CMMC Practice SC.L2-3.13.9 – Connections Termination: Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity.
Links to Publicly Available Resources
This document provides assessment guidance for conducting Cybersecurity Maturity Model Certification (CMMC) assessments for Level 2. NIST resource that defines requirements for proper termination of network connections for predefined sessions time or period of inactivity. This policy describes the need to prevent unauthorized and unintended information transfer via shared system resource on NC information systems. See section SC-4 - Information in Shared Resources. This resource offers assessment guidance for a related control (NIST SP 800-53 SC-10)
Discussion [NIST SP 800-171 R2]
This requirement applies to internal and external networks. Terminating network connections associated with communications sessions include de-allocating associated TCP/IP address or port pairs at the operating system level, or de-allocating networking assignments at the application level if multiple application sessions are using a single, operating system-level network connection. Time periods of user inactivity may be established by organizations and include time periods by type of network access or for specific network accesses.
Further Discussion
Prevent malicious actors from taking advantage of an open network session or an unattended computer at the end of the connection. Balance user work patterns and needs against security to determine the length of inactivity that will force a termination.
This practice, SC.L2-3.13.9, requires network connections be terminated under certain conditions, which complements AC.L2-3.1.18 that requires control of mobile device connections.