AC-11 Session Lock

Control: The information system prevents further access to the system by initiating a session lock after [Assignment: organization-defined time period] of inactivity, and the session lock remains in effect until the user reestablishes access using appropriate identification and authentication procedures.

Supplemental Guidance: Users can directly initiate session lock mechanisms. A session lock is not a substitute for logging out of the information system. Organization-defined time periods of inactivity comply with federal policy; for example, in accordance with OMB Memorandum 06-16, the organization-defined time period is no greater than thirty minutes for remote access and portable devices.

Control Enhancements: (0) None.

Baseline: LOW: Not Selected; MOD: AC-11; HIGH: AC-11

Family: Access Control

Class: Technical

ISO 17799 mapping: 11.3.2

COBIT 4.1 mapping: None.

PCI-DSS v2 mapping: 8.5.14
