1. Home
  2. FedRAMP
  3. AC-11

BRACKETOLOGY | FEDRAMP

AC-11: SESSION LOCK

  • FedRAMP Baseline Membership AC-11:
  • MODERATE
  • HIGH

FedRAMP Bracketology

Use the FedRAMP Control Membership information above to determine if a control or control enhancement is required for each Impact Baseline — LOW, MODERATE, or HIGH

Click on the panel below each control or control enhancement to review the FedRAMP Impact Baseline-specific control configuration requirements for each of the [BRACKETS] in each control and/or control enhancement.

Review and use Additional Requirements and Guidance to build FedRAMP-compliant controls for your risk-based cybersecurity program.

To change the baseline view in the panel, click on LOW, MODERATE, or HIGH when the panel is open

Panels only appear where there are [BRACKETS] in the control or enhancement or where there is FedRAMP-specific requirements or guidance available.

The information system:

    • a. Prevents further access to the system by initiating a session lock after [Assignment: organization-defined time period] of inactivity or upon receiving a request from a user; and
    • b. Retains the session lock until the user reestablishes access using established identification and authentication procedures.

Click Low | Moderate | High below to see FedRAMP control configuration information. It's in BOLD.

There are no FedRAMP-specific requirements if this control is used for a Low Impact system.

AC-11 a.: Prevents further access to the system by initiating a session lock after fifteen (15) minutes of inactivity or upon receiving a request from a user.

AC-11 a.: Prevents further access to the system by initiating a session lock after fifteen (15) minutes of inactivity or upon receiving a request from a user.


SUPPLEMENTAL GUIDANCE

Session locks are temporary actions taken when users stop work and move away from the immediate vicinity of information systems but do not want to log out because of the temporary nature of their absences. Session locks are implemented where session activities can be determined. This is typically at the operating system level, but can also be at the application level. Session locks are not an acceptable substitute for logging out of information systems, for example, if organizations require users to log out at the end of workdays.

CONTROL ENHANCEMENTS

AC-11 (1) SESSION LOCK | PATTERN-HIDING DISPLAYS
  • FedRAMP Baseline Membership AC-11 (1):
  • MODERATE
  • HIGH

The information system conceals, via the session lock, information previously visible on the display with a publicly viewable image.

Supplemental Guidance:

Publicly viewable images can include static or dynamic images, for example, patterns used with screen savers, photographic images, solid colors, clock, battery life indicator, or a blank screen, with the additional caveat that none of the images convey sensitive information.

REFERENCES:

  • OMB Memorandum 06-16