Session Termination (NIST SP 800-171 3.1.11)
Session termination is a critical access control that automatically logs users out after inactivity or defined conditions, reducing the window for unauthorized access. This NIST 800-171 control prevents unattended systems from being exploited by requiring your organization to enforce automatic session timeout policies across all systems handling controlled unclassified information (CUI).
What this means
You must automatically terminate user sessions when specific conditions are met—such as inactivity timeout, end of business day, or role change. This prevents unauthorized access to unattended workstations and reduces the risk of credential misuse. Session termination applies to all system access points, including remote access, local workstations, and application logins.
How to comply
- 1.Define session timeout thresholds (e.g., 15-30 minutes inactivity) based on system sensitivity and risk assessment
- 2.Configure automatic logout mechanisms in all systems, applications, and remote access tools (VPN, RDP, SSH)
- 3.Set maximum session duration limits to force re-authentication even during active use
- 4.Implement session termination for privilege changes, role updates, or access revocation events
- 5.Document session termination policies and communicate to all users
- 6.Test session timeout functionality across all platforms and access methods
- 7.Monitor and log all session terminations for audit trail purposes
Evidence auditors look for
- System configuration documentation showing inactivity timeout settings (15-30 minutes typical)
- Active Directory or IAM policy screenshots displaying automatic session termination rules
- Application server logs showing session timeout events and timestamps
- VPN/remote access configuration files with session duration limits
- Firewall or proxy rules enforcing session timeout across network access
- User access policy documentation referencing automatic logoff requirements
- Screenshots of system administrative interfaces with timeout settings enabled
- Testing reports validating session termination works as configured
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automatically collects session termination logs from your systems, validates timeout configurations match your policy, and generates audit-ready evidence—eliminating manual log review and compliance reconciliation.
See how GRCWatch handles this control automatically
Start free trial