AC.L2-3.1.11 — Terminate (automatically) a user session after a defined condition.
What this control requires
Terminate (automatically) a user session after a defined condition.
Source: CMMC L2 v2.13 AC.L2-3.1.11 / NIST SP 800-171 R2 3.1.11 (official control text).
Why this matters
Unattended sessions create windows of opportunity for unauthorized individuals to exploit authenticated access, either by walking up to an unlocked workstation or hijacking idle remote connections. Automatic session termination enforces a time boundary: if a user steps away without logging out, the system cuts off access after a predictable period of inactivity. This reduces the risk of session hijacking, insider misuse, and physical breaches in shared or unsecured environments. The control applies to local logins, remote desktop sessions, web application portals, and VPNs—anywhere a user establishes a logical session with organizational systems.
What evidence assessors expect
Assessors typically look for: screenshot, configuration export, PDF. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.