CMMC Practice AC.L2-3.1.10 – Session Lock: Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity.
This document provides assessment guidance for conducting Cybersecurity Maturity Model Certification (CMMC) assessments for Level 2.

Related resources on implementing session lock:

When you walk away from your computer, lock it so that other people cannot access the machine and its data. On Windows 10 you can lock manually with Windows Key + L, or with Ctrl + Alt + Del and then choosing Lock, but it is easy to forget. The useful option is to have Windows lock automatically after a set period of inactivity; this resource walks through a few ways to set that up.

An example of a screen-locking standard used in academia.

An article describing how to configure inactivity timeouts on Windows.

Red Hat documentation giving an administrator step-by-step instructions for configuring a screen lock policy based on inactivity.

An edition of the On Call Compliance Solutions Compliance Tip of the Week discussing session locks as temporary actions taken when users stop work and move away from the immediate vicinity of the system but do not want to log out because of the temporary nature of their absence.

Let's talk about NIST SP 800-171 Control 3.1.10 -- Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity.
Session locks are temporary actions taken when users stop work and move away from the immediate vicinity of the system but do not want to log out because of the temporary nature of their absences. Session locks are implemented where session activities can be determined, typically at the operating system level (but can also be at the application level). Session locks are not an acceptable substitute for logging out of the system, for example, if organizations require users to log out at the end of the workday.
Pattern-hiding displays can include static or dynamic images, for example, patterns used with screen savers, photographic images, solid colors, clock, battery life indicator, or a blank screen, with the additional caveat that none of the images convey controlled unclassified information.
Further Discussion
Session locks can be initiated by the user or, more reliably, triggered automatically when the system has been idle for a defined period, for example five minutes. They are a quick way to prevent unauthorized use of a system without requiring the user to log off. The organization defines the minimum configuration, for example the maximum idle period before the lock engages.
A locked session shows pattern-hiding information on the screen to mask the data on the display.
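As an added example, not part of the CMMC or NIST guidance above, the following shell script shows one way to enforce and audit the automatic idle lock described above on a Red Hat style workstation running GNOME. It writes the system dconf policy keys (idle-delay, lock-enabled, lock-delay) plus a lock file so users cannot override them in their own profile, sets a matching TMOUT for idle TTY and SSH shells, and then audits the written policy against an assumed organization limit of 900 seconds. The 900-second value, the file names 00-session-lock and tmout.sh, and the scratch-directory parameter are assumptions for illustration; on a real system the functions are called with / as root and dconf update compiles the database.

```shell
#!/bin/sh
# Added example: configure and audit an inactivity session lock on a
# RHEL/GNOME host. Not taken from the CMMC/NIST text. Assumes GNOME with
# dconf and an organization-defined limit of 900 seconds (15 minutes).
set -eu

MAX_IDLE_SECONDS=900   # organization-defined maximum idle period (assumed)

# $1 = root of the filesystem to write into: "/" on a live system, or a
# scratch directory to try the script offline without touching the host.
write_session_lock_policy() {
    root="${1:-/}"
    d="$root/etc/dconf/db/local.d"
    mkdir -p "$d/locks" "$root/etc/profile.d"

    # System-wide GNOME policy: go idle after the limit, lock immediately.
    cat > "$d/00-session-lock" <<EOF
[org/gnome/desktop/session]
idle-delay=uint32 $MAX_IDLE_SECONDS

[org/gnome/desktop/screensaver]
lock-enabled=true
lock-delay=uint32 0
EOF

    # Lock the keys so a user cannot disable the timer in their own profile.
    cat > "$d/locks/00-session-lock" <<EOF
/org/gnome/desktop/session/idle-delay
/org/gnome/desktop/screensaver/lock-enabled
/org/gnome/desktop/screensaver/lock-delay
EOF

    # Idle login shells (TTY, SSH) have no screen to lock; terminate them
    # after the same limit. readonly stops the user from unsetting it.
    cat > "$root/etc/profile.d/tmout.sh" <<EOF
readonly TMOUT=$MAX_IDLE_SECONDS
export TMOUT
EOF

    # On a live system compile the dconf database so the keys take effect.
    if [ "$root" = "/" ]; then
        dconf update
    fi
    return 0
}

# Audit the written policy. Returns 0 when every value is within the limit,
# 1 otherwise. Note that idle-delay=0 means "never idle", i.e. no auto lock.
audit_session_lock_policy() {
    root="${1:-/}"
    policy="$root/etc/dconf/db/local.d/00-session-lock"
    tmout_file="$root/etc/profile.d/tmout.sh"
    status=0

    idle=""; lock=""; tmout=""
    if [ -r "$policy" ]; then
        idle=$(sed -n 's/^idle-delay=uint32 \([0-9]*\)$/\1/p' "$policy")
        lock=$(sed -n 's/^lock-enabled=\(.*\)$/\1/p' "$policy")
    fi
    if [ -r "$tmout_file" ]; then
        tmout=$(sed -n 's/^readonly TMOUT=\([0-9]*\)$/\1/p' "$tmout_file")
    fi

    if [ -z "$idle" ] || [ "$idle" -eq 0 ] || [ "$idle" -gt "$MAX_IDLE_SECONDS" ]; then
        echo "FAIL idle-delay=${idle:-unset} (0 or unset disables the automatic lock)"
        status=1
    fi
    if [ "$lock" != "true" ]; then
        echo "FAIL lock-enabled=${lock:-unset}"
        status=1
    fi
    if [ -z "$tmout" ] || [ "$tmout" -gt "$MAX_IDLE_SECONDS" ]; then
        echo "FAIL TMOUT=${tmout:-unset}"
        status=1
    fi
    return $status
}

# Demo against a scratch tree so it runs offline (real use: root "/").
demo_root=$(mktemp -d)
write_session_lock_policy "$demo_root"
if audit_session_lock_policy "$demo_root"; then
    echo "PASS: session lock policy within ${MAX_IDLE_SECONDS}s"
fi
rm -rf "$demo_root"
```

The audit deliberately treats idle-delay=0 as a failure: that value is what a user (or a convenience-minded admin) sets to turn the idle timer off, so a check that only compares against the maximum would pass the very configuration the practice is meant to rule out. Also keep in mind that this configures the lock but not the unlock: GNOME's lock screen requires the user's password by default, and an assessor will want to see that re-authentication is in place, not only that the display blanks.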