NIST 800-171 Control 3.1.10: Session Lock
Session lock is a critical access control that prevents unauthorized use of unattended systems. This control requires automated session termination or locking after a defined period of inactivity, with display patterns that obscure sensitive information. Proper implementation protects your systems from opportunistic access while maintaining a frictionless user experience.
What this means
Session lock automatically locks or terminates user sessions when a system remains inactive for a specified period. The locked display must use a pattern-hiding mechanism (such as a screensaver or blank screen) that prevents casual viewing of sensitive data. Users must re-authenticate to resume work. This control assumes systems will occasionally be left unattended and establishes a time-based safety net against unauthorized access.
How to comply
- 1.Define an inactivity timeout period appropriate to your risk profile (typically 15-30 minutes for systems handling CUI)
- 2.Configure operating systems and applications to automatically lock sessions after the defined inactivity threshold
- 3.Implement a pattern-hiding display mechanism (screensaver, blank screen, or lock screen) that renders displayed content unreadable
- 4.Require user re-authentication (password, MFA, or similar) to unlock and resume the session
- 5.Test timeout functionality across all systems and applications in your environment
- 6.Document timeout policies and communicate requirements to end users
- 7.Monitor and audit session lock events to ensure consistent enforcement
Evidence auditors look for
- Screenshots of Windows Group Policy or macOS configuration showing inactivity timeout settings
- Application-level session timeout configurations documented in system administration guides
- Screensaver or lock screen policies enforced across user devices
- Audit logs demonstrating session locks triggered by inactivity thresholds
- User access records showing successful re-authentication after session lock events
- System documentation outlining inactivity timeout periods and pattern-hiding mechanisms
- Compliance testing results validating lock activation after configured idle time
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates session lock policy configuration across your endpoints and aggregates lock event logs for audit evidence—eliminating manual timeout configuration and manual log collection across dozens of systems.
See how GRCWatch handles this control automatically
Start free trial