03.01.11 —
What this control requires
Source: NIST SP 800-171 R3 §03.01.11 (official control text).
Why this matters
Session termination protects CUI by automatically ending user access after periods of inactivity or when specific conditions occur. Without this control, an unattended workstation with an active session becomes an open door for unauthorized access—whether from a malicious insider, a visitor walking past an unlocked desk, or an attacker who has gained physical access. This control ensures that forgotten sessions don't persist indefinitely, reducing the window of opportunity for session hijacking, unauthorized data access, or privilege abuse. It complements screen lock requirements by actually terminating the authenticated session rather than just obscuring the display, forcing re-authentication before any further system access.
What evidence assessors expect
Assessors typically look for: configuration export, screenshot, PDF, log file. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.