NIST SP 800-171

Control 3.1.11

Terminate Sessions


Official Requirement

Terminate (automatically) a user session after a defined condition.

What This Means in Plain English

User sessions should end automatically once a defined condition is met, such as an inactivity timeout, the end of business hours, or a session exceeding a maximum lifetime since login. Terminating stale sessions shrinks the window in which an abandoned session can be hijacked or reused by someone other than the user who started it.

How Petronella Implements This Control

Petronella Technology Group implements this control through:

  • Microsoft 365 session lifetime policies terminating browser sessions after 8 hours
  • VPN sessions configured to disconnect after 30 minutes of inactivity on FortiGate
  • Remote Desktop session limits enforced via Group Policy (disconnect after 2 hours idle)
  • Web application session tokens expiring after defined periods with forced re-authentication
  • Arctic Wolf monitoring for abnormally long sessions as potential indicators of compromise

Assessment Guidance

Assessors will test session timeout enforcement on VPN, web applications, and remote desktop, verify that session termination conditions are documented and configured, and check that expired sessions require full re-authentication.

Common Implementation Gaps

  • No session timeout configured on VPN connections
  • Web applications with sessions that never expire
  • Remote desktop sessions left connected indefinitely
  • No defined conditions for automatic session termination
  • Session tokens that persist after browser close
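The conditions described above (an inactivity timeout, an absolute lifetime since login, forced re-authentication once a session is terminated, and tokens that do not survive browser close) can be seen together in a small server-side session store. The Python below is an added illustration for this page; it is not Petronella's code and not part of NIST SP 800-171. The 30-minute idle and 8-hour absolute values are taken from the implementation bullets above, and the class and function names (SessionStore, FakeClock, session_cookie_header) are assumptions made for the example.

```python
import secrets
import time
from dataclasses import dataclass

IDLE_TIMEOUT_S = 30 * 60        # 30 minutes of inactivity (value from the VPN bullet above)
ABSOLUTE_LIFETIME_S = 8 * 3600  # 8 hours since login (value from the Microsoft 365 bullet above)


@dataclass
class Session:
    user: str
    created_at: float   # login time, used for the absolute lifetime check
    last_seen: float    # last validated request, used for the idle check


class FakeClock:
    """Controllable clock so the timeout behaviour can be exercised without waiting (example helper)."""
    def __init__(self, start: float):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class SessionStore:
    """Hypothetical session store enforcing an idle timeout and an absolute lifetime."""
    def __init__(self, idle_timeout=IDLE_TIMEOUT_S, absolute_lifetime=ABSOLUTE_LIFETIME_S, clock=time.time):
        self._sessions: dict[str, Session] = {}
        self.idle_timeout = idle_timeout
        self.absolute_lifetime = absolute_lifetime
        self.clock = clock
        self.terminations: list[tuple[str, str]] = []  # (token, reason) audit trail for monitoring

    def login(self, user: str) -> str:
        """Full authentication happens before this call; it only issues a fresh, unguessable token."""
        token = secrets.token_urlsafe(32)
        now = self.clock()
        self._sessions[token] = Session(user=user, created_at=now, last_seen=now)
        return token

    def validate(self, token: str):
        """Return the user for a live session, or None after terminating an expired one.

        A None result means the caller must send the user back through full re-authentication.
        Every successful call counts as activity and resets the idle clock.
        """
        s = self._sessions.get(token)
        if s is None:
            return None
        now = self.clock()
        # Absolute lifetime is checked first so an active user cannot keep a session alive forever.
        if now - s.created_at > self.absolute_lifetime:
            self._terminate(token, "absolute_lifetime")
            return None
        if now - s.last_seen > self.idle_timeout:
            self._terminate(token, "idle_timeout")
            return None
        s.last_seen = now
        return s.user

    def logout(self, token: str) -> None:
        self._terminate(token, "user_logout")

    def sweep(self) -> list[str]:
        """Reaper for clients that never come back: terminate every expired session server-side."""
        now = self.clock()
        expired = [t for t, s in self._sessions.items()
                   if now - s.created_at > self.absolute_lifetime or now - s.last_seen > self.idle_timeout]
        for t in expired:
            self._terminate(t, "sweep")
        return expired

    def _terminate(self, token: str, reason: str) -> None:
        if self._sessions.pop(token, None) is not None:
            self.terminations.append((token, reason))


def session_cookie_header(token: str) -> str:
    """Set-Cookie value for the token. No Max-Age/Expires makes it a session cookie that the
    browser discards on close; HttpOnly and Secure keep it away from scripts and plaintext HTTP."""
    return f"session={token}; Path=/; Secure; HttpOnly; SameSite=Strict"


if __name__ == "__main__":
    clock = FakeClock(1_000_000.0)
    store = SessionStore(clock=clock)
    tok = store.login("alice")
    clock.advance(31 * 60)                      # 31 idle minutes
    print("user after idle period:", store.validate(tok))   # None -> re-authenticate
    print("terminations:", store.terminations)
```

The server-side checks are what an assessor can verify; the cookie flags only ask the browser to cooperate, and browsers configured to restore sessions on restart may keep a session cookie, which is why the idle and absolute checks (and a periodic sweep for clients that simply vanish) must live on the server.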

Cross-Framework Mapping

Framework       | Mapped Controls
NIST SP 800-53  | AC-12
HIPAA           | 164.312(a)(2)(iii) - Automatic Logoff
PCI DSS         | Req 8.1.8 - Idle session timeout

Need Help Implementing 3.1.11?

Our CMMC-RP certified team can assess your current compliance posture and build a remediation plan.

Schedule a Compliance Assessment