AC.3.019 Terminate (automatically) user sessions after a defined condition.

CMMC Practice AC.3.019: Terminate (automatically) user sessions after a defined condition.

Links to Publicly Available Resources

CMMC CLARIFICATION (Ref CMMC – Appendix B)

This practice may require security policy development if it does not exist. Configure the system to end user sessions based on the organization’s policy. Policy guidance for session termination usually includes circumstances, events, or specific triggers that require automatically terminating the session or logging off the user. If there is no automatic control of user sessions, an attacker can take advantage of an unattended session.