How to Meet AC.L2-3.1.11

Practical guide for SMBs to implement AC.L2-3.1.11

Requirement

AC.L2-3.1.11 – Terminate (automatically) a user session after a defined condition.

This control comes from NIST SP 800-171 Rev. 2 / CMMC 2.0 Level 2.

Understanding the Requirement

This control requires you to define the conditions under which user sessions must end and ensure the system enforces termination automatically when those conditions occur. Typical conditions include a period of inactivity, time-of-day limits, network changes, or a maximum session lifetime. By cutting off stale sessions, you lower the chance an attacker can hijack an unattended or orphaned session and move within your environment.

Policies and Procedures Needed

Publish an Access Control or Session Management Policy that defines required session termination conditions and timeouts by system type (workstations, servers, VPN, RDP, SSH, cloud apps, privileged consoles). Back it with configuration standards for Windows, Linux/UNIX, network devices, VPNs, and SaaS/IdP settings so admins know exactly what to set. Include coverage in your Remote Access Policy (e.g., VPN, bastion hosts), an exception process for legitimate business needs, and a review cadence to verify settings after onboarding new systems, major changes, and at least annually.

Technical Implementation

  • Decide and document timeouts per system type. A practical baseline for SMBs: terminate remote admin sessions (RDP/SSH) after 60 minutes of inactivity; terminate VPN sessions after 30–60 minutes of inactivity; set SaaS and admin consoles to 15–30 minutes of inactivity and a maximum session lifetime (e.g., 8–12 hours). Apply shorter timeouts for privileged accounts and systems with sensitive data.
  • Windows servers/workstations and Remote Desktop Services (RDS). Use Group Policy: Computer Configuration → Administrative Templates → Windows Components → Remote Desktop Services → Remote Desktop Session Host → Session Time Limits. Set “Set time limit for active but idle Remote Desktop Services sessions” to 60 minutes and “End session when time limits are reached” to Enabled; set “Set time limit for disconnected sessions” to a short period (e.g., 30 minutes). Note: “Interactive logon: Machine inactivity limit” locks a console session; use it for local security, but rely on RDS settings to terminate remote sessions.
  • Linux/UNIX and network devices (SSH/console). In /etc/ssh/sshd_config set ClientAliveInterval 300 and ClientAliveCountMax 12, then restart sshd. Be clear about what this does: sshd probes the client every 300 seconds and drops the connection after 12 unanswered probes (≈60 minutes), which cleans up orphaned sessions whose client has crashed or lost connectivity. A client that is merely idle still answers the probes, so these two settings never end an idle session on their own. For idle termination set a shell timeout in /etc/profile (or a file under /etc/profile.d/), e.g., TMOUT=3600 followed by readonly TMOUT, so bash, ksh and zsh log out an interactive shell after 60 minutes without input and users cannot unset the limit; note that TMOUT only counts time spent at the prompt, so a foreground program such as an editor or tail -f keeps the session alive. On OpenSSH 9.2 and later, ChannelTimeout and UnusedConnectionTimeout in sshd_config can enforce an idle limit server-side regardless of the shell (check sshd_config(5) for the channel type names in your version). Confirm effective values with sshd -T. On network devices, set exec-timeout (e.g., “exec-timeout 60” on Cisco IOS, in minutes) on VTY and console lines to terminate idle sessions.
  • VPN and remote access gateways. Set an idle timeout (30–60 minutes) and maximum session duration. Enable re-authentication on reconnect, and avoid “keepalive” pings from client software that defeat idle detection. Apply stricter timeouts for contractor and third-party access. Verify behavior for split-tunnel clients and always-on VPN configurations.
  • SaaS, web apps, and identity provider (IdP) settings. In your IdP or SSO platform, configure session lifetime and inactivity timeout (e.g., 30 minutes idle, 8–12 hours max). For high-risk admin portals (cloud consoles, security tools), use shorter values. Ensure applications that maintain their own sessions also enforce idle and absolute timeouts, and require reauthentication for sensitive actions.
  • Validate and monitor. Test each control path by leaving sessions idle and confirming automatic termination. Log session disconnects and timeouts; periodically sample systems to verify configurations remain in place. Document any exceptions with compensating controls (e.g., shorter lock plus just-in-time access) and a planned remediation date.
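The following audit script is an added example, not code from the original page or from any vendor. It reads an sshd_config and a shell profile the way sshd and the shell do and checks both against a 60-minute limit, making concrete the point that sshd's ClientAliveInterval and ClientAliveCountMax only drop clients that stop answering keepalive probes, while TMOUT is what logs out an idle shell. The sample configuration files are constructed inline; the function names, the PASS/FAIL/INFO output format and the temporary file layout are this example's own.

```shell
#!/usr/bin/env bash
# Audit Linux session-termination settings against a documented maximum idle
# time. Reads an sshd_config and a shell profile the way sshd and the shell do:
#   - sshd keeps the FIRST occurrence of a keyword; keywords are case-insensitive
#   - ClientAliveInterval x ClientAliveCountMax is how long sshd tolerates an
#     UNRESPONSIVE client (dead/orphaned session), not how long an idle client may sit
#   - TMOUT (bash/ksh/zsh) is the setting that actually logs out an idle shell
# Match blocks and the Keyword=value form are not handled; on a live host feed
# the output of "sshd -T" (the effective configuration) to these functions instead.
set -u

# First value of an sshd_config keyword, or the supplied default when absent.
sshd_option() {   # sshd_option <config_file> <keyword> <default>
    awk -v key="$2" -v def="$3" '
        $0 !~ /^[[:space:]]*#/ && tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print def }' "$1"
}

# Seconds before sshd drops a client that stops answering keepalive probes.
# 0 means ClientAliveInterval is disabled (the OpenSSH default): dead sessions linger.
ssh_dead_client_seconds() {   # ssh_dead_client_seconds <config_file>
    local interval count
    interval=$(sshd_option "$1" ClientAliveInterval 0)
    count=$(sshd_option "$1" ClientAliveCountMax 3)
    echo $(( interval * count ))
}

# Prints "<seconds> readonly|mutable" for the first literal TMOUT assignment in a
# profile (0 when unset). "readonly" means the profile pins it so users cannot unset it.
profile_tmout() {   # profile_tmout <profile_file>
    local tmout pinned
    tmout=$(awk -F= '$0 !~ /^[[:space:]]*#/ && $1 ~ /(^|[[:space:]])TMOUT$/ && $2 ~ /[0-9]/ {
                      gsub(/[^0-9]/, "", $2); print $2; exit }' "$1")
    if grep -Eq '^[[:space:]]*readonly[[:space:]]+TMOUT' "$1"; then pinned=readonly; else pinned=mutable; fi
    echo "${tmout:-0} $pinned"
}

# Compare both mechanisms with the documented maximum idle time, in seconds.
# Exit status 0 only when an idle interactive SSH shell is guaranteed to end in time.
check_linux_idle_limits() {   # check_linux_idle_limits <sshd_config> <profile> <max_idle_seconds>
    local sshd_cfg="$1" profile="$2" max="$3" dead tmout pinned rc=0
    dead=$(ssh_dead_client_seconds "$sshd_cfg")
    tmout=$(profile_tmout "$profile" | cut -d' ' -f1)
    pinned=$(profile_tmout "$profile" | cut -d' ' -f2)

    if [ "$dead" -eq 0 ]; then
        echo "FAIL sshd: ClientAliveInterval 0, sessions of dead clients are never reaped"; rc=1
    elif [ "$dead" -gt "$max" ]; then
        echo "FAIL sshd: dead-client timeout ${dead}s exceeds limit ${max}s"; rc=1
    else
        echo "PASS sshd: dead-client timeout ${dead}s"
    fi
    echo "INFO sshd: ChannelTimeout=$(sshd_option "$sshd_cfg" ChannelTimeout none) (OpenSSH 9.2+ server-side idle limit)"

    if [ "$tmout" -eq 0 ]; then
        echo "FAIL shell: TMOUT unset, an idle but connected session never terminates"; rc=1
    elif [ "$tmout" -gt "$max" ]; then
        echo "FAIL shell: TMOUT ${tmout}s exceeds limit ${max}s"; rc=1
    elif [ "$pinned" != readonly ]; then
        echo "FAIL shell: TMOUT ${tmout}s is not readonly, a user can unset it"; rc=1
    else
        echo "PASS shell: TMOUT ${tmout}s, readonly"
    fi
    return $rc
}

# ---- Constructed sample files for the demonstration; not taken from a real host ----
weak_sshd=$(mktemp) weak_profile=$(mktemp) good_sshd=$(mktemp) good_profile=$(mktemp)
cat >"$weak_sshd" <<'EOF'
# Stock-looking sshd_config: keepalive left at its default, nothing ends idle logins
Port 22
#ClientAliveInterval 0
PermitRootLogin prohibit-password
EOF
printf 'export PATH=/usr/local/sbin:/usr/local/bin:/usr/bin:/bin\n' >"$weak_profile"

cat >"$good_sshd" <<'EOF'
Port 22
clientaliveinterval 300
ClientAliveCountMax 12
# the duplicate below is ignored; sshd honours the first occurrence above
ClientAliveInterval 30
EOF
cat >"$good_profile" <<'EOF'
export PATH=/usr/local/sbin:/usr/local/bin:/usr/bin:/bin
# 60-minute idle logout per the Session Management Standard; readonly so it sticks
TMOUT=3600
readonly TMOUT
export TMOUT
EOF

echo "== weak host ==";     check_linux_idle_limits "$weak_sshd" "$weak_profile" 3600 || true
echo "== hardened host =="; check_linux_idle_limits "$good_sshd" "$good_profile" 3600
rm -f "$weak_sshd" "$weak_profile" "$good_sshd" "$good_profile"
```

On a real host, run check_linux_idle_limits /etc/ssh/sshd_config /etc/profile 3600, or capture sshd -T to a file and pass that instead so Match blocks and drop-in files under /etc/ssh/sshd_config.d/ are accounted for. The weak host fails on both counts because a stock sshd never reaps dead clients and nothing logs out an idle shell; the hardened host passes, and the INFO line shows whether the newer server-side ChannelTimeout is in use.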

Example in a Small or Medium Business

A 120-person engineering firm formalizes a Session Management Standard that requires termination after 60 minutes of inactivity for RDP, SSH, and VPN, and 30 minutes for SaaS admin portals. The Windows admin applies RDS session time limits via Group Policy to all servers in the “Admin Access” OU. The Linux admin sets ClientAliveInterval and ClientAliveCountMax on four Ubuntu application servers and adds TMOUT to the global profile. The network team configures a 45-minute idle timeout on the remote access VPN and enforces reauthentication on reconnect. The security lead updates the IdP to a 30-minute idle timeout and a 10-hour maximum session for cloud apps, with stricter values for admin roles. They test by leaving sessions idle and confirm automatic termination across all paths. Finally, the help desk updates user guidance so staff know to save work frequently and reconnect if idle too long.

Summary

Meeting AC.L2-3.1.11 requires clear, documented conditions for when sessions must end and consistent technical enforcement across endpoints, servers, remote access, and cloud apps. By pairing a concise policy and configuration standards with concrete settings in RDP, SSH, VPN, and IdP/SaaS, SMBs can reliably terminate stale sessions and reduce the risk of session hijacking. Ongoing testing, logging, and periodic reviews ensure the control remains effective as systems change.
