SC.L2-3.13.9 — Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity.
What this control requires
Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity.
Source: CMMC L2 v2.13 SC.L2-3.13.9 / NIST SP 800-171 R2 3.13.9 (official control text).
Why this matters
Idle or abandoned sessions create windows for attackers to hijack authenticated connections, escalate privileges, or exfiltrate data without triggering fresh authentication challenges. Automatic session termination ensures that dormant network connections—whether from VPN tunnels, remote desktop sessions, web applications, or SSH—cannot be exploited after a user steps away. This control reduces the attack surface by forcing periodic re-authentication and prevents unauthorized actors from resuming sessions on unattended devices or inheriting stale credentials from long-lived TCP connections.
What evidence assessors expect
Assessors typically look for: screenshot, configuration export, CSV export. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.
Related controls
See your live posture on SC.L2-3.13.9.
FORCE shows where you stand on this control and walks you through closing it.
Start a free trial tenant →