Getting your Trinity Audio player ready...


Cybersecurity, in our digitized era, is akin to a game of chess. As the opponent evolves, so too must the defenses. Among the various guidelines and controls stipulated by the National Institute of Standards and Technology’s (NIST) Special Publication (SP) 800-171, Control 3.13.12 stands out for its emphasis on session protection. This often-overlooked aspect can make or break an organization’s cybersecurity posture.

A Deep Dive into NIST 3.13.12

Control 3.13.12 states: “Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity.” It might seem like a straightforward control, but it serves as a line of defense against unauthorized access when a device is temporarily unattended.

The Vital Need for Session Protection

Imagine this scenario: An employee accesses a confidential file on their computer and then leaves their desk to attend a meeting. The data, though on a secure network, is left open and vulnerable. Without session protection, this lapse could lead to unauthorized access, data manipulation, or even theft.

This is where Control 3.13.12 comes into play. By implementing a session lock after a stipulated period of inactivity, the risk of unauthorized access during these short windows of vulnerability is mitigated. The pattern-hiding display ensures that even if the screen is locked, no residual images or readable content is discernible.

Elements of Effective Session Protection

1. Timely Locks: The duration of inactivity before a session lock activates should be minimal. The optimal time may vary based on the sensitivity of the data and the workplace environment.

2. Pattern-Hiding Displays: Using screensavers or blur effects can obscure the underlying data, ensuring that even a quick glance won’t reveal sensitive information.

3. Multi-factor Reauthentication: Upon returning, users should ideally use more than one method to authenticate their identity. This could be a combination of something they know (password), something they have (a smart card or token), or something they are (biometric verification).

Implementing NIST 3.13.12

1. Assess Current Protocols: Before making changes, it’s essential to understand the current session protection measures in place, if any.

2. Choose Suitable Lock Mechanisms: Depending on the organization’s needs and infrastructure, determine whether to use password-protected locks, biometric locks, or smart card locks.

3. Train Employees: It’s vital that all members of the organization understand the importance of this control and the potential risks of leaving sessions open. Regular training and reminders can reinforce this.

4. Monitor and Adjust: Regularly review the set inactivity duration and adjust as needed. Periodic audits can ensure the control is working as intended.

Challenges and Best Practices

While the control is straightforward, its implementation can come with challenges. Some employees might find frequent session locks disruptive, especially if they’re set after short intervals of inactivity. It’s essential to strike a balance between security and productivity.

Best practices include:

  • Grace Periods: Offering a brief grace period where a simple swipe or movement can unlock the session without requiring reauthentication.
  • Adaptive Locks: Implement mechanisms that understand the context. For instance, a computer might not lock if there’s an ongoing video conference.
  • Emergency Access: In cases where immediate access is required (for example, critical operations), ensure there’s a protocol for bypassing the lock without compromising security.


NIST 3.13.12, with its focus on session protection, offers a pragmatic approach to addressing a common vulnerability in many workplaces. By ensuring that sessions are protected during periods of inactivity and that screens don’t betray any information, organizations can significantly boost their cybersecurity defenses.

In the grand chessboard of cybersecurity, it’s often the overlooked pawns that determine the outcome of the game. Implementing Control 3.13.12 ensures that these pawns stand steadfast, guarding the frontlines against potential threats.

The challenge with passing a NIST audit for control 3.13.12 is with applications such as Microsoft Teams or Zoom that request access to the endpoint camera and microphone. In the past, there was no way to effectively satisfy 3.13.12.

Petronella has partnered with the patent holder of a brand new security solution to NIST control 3.13.12 that gives the user control over which applications are permitted to access and use the camera and microphone.; and can terminate access at any time. The technology also notifies you when there is a software request to access the microphone and camera. This has been effective at combating the new eavesdropping malware threats. Call 919-422-2607 to learn more!

Comments are closed.