan of Action & Milestones (POA&M)

If session timeout controls are not currently implemented, prioritize systems with the highest risk exposure: internet-facing applications, remote access solutions, and systems processing CUI For systems that cannot support automatic session termination due to technical limitations, document the limitation, assess the risk, and implement compensating controls such as enhanced monitoring, network segmentation, or additional authentication requirements If timeout periods are currently set too high (e.g., several hours or days), develop a phased approach to reduce them to acceptable levels while managing user impact and communication When multiple systems require timeout configuration, group them by type (e.g., all Windows servers, all web applications) and implement standardized configurations to improve efficiency If users complain about timeout settings causing productivity issues, investigate whether the timeout periods are appropriate for the work being performed and whether auto-save or session persistence features can mitigate data loss concerns For legacy systems that cannot be configured with session timeouts, consider implementing network-level controls (firewall idle timeout) as a compensating control while planning for system replacement or upgrade Document any business-justified exceptions to standard timeout periods (e.g., long-running batch processes, specific operational requirements) and ensure appropriate compensating controls are in place If timeout settings exist but are not consistently enforced, investigate whether keep-alive mechanisms, application bugs, or misconfigurations are preventing proper timeout behavior Consider implementing a timeout warning notification to users before session termination to reduce unexpected logouts and improve user acceptance Ensure that timeout settings are included in system hardening standards, configuration baselines, and deployment checklists to prevent regression