AC-11 - Session Lock

Control requirements

The information system:

AC-11 (a): Prevents further access to the system by initiating a session lock after [IBM Assignment: fifteen (15) minutes] of inactivity or upon receiving a request from a user; and
AC-11 (b): Retains the session lock until the user reestablishes access using established identification and authentication procedures.

Implementation guidance

See the resources that follow to learn more about how to implement this control.

IBM Cloud account setup

IBM Cloud for Financial Services profile

The rules related to this control that follow are part of the IBM Cloud for Financial Services v1.2.0 profile in IBM Cloud® Security and Compliance Center.

Rules for AC-11 in IBM Cloud for Financial Services v1.2.0 profile
Requirement ID	Rules
AC-11 (a)	Check that sign out due to inactivity is set to # seconds or less for IBM Cloud accounts
AC-11 (b)	IBM Cloud retains the session lock until access is reestablished by signing in

NIST supplemental guidance

Session locks are temporary actions taken when users stop work and move away from the immediate vicinity of information systems but do not want to log out because of the temporary nature of their absences. Session locks are implemented where session activities can be determined. This is typically at the operating system level, but can also be at the application level. Session locks are not an acceptable substitute for logging out of information systems, for example, if organizations require users to log out at the end of workdays.