GRCWatch
Sign inStart free trial

Session Lock Control (AC.L2-3.1.10): CMMC Level 2 Requirements

Session lock is a critical access control that automatically locks user sessions after a period of inactivity, requiring re-authentication to resume work. This CMMC Level 2 control prevents unauthorized users from accessing unattended workstations and protects sensitive defense contractor information. Implementing session lock with pattern-hiding displays is essential for organizations handling controlled unclassified information (CUI).

What this means

AC.L2-3.1.10 requires you to enable automatic session locking after a defined period of user inactivity. When a session locks, the display must hide all sensitive information with a pattern or blank screen to prevent shoulder surfing or visual snooping. Users must authenticate again to unlock the session and regain access to their systems.

How to comply

  1. 1.Configure automatic session timeout policies across all systems (typically 15-30 minutes of inactivity)
  2. 2.Enable screen lock or screensaver with pattern-hiding displays (blank screen or animated pattern) when timeout triggers
  3. 3.Require users to re-authenticate via password, PIN, or multi-factor authentication to unlock sessions
  4. 4.Test session lock functionality across all user endpoints including desktops, laptops, and thin clients
  5. 5.Document timeout settings and pattern-hiding display configurations in your security policies
  6. 6.Monitor and audit session lock events to ensure compliance and identify policy violations

Evidence auditors look for

  • Screenshots of Windows Group Policy or macOS configuration showing session timeout set to 15-30 minutes
  • Active Directory or equivalent system logs showing failed unlock attempts and re-authentication events
  • Network firewall or endpoint management logs demonstrating session termination after inactivity
  • User terminal screenshots showing pattern-hiding screensaver or blank display during session lock
  • Security policy documentation specifying session timeout duration and pattern-hiding requirements
  • Audit reports from endpoint management tools confirming session lock deployment across all systems
  • Test results from security assessments verifying session lock and screensaver functionality

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automatically inventories all devices in your environment and verifies session lock configuration compliance in real-time, eliminating manual audits and generating CMMC-ready evidence for assessors.

See how GRCWatch handles this control automatically

Start free trial

Related controls

AC.L2-3.1.1 - Authorized Access ControlAC.L2-3.1.11 - Session TerminationAC.L2-3.1.9 - Password RequirementsSI.L2-3.14.1 - Information System Monitoring