GRCWatch
Sign inStart free trial

AC.L2-3.1.11: Session Termination

Session termination is a foundational access control that prevents unauthorized access through abandoned or dormant sessions. CMMC Level 2 requires your organization to automatically terminate user sessions after a defined period of inactivity. This control closes a critical security gap by ensuring that unattended workstations cannot be exploited by threat actors.

What this means

This control requires you to establish and enforce automatic session termination based on defined conditions—typically after a period of user inactivity (e.g., 15-30 minutes). When a session ends, the user must re-authenticate to regain access. This prevents unauthorized actors from taking over unattended systems and reduces the window of exposure if a workstation is left unlocked.

How to comply

  1. 1.Define inactivity thresholds appropriate to your risk environment (typically 15–30 minutes for sensitive systems)
  2. 2.Configure automatic session timeout in operating systems, applications, and remote access tools (RDP, SSH, VPNs)
  3. 3.Set session timeout policies via Group Policy (Windows), SSH configuration, or application-level settings
  4. 4.Test timeout enforcement across all user session types—local logins, remote access, and web applications
  5. 5.Document your session termination policy and inactivity thresholds in your security procedures
  6. 6.Implement monitoring and logging to verify sessions terminate as configured
  7. 7.Train users on session timeout behavior and the requirement to lock workstations

Evidence auditors look for

  • Screenshots of Group Policy or system configuration showing session timeout settings
  • SSH/RDP configuration files with ClientAliveInterval and IdleTimeout parameters
  • Application settings documentation confirming automatic logout after inactivity
  • System logs showing terminated sessions and re-authentication events
  • Policy documentation defining inactivity thresholds by system or sensitivity level
  • Test results demonstrating session termination after the configured idle period
  • Evidence of user training or awareness materials on session timeout procedures

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates session timeout configuration tracking and generates audit logs across Windows, Linux, and cloud environments—eliminating manual policy verification and streamlining evidence collection for your CMMC assessment.

See how GRCWatch handles this control automatically

Start free trial

Related controls

AC.L2-3.1.5 — User Access RemovalAC.L2-3.1.2 — Account ManagementSI.L2-7.1.1 — Flaw RemediationAU.L2-8.1.1 — Audit Logging