Level 2


Description:

This requirement addresses the termination of user-initiated logical sessions in contrast to the termination of network connections that are associated with communications sessions (i.e., disconnecting from the network). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational system. Such user sessions can be terminated (and thus terminate user access) without terminating network sessions. Session termination terminates all processes associated with a user’s logical session except those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated. Conditions or trigger events requiring automatic session termination can include organization-defined periods of user inactivity, targeted responses to certain types of incidents, and time-of-day restrictions on system use.


Priority: High 


Domain: ACCESS CONTROL (AC) 


Services Associated with AWS: 

  • AWS Identity and Access Management (IAM), Amazon WorkSpaces, Amazon AppStream 2.0


Services Associated with Azure:

  • Azure Active Directory (Azure AD)
  • Azure Monitor
  • Azure Automation
  • Azure Security Center


Objective Evidence: 

  • Administrative: documented policies, standards & procedures 
  • Administrative: supporting documentation to demonstrate the "secure practices" used to build technology platform-specific secure baseline configurations 
  • Technical: screen shot of configuration settings


Possible Technology Considerations:

  • Secure Baseline Configurations (SBC) 


What needs to be answered:

Are users logged out due to inactivity in addition to screen locks? 


Checks for AWS

  • Ensure Automatic User Session Termination
    Description: This check verifies that user sessions are configured to terminate automatically under defined conditions, such as periods of inactivity, certain types of incidents, or time-of-day restrictions on system use. This includes the termination of all processes associated with a user's logical session, except those specifically created by the user to continue after the session is terminated.
  • Validate Configuration for User Inactivity Session Termination
    Description: This check confirms that sessions are set up to terminate automatically after a defined period of user inactivity, helping to secure systems from unauthorized access due to unattended sessions.
  • Check Configuration for Incident-Driven Session Termination
    Description: This check ensures that sessions are configured to terminate in response to certain types of incidents, as defined by the organization, enhancing system security in the event of a detected threat.
  • Verify Time-of-Day Restrictions for Session Termination
    Description: This check verifies that sessions are configured to terminate based on time-of-day restrictions, limiting system access to authorized hours.
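The inactivity check above can be scripted against the settings of an Amazon AppStream 2.0 fleet. The example below is added here and is not part of this control page or of any AWS tooling; it assumes the documented fleet fields IdleDisconnectTimeoutInSeconds (0 disables idle disconnect) and DisconnectTimeoutInSeconds (how long a disconnected session stays alive before its processes are terminated), and uses constructed sample data in place of a live describe_fleets call.

```python
"""Evaluate AppStream 2.0 fleet settings against the 15-minute inactivity
requirement ("logs off automatically after 15 minutes of inactivity").
The sample data is constructed; no AWS API call is made."""

INACTIVITY_LIMIT_SECONDS = 15 * 60

# Constructed sample shaped like describe_fleets()["Fleets"] entries.
SAMPLE_FLEETS = [
    {"Name": "cui-desktops", "IdleDisconnectTimeoutInSeconds": 600,
     "DisconnectTimeoutInSeconds": 60, "MaxUserDurationInSeconds": 28800},
    {"Name": "engineering", "IdleDisconnectTimeoutInSeconds": 0,  # 0 = disabled
     "DisconnectTimeoutInSeconds": 900, "MaxUserDurationInSeconds": 57600},
    {"Name": "kiosk", "IdleDisconnectTimeoutInSeconds": 1800,
     "DisconnectTimeoutInSeconds": 60, "MaxUserDurationInSeconds": 3600},
    {"Name": "legacy"},  # field absent: treat as not configured
]


def evaluate_fleet(fleet, limit=INACTIVITY_LIMIT_SECONDS):
    """Return (compliant, findings) for one fleet description."""
    findings = []
    idle = fleet.get("IdleDisconnectTimeoutInSeconds")
    if idle is None:
        findings.append("idle disconnect not configured")
    elif idle == 0:
        findings.append("idle disconnect disabled (0)")
    elif idle > limit:
        findings.append(f"idle disconnect {idle}s exceeds {limit}s")
    # An idle disconnect only ends the user's screen; the logical session and
    # its processes persist for DisconnectTimeoutInSeconds (assumed semantics),
    # so that grace period counts toward the 15-minute termination budget.
    grace = fleet.get("DisconnectTimeoutInSeconds", 0)
    if idle and idle + grace > limit:
        findings.append(f"idle {idle}s + disconnect grace {grace}s exceeds {limit}s")
    return (not findings, findings)


def audit_fleets(fleets, limit=INACTIVITY_LIMIT_SECONDS):
    """Return the names of fleets that fail the inactivity requirement."""
    return [f["Name"] for f in fleets if not evaluate_fleet(f, limit)[0]]


if __name__ == "__main__":
    for fleet in SAMPLE_FLEETS:
        ok, findings = evaluate_fleet(fleet)
        status = "PASS" if ok else "FAIL"
        print(f"{status} {fleet['Name']}: {'; '.join(findings) or 'within limit'}")
```

Swap SAMPLE_FLEETS for the Fleets list returned by the AppStream describe_fleets API to run the same evaluation against a real account.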


Checks for Azure

  • Ensure Automatic User Session Termination in Azure Active Directory (Azure AD):
    Description: This check verifies that user sessions in Azure AD are configured to terminate automatically under defined conditions, such as periods of inactivity, certain types of incidents, or time-of-day restrictions on system use. This includes the termination of all processes associated with a user's logical session, except those specifically created by the user to continue after the session is terminated.
  • Validate Configuration for User Inactivity Session Termination in Azure Active Directory (Azure AD):
    Description: This check confirms that sessions in Azure AD are set up to terminate automatically after a defined period of user inactivity, helping to secure systems from unauthorized access due to unattended sessions.
  • Check Configuration for Incident-Driven Session Termination in Azure Active Directory (Azure AD):
    Description: This check ensures that sessions in Azure AD are configured to terminate in response to certain types of incidents, as defined by the organization. This enhances system security in the event of a detected threat by terminating user sessions and associated processes.
  • Verify Time-of-Day Restrictions for Session Termination in Azure Active Directory (Azure AD):
    Description: This check verifies that sessions in Azure AD are configured to terminate based on time-of-day restrictions. This limits system access to authorized hours, ensuring that user sessions are automatically terminated when outside the allowed time range.


More Details: Access to systems containing CUI logs off automatically after 15 minutes of inactivity.