bigforceone

03.13.09

What this control requires

Source: NIST SP 800-171 R3 §03.13.09 (official control text).

Why this matters

Unattended sessions are open doors for unauthorized access. An employee steps away from their desk, a contractor leaves a remote connection idle, or an application keeps a stale session alive — each scenario creates a window for credential theft, session hijacking, or lateral movement by an attacker. This control enforces automatic termination of inactive network sessions after a defined period, ensuring that idle connections cannot be exploited. It applies to every layer: operating system logins, VPN tunnels, cloud console sessions, application access, and internal network connections. By forcing re-authentication after inactivity, the organization limits exposure from abandoned sessions and reduces the attack surface available to both external threats and insider risks.

What evidence assessors expect

Assessors typically look for screenshots, configuration exports, and PDFs. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.
