GRCWatch
Sign inStart free trial

SC.L2-3.13.9: Connections Termination — CMMC Level 2 Control

Network connections left open after user inactivity create security vulnerabilities and unauthorized access risks. SC.L2-3.13.9 requires you to automatically terminate idle connections, reducing exposure to session hijacking and lateral movement attacks. This control is essential for SMBs handling sensitive contractor data under CMMC compliance.

What this means

This control mandates that your organization automatically disconnect network communications sessions when users remain inactive for a defined period. Instead of relying on manual logoff, systems must enforce automatic termination to prevent abandoned sessions from being exploited by threat actors. The 'defined period' should be risk-appropriate—typically 15-30 minutes for sensitive systems—and consistently applied across all network-accessible resources.

How to comply

  1. 1.Establish and document an inactivity timeout policy specifying the maximum allowed idle time (typically 15-30 minutes depending on system sensitivity)
  2. 2.Configure automatic session termination settings on all network devices, servers, and applications handling CUI or sensitive data
  3. 3.Implement timeout controls on remote access solutions (VPN, RDP, SSH) to automatically disconnect idle user sessions
  4. 4.Enable session monitoring and logging to track when connections are terminated due to inactivity
  5. 5.Test timeout configurations regularly to ensure they function correctly across different user connection types
  6. 6.Communicate the inactivity timeout policy to all users so they understand session behavior and save work accordingly
  7. 7.Review and adjust timeout periods annually based on operational needs and security assessments

Evidence auditors look for

  • Network device configuration screenshots showing idle timeout settings enabled and configured with specific time intervals
  • System logs documenting automatic session terminations triggered by inactivity thresholds
  • Screenshots from remote access tools (VPN, RDP servers) displaying active timeout policies
  • Policy documentation defining inactivity periods for different system classifications or user roles
  • Test results demonstrating successful termination of idle connections after the configured timeout period
  • Application server configurations with session timeout parameters documented and enabled
  • Audit logs showing enforced connection closures with timestamps and reasons recorded

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch monitors all active network connections across your infrastructure and automatically flags sessions exceeding your inactivity thresholds, giving you real-time visibility into compliance gaps for SC.L2-3.13.9 without manual log reviews.

See how GRCWatch handles this control automatically

Start free trial

Related controls

SC.L1-3.13.8 — Session LockSC.L2-3.1.1 — Authorized AccessSC.L2-3.1.2 — Access EnforcementAU.L2-3.3.1 — Audit EventsIA.L1-3.5.1 — Identification and Authentication