CMMC Level 2

Control 3.13.9

Terminate Network Connections at End of Sessions

Official Requirement

Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity.

What This Means in Plain English

Network connections should be terminated when sessions end or after a period of inactivity. This prevents abandoned sessions from being hijacked by attackers.

How Petronella Implements This Control

Petronella Technology Group implements this control through:

  • FortiGate VPN session timeout configured at 30 minutes of inactivity
  • Web application session timeouts enforced at the application layer
  • TCP connection timeouts configured on firewalls for idle connections
  • RDP and SSH session timeouts enforced via Group Policy and server configuration
  • Arctic Wolf monitoring for abnormally long-lived network sessions

Assessment Guidance

Assessors will test session timeout enforcement on VPN, web applications, and remote access, verify that network connections terminate after the defined period, check firewall timeout configurations, and review policies defining timeout periods.

Common Implementation Gaps

  • No session timeout on VPN connections
  • Web applications with sessions that never expire
  • TCP connections persisting indefinitely on firewalls
  • No defined timeout periods for different connection types
  • Keep-alive mechanisms preventing proper session termination
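
The keep-alive gap above, as an added example (not Petronella's code or any product's API): an application-layer session table in which keep-alive traffic never resets the idle clock, so an abandoned session is still terminated. The 30-minute idle value is the VPN figure from this page; the 8-hour absolute cap and all class and function names are assumptions made for the illustration.

```python
from dataclasses import dataclass

IDLE_TIMEOUT = 30 * 60        # 30 minutes of inactivity (VPN figure from this page)
ABSOLUTE_LIFETIME = 8 * 3600  # assumed hard cap; not stated on the page


@dataclass
class Session:
    started: float        # when the session was established
    last_activity: float  # last user-driven request (keep-alives excluded)


class SessionTable:
    """Hypothetical session store enforcing idle and absolute timeouts."""

    def __init__(self, idle=IDLE_TIMEOUT, absolute=ABSOLUTE_LIFETIME):
        self.idle, self.absolute = idle, absolute
        self.sessions = {}

    def open(self, sid, now):
        self.sessions[sid] = Session(started=now, last_activity=now)

    def _reason(self, s, now):
        """Return why a session must end, or None if it is still valid."""
        if now - s.started >= self.absolute:
            return "absolute_lifetime"
        if now - s.last_activity >= self.idle:
            return "idle_timeout"
        return None

    def touch(self, sid, now, keepalive=False):
        """Record traffic; False means the session is gone or expired."""
        s = self.sessions.get(sid)
        if s is None or self._reason(s, now):
            return False           # left in place for sweep() to log and remove
        if not keepalive:          # keep-alives must not reset the idle clock
            s.last_activity = now
        return True

    def sweep(self, now):
        """Terminate expired sessions; return {sid: reason} for the audit log."""
        closed = {}
        for sid, s in list(self.sessions.items()):
            reason = self._reason(s, now)
            if reason:
                closed[sid] = reason
                del self.sessions[sid]
        return closed
```

The reasons returned by `sweep()` give an assessor evidence of which timeout ended each session.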

Cross-Framework Mapping

Framework         Mapped Controls
NIST SP 800-53    SC-10
PCI DSS           Req 8.1.8 - Idle session timeout

Need Help Implementing 3.13.9?

Our CMMC-RP certified team can assess your current compliance posture and build a remediation plan.