Description: 

Session locks are temporary actions taken when users stop work and move away from the immediate vicinity of the system but do not want to log out because of the temporary nature of their absence. Session locks are implemented where session activity can be determined, typically at the operating system level (but they can also be implemented at the application level). Session locks are not an acceptable substitute for logging out of the system, for example where organizations require users to log out at the end of the workday. Pattern-hiding displays can include static or dynamic images, for example the patterns used by screen savers, photographic images, solid colors, a clock, a battery life indicator, or a blank screen, with the additional caveat that none of the images convey controlled unclassified information (CUI).


Priority: Medium


Category: Centralized Controls Management 


Services Associated with AWS: 

  • Amazon WorkSpaces, Amazon AppStream 2.0


Objective Evidence: 

  • Administrative: documented policies, standards & procedures 
  • Administrative: supporting documentation to demonstrate the "secure practices" used to build technology platform-specific secure baseline configurations 
  • Technical: screen shot of configuration settings


Possible Technology Considerations: 

  • Secure Baseline Configurations (SBC) 


What needs to be answered: 

Do workstations and virtual desktops lock automatically after a defined period of inactivity, and do they require re-authentication to resume the session?


  • Ensure Implementation of Session Lock
    Description: This check verifies that session locks are implemented to secure the system when users stop work and move away from the immediate vicinity of the system but do not want to log out.
  • Validate Usage of Session Lock vs. System Log Out
    Description: This check confirms that session locks are not being used as a substitute for logging out of the system when required, such as at the end of the workday.
  • Check Implementation of Pattern-Hiding Displays
    Description: This check ensures that pattern-hiding displays, which can include static or dynamic images that do not convey controlled unclassified information, are used in conjunction with session locks.


More details: Sessions on systems containing CUI are logged off automatically after 15 minutes of inactivity.
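The three checks above (lock implemented, lock requires re-authentication and is not a stand-in for log-out, pattern-hiding display configured) together with the 15-minute inactivity limit can be evaluated mechanically against the session-lock policy of a Windows desktop, which is what an assessor would otherwise read off the "screen shot of configuration settings". The following is an added example, not part of this control text and not AWS or Microsoft code. It assumes the settings are exported with `reg export` from the user policy key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop, and that the values ScreenSaveActive, ScreenSaverIsSecure, ScreenSaveTimeOut and SCRNSAVE.EXE carry their usual Group Policy meanings (screen saver on, password required on resume, idle seconds, screen saver binary). Both registry exports embedded below are constructed for the example; they were not taken from a real host.

```python
"""Audit Windows session-lock policy values from a `reg export` text dump.

Added example for the session-lock control: parses a .reg export and reports
findings for (1) lock not enabled, (2) lock not requiring re-authentication,
(3) idle timeout missing, zero or longer than 15 minutes, (4) no pattern-hiding
screen saver configured.  All sample data is constructed.
"""
import re

# Assumed policy key (Group Policy "Personalization" settings land here).
DESKTOP_POLICY_KEY = (
    r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop"
)
# 15-minute inactivity limit stated in the control's "More details".
MAX_IDLE_SECONDS = 15 * 60

# Constructed export of a compliant configuration (blank-screen saver, 900 s).
SAMPLE_COMPLIANT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop]
"ScreenSaveActive"="1"
"ScreenSaverIsSecure"="1"
"ScreenSaveTimeOut"="900"
"SCRNSAVE.EXE"="C:\\Windows\\System32\\scrnsave.scr"
"""

# Constructed export of a weak configuration: no password on resume, one-hour
# timeout stored as a DWORD, and no screen saver binary at all.
SAMPLE_NONCOMPLIANT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop]
"ScreenSaveActive"="1"
"ScreenSaverIsSecure"="0"
"ScreenSaveTimeOut"=dword:00000e10
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_SZ_RE = re.compile(r'^"([^"]+)"="(.*)"$')
_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_reg_export(text):
    """Return {key_path: {value_name: value}} for REG_SZ and REG_DWORD values.

    REG_SZ values are unescaped (the export doubles backslashes); REG_DWORD
    values become ints.  Other value types are ignored for this audit.
    """
    settings = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            settings.setdefault(current, {})
            continue
        if current is None:
            continue
        m = _DWORD_RE.match(line)
        if m:
            settings[current][m.group(1)] = int(m.group(2), 16)
            continue
        m = _SZ_RE.match(line)
        if m:
            settings[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return settings


def audit_session_lock(reg_text):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    desktop = parse_reg_export(reg_text).get(DESKTOP_POLICY_KEY, {})

    if str(desktop.get("ScreenSaveActive", "")) != "1":
        findings.append("ScreenSaveActive is not 1: no automatic session lock")
    if str(desktop.get("ScreenSaverIsSecure", "")) != "1":
        findings.append("ScreenSaverIsSecure is not 1: lock does not require re-authentication")

    timeout = desktop.get("ScreenSaveTimeOut")
    try:
        timeout = int(timeout)
    except (TypeError, ValueError):
        timeout = None
    if timeout is None or timeout <= 0 or timeout > MAX_IDLE_SECONDS:
        findings.append(
            f"ScreenSaveTimeOut={timeout!r}: idle limit must be 1..{MAX_IDLE_SECONDS} seconds"
        )

    if not desktop.get("SCRNSAVE.EXE"):
        findings.append("SCRNSAVE.EXE not set: no pattern-hiding display configured")
    return findings


if __name__ == "__main__":
    for label, sample in (("compliant", SAMPLE_COMPLIANT), ("noncompliant", SAMPLE_NONCOMPLIANT)):
        result = audit_session_lock(sample)
        print(f"{label}: {'PASS' if not result else 'FAIL'}")
        for f in result:
            print("  -", f)
```

The audit deliberately treats a timeout of 0 as a failure, because a zero value disables the idle trigger even when ScreenSaveActive is set. Note that it only evidences the session lock; the automatic log-off described in "More details" is a separate control and would need its own check rather than being inferred from the screen-saver timeout.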