03.01.10 — (a) Prevent access to the system by {{ insert: param, A.03.01.10.ODP.01 }}. (b) Retain the device lock until the user reestablishes access using established identification and authentication procedures. (c) Conceal, via the device lock, information previously visible on the display with a publicly viewable image.

What this control requires

(a) Prevent access to the system by {{ insert: param, A.03.01.10.ODP.01 }}. (b) Retain the device lock until the user reestablishes access using established identification and authentication procedures. (c) Conceal, via the device lock, information previously visible on the display with a publicly viewable image.

Source: NIST SP 800-171 R3 §03.01.10 (official control text).

Why this matters

Device lock controls prevent unauthorized individuals from accessing sensitive information when users temporarily step away from their workstations. Without automatic screen locks, an unattended computer becomes an open door—anyone passing by can view, copy, or manipulate controlled unclassified information displayed on screen. This control protects against both opportunistic insider threats and physical intruders who might exploit momentary absences. The requirement to conceal previously visible information ensures that even locked screens don't inadvertently expose sensitive data through visible document content, email previews, or application windows. Proper device lock implementation is a fundamental physical security layer that complements logical access controls.

What evidence assessors expect

Assessors typically look for: configuration export, screenshot, PDF. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.

Related controls