Control 3.1.10
Session Lock
Official Requirement
Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity.
What This Means in Plain English
Computers and devices should automatically lock after a period of inactivity so that a passerby cannot see or access CUI on an unattended screen. The lock screen should not display any sensitive information.
How Petronella Implements This Control
Petronella Technology Group implements this control through:
- Group Policy enforcing screen lock after 15 minutes of inactivity across all Windows workstations
- Microsoft Entra Conditional Access requiring re-authentication after session timeout
- Mobile Device Management (MDM) policies enforcing auto-lock on tablets and smartphones
- Screensaver policies configured to blank the screen (no data previews) on lock
- Sophos XDR endpoint compliance checks verifying lock screen policies are active
Assessment Guidance
Assessors will verify that GPO settings enforce session lock within the defined inactivity period, test that locked screens do not display CUI, check that mobile devices auto-lock, and confirm that users cannot bypass the lock screen timeout.
Common Implementation Gaps
- Screen lock timeout set longer than the organization-defined inactivity period (15 minutes in Petronella's policy) or disabled entirely
- Screensavers displaying document previews or email snippets
- Mobile devices not subject to auto-lock policies
- Users disabling screen lock through local settings
- No enforcement mechanism to prevent policy override
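The implementation items above (Group Policy screen lock, blanked screen, no user override) and the gap list map to a handful of registry values that Group Policy writes on each workstation, so a technician or assessor can confirm the state of a machine directly rather than trusting the GPO report. The script below is an added example, not Petronella's own tooling and not a Sophos XDR query; it reads the standard policy locations for the listed Group Policy settings (named in the comments), treats the 15-minute period from this page as the required maximum, and assumes it is run in an elevated PowerShell session while the user whose policy is being checked is logged on (user-scope settings live in HKCU).

```powershell
# Added example: check a Windows workstation for the 3.1.10 session-lock settings.
# Not the page's or Petronella's own code. Registry paths are the standard
# locations populated by the Group Policy settings named in the comments.

$MaxTimeoutSeconds = 900   # 15 minutes, the organization-defined inactivity period on this page

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # value absent means the setting is not enforced by policy
}

$Findings = @()

# User Configuration > Administrative Templates > Control Panel > Personalization
$Desktop = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$Active  = Get-PolicyValue $Desktop 'ScreenSaveActive'      # "Enable screen saver"
$Timeout = Get-PolicyValue $Desktop 'ScreenSaveTimeOut'     # "Screen saver timeout" (seconds)
$Secure  = Get-PolicyValue $Desktop 'ScreenSaverIsSecure'   # "Password protect the screen saver"
$Saver   = Get-PolicyValue $Desktop 'SCRNSAVE.EXE'          # "Force specific screen saver"

if ($Active -ne '1') { $Findings += 'Screen saver not enforced by policy (ScreenSaveActive != 1)' }
if (-not $Timeout -or [int]$Timeout -lt 1 -or [int]$Timeout -gt $MaxTimeoutSeconds) {
    $Findings += "Screen saver timeout is '$Timeout' seconds; must be set and no more than $MaxTimeoutSeconds"
}
if ($Secure -ne '1') { $Findings += 'Screen saver does not require a password to unlock (ScreenSaverIsSecure != 1)' }
# scrnsave.scr is the built-in blank screen saver; any other saver may render content on screen.
if (-not $Saver -or (Split-Path $Saver -Leaf) -ne 'scrnsave.scr') {
    $Findings += "Forced screen saver is '$Saver'; expected the blank saver scrnsave.scr (pattern-hiding)"
}

# User Configuration > Administrative Templates > Control Panel > Personalization
# "Prevent changing screen saver" removes the user's ability to override the settings above.
$NoChange = Get-PolicyValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System' 'NoDispScrSavPage'
if ($NoChange -ne 1) { $Findings += 'Users can still change screen saver settings locally (NoDispScrSavPage != 1)' }

# Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
# "Interactive logon: Machine inactivity limit" locks the session even if the screen saver is tampered with.
$Inactivity = Get-PolicyValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'InactivityTimeoutSecs'
if (-not $Inactivity -or $Inactivity -gt $MaxTimeoutSeconds) {
    $Findings += "Machine inactivity limit is '$Inactivity' seconds; must be set and no more than $MaxTimeoutSeconds"
}

# Computer Configuration > Administrative Templates > System > Logon
# "Turn off app notifications on the lock screen" keeps email and calendar snippets off the locked display.
$LockNotif = Get-PolicyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' 'DisableLockScreenAppNotifications'
if ($LockNotif -ne 1) { $Findings += 'Lock screen may still show app notification content (DisableLockScreenAppNotifications != 1)' }

if ($Findings.Count -eq 0) {
    Write-Output 'PASS: session lock settings meet the 3.1.10 policy on this page'
} else {
    Write-Output 'FAIL: session lock gaps found'
    $Findings | ForEach-Object { Write-Output "  - $_" }
}
```

The two independent timers are deliberate: the screen saver timeout is a user-scope setting, while the machine inactivity limit is a machine-scope security option, so a user who finds a way around the screen saver still gets locked by the machine limit. The lock-screen notification check covers the "email snippets" gap, which the screen saver settings alone do not address.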
Cross-Framework Mapping
| Framework | Mapped Controls |
|---|---|
| NIST SP 800-53 | AC-11, AC-11(1) |
| HIPAA | 164.312(a)(2)(iii) - Automatic Logoff |
| PCI DSS | Req 8.1.8 (v3.2.1; Req 8.2.8 in v4.0) - Require re-authentication after a session has been idle for more than 15 minutes |
Need Help Implementing 3.1.10?
Our CMMC-RP certified team can assess your current compliance posture and build a remediation plan.
Schedule a Compliance Assessment