Level 5 CMMC - CMMC Practices

AC.2.010  

Reference: CMMC 1.02

Family: AC

Level Introduced: 2

Practice:
Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity.

CMMC Clarification:
You can set session locks on your system. A user can enable the lock. Also, the system can enable it automatically after a preset time, for example, from one to five minutes. Session locks are a quick way to prevent unauthorized use of the systems without having a user log off.

A locked session shows pattern-hiding information on the machine screen. This masks the data on the display.

Example
You are the IT administrator in your organization. You notice that employees leave their offices without locking their computers. Sometimes their screens display sensitive company information. You remind your coworkers to lock their systems when they walk away. You set all machines to lock after five minutes of inactivity.

3.1.10

Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity.

Discussion:
Session locks are temporary actions taken when users stop work and move away from the immediate vicinity of the system but do not want to log out because of the temporary nature of their absences. Session locks are implemented where session activities can be determined, typically at the operating system level (but can also be at the application level). Session locks are not an acceptable substitute for logging out of the system, for example, if organizations require users to log out at the end of the workday.

Pattern-hiding displays can include static or dynamic images, for example, patterns used with screen savers, photographic images, solid colors, clock, battery life indicator, or a blank screen, with the additional caveat that none of the images convey controlled unclassified information.

Source: NIST Special Publication 800-171 Rev. 2

AC-11

SESSION LOCK

Description:
The information system:
    a. Prevents further access to the system by initiating a session lock after [Assignment: organization-defined time period] of inactivity or upon receiving a request from a user; and
    b. Retains the session lock until the user reestablishes access using established identification and authentication procedures.

Supplemental Guidance:
Session locks are temporary actions taken when users stop work and move away from the immediate vicinity of information systems but do not want to log out because of the temporary nature of their absences. Session locks are implemented where session activities can be determined. This is typically at the operating system level, but can also be at the application level. Session locks are not an acceptable substitute for logging out of information systems, for example, if organizations require users to log out at the end of workdays. Related control: AC-7.

AC-11 (1)

SESSION LOCK | PATTERN-HIDING DISPLAYS

Description:
The information system conceals, via the session lock, information previously visible on the display with a publicly viewable image.

Supplemental Guidance:
Publicly viewable images can include static or dynamic images, for example, patterns used with screen savers, photographic images, solid colors, clock, battery life indicator, or a blank screen, with the additional caveat that none of the images convey sensitive information.

Source: NIST Special Publication 800-53 Rev. 4

Source: CMMC v1.02