Requirement
AC.L2-3.1.10 – Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity.
This control comes from NIST SP 800-171 REV.2 / CMMC 2.0 Level 2.
Understanding the Requirement
This control requires your systems to automatically lock after a defined period of inactivity, and to hide anything previously visible on the screen once locked. In practice, that means you set a timeout (e.g., 15 minutes) after which the device engages a lock screen or screensaver that obscures sensitive information and requires the user to re-authenticate. Because users may forget to lock their screens, automation is essential to prevent unauthorized viewing or access.
Policies and Procedures Needed
Establish a Session Lock Policy that defines inactivity timeouts by device type and role (e.g., 15 minutes for standard users, 5–10 minutes for administrators or shared stations), requires pattern-hiding displays on lock, and mandates re-authentication to resume. Include procedures for enforcement via centralized tooling (e.g., GPO/MDM), handling exceptions (documented, risk-accepted, and time-bound), verification (periodic checks and automated compliance reports), and user training to reinforce manual locking when stepping away. Incorporate session lock checks into onboarding, device provisioning, quarterly access and configuration reviews, and incident response playbooks.
Technical Implementation
- Set standard timeouts and lock behavior:
  - Default: 15 minutes (900 seconds) idle timeout for user workstations; 5–10 minutes for privileged/admin accounts and shared kiosks; 5 minutes for mobile devices.
  - Require an immediate password, PIN, or biometric on wake or screensaver resume, and ensure the lock screen hides prior content.
- Windows (via Group Policy or Microsoft Intune/Endpoint Manager):
  - Group Policy (User Configuration → Administrative Templates → Control Panel → Personalization): enable “Enable screen saver” and “Password protect the screen saver,” set “Screen saver timeout” (e.g., 900 seconds), and optionally “Force specific screen saver” (use a blank or corporate screensaver).
  - Group Policy (Computer Configuration → Windows Settings → Security Settings → Local Policies → Security Options): set “Interactive logon: Machine inactivity limit” to 900 seconds. This setting locks the machine independently of the screensaver, so use it as the baseline and treat the screensaver policies as a second layer.
  - Intune: configure a Device Restrictions profile or the Settings Catalog to require a password on wake and set the inactivity/lock timeout; disable lock-screen notification previews for pattern hiding.
- macOS (via MDM such as Intune or Jamf):
  - Set the com.apple.screensaver payload: idleTime = 900 (seconds; adjust per role), askForPassword = 1, askForPasswordDelay = 0 (require the password immediately on wake).
  - Use a blank or branded screensaver and disable lock-screen notification previews to conceal prior content.
- Linux desktops (GNOME example):
  - Set org.gnome.desktop.session idle-delay = 900 (seconds), org.gnome.desktop.screensaver lock-enabled = true, and lock-delay = 0.
  - Apply via dconf system databases, gsettings, or enterprise tools (e.g., Ansible); lock the keys in dconf so users cannot override them, and verify with compliance scripts.
- Remote access, servers, and virtual desktops:
  - RDP/VDI: configure session time limits and idle disconnects (e.g., “Set time limit for active but idle Remote Desktop Services sessions”) and require re-authentication on reconnection.
  - Servers with console access: set shorter inactivity locks on console sessions; for headless servers, ensure management consoles (iLO/DRAC, hypervisors) also enforce idle lockouts.
  - VPN/portals: apply idle session timeouts to reduce exposure if a workstation is left unattended.
- Validation and monitoring:
  - Push settings centrally, then verify with compliance reports (GPO Resultant Set of Policy, Intune device compliance, MDM inventory) and spot checks.
  - Log and review lock/unlock events for privileged systems; remediate noncompliant devices or carve out time-bound exceptions with documented compensating controls.
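The validation step above is easiest to make repeatable as a script that reads the collected settings from each platform and grades them against the role-based timeouts from the policy section. The following is an added example, not code from the original page: the inventory records are constructed, and the field names (Windows registry values, com.apple.screensaver keys, GNOME gsettings keys) are an assumed mapping to what a GPO/MDM report would export.

```python
"""Added example: grade collected session-lock settings against role-based timeouts.
Inventory records are constructed sample data; field names are an assumed mapping."""

# Maximum idle timeout per role, in seconds, from the policy section above.
ROLE_MAX_IDLE = {"standard": 900, "finance_hr": 600, "admin": 300, "shared": 300}

def normalize(device):
    """Map native settings to (idle_seconds, auth_required, immediate_lock)."""
    s, platform = device["settings"], device["platform"]
    if platform == "windows":
        # Machine inactivity limit locks immediately; ScreenSaverIsSecure=1 means password-protected.
        return int(s["InactivityTimeoutSecs"]), s["ScreenSaverIsSecure"] == 1, True
    if platform == "macos":
        return int(s["idleTime"]), s["askForPassword"] == 1, int(s["askForPasswordDelay"]) == 0
    if platform == "gnome":
        return int(s["idle-delay"]), bool(s["lock-enabled"]), int(s["lock-delay"]) == 0
    raise ValueError(f"unknown platform {platform!r}")

def findings(device):
    """Policy violations for one device; an empty list means compliant."""
    idle, auth, immediate = normalize(device)
    limit = ROLE_MAX_IDLE[device["role"]]
    out = []
    if idle == 0 or idle > limit:  # 0 means "never lock" on all three platforms
        out.append(f"idle timeout {idle}s exceeds {limit}s for role {device['role']}")
    if not auth:
        out.append("lock screen does not require re-authentication")
    if not immediate:
        out.append("grace period allows resume without re-authentication")
    return out

def compliance_report(inventory):
    """Fleet summary for the monthly review: counts plus per-host findings."""
    details = {d["host"]: findings(d) for d in inventory}
    noncompliant = [h for h, f in details.items() if f]
    return {"total": len(inventory), "noncompliant": noncompliant, "details": details}

# Constructed sample inventory; hostnames and values are made up for illustration.
SAMPLE_INVENTORY = [
    {"host": "WS-FIN-01", "platform": "windows", "role": "finance_hr",
     "settings": {"InactivityTimeoutSecs": 600, "ScreenSaverIsSecure": 1}},
    {"host": "WS-ADM-01", "platform": "windows", "role": "admin",
     "settings": {"InactivityTimeoutSecs": 900, "ScreenSaverIsSecure": 1}},
    {"host": "MAC-ENG-07", "platform": "macos", "role": "standard",
     "settings": {"idleTime": 900, "askForPassword": 1, "askForPasswordDelay": 300}},
    {"host": "LNX-ENG-03", "platform": "gnome", "role": "standard",
     "settings": {"idle-delay": 900, "lock-enabled": True, "lock-delay": 0}},
]

if __name__ == "__main__":
    print(compliance_report(SAMPLE_INVENTORY)["noncompliant"])  # ['WS-ADM-01', 'MAC-ENG-07']
```

Feeding it a real export (one record per host) turns the monthly spot check into a list of specific hosts and the exact setting that breaks policy, which is what the exception and remediation records need.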
Example in a Small or Medium Business
Acme Fabrication, a 120-person manufacturer, formalizes a Session Lock Policy specifying a 15-minute inactivity lock for all user endpoints, 10 minutes for finance and HR, and 5 minutes for administrator accounts and shop-floor shared stations. The IT manager implements Windows settings via Group Policy to enforce “Machine inactivity limit” and password-protected screensavers with a blank background. Their 20 Macs receive an MDM profile setting idleTime to 900 seconds and requiring an immediate password upon wake, while Linux engineering workstations get dconf profiles via Ansible. The Remote Desktop farm is configured to disconnect idle sessions after 15 minutes and require credentials on reconnection. To support pattern hiding, lock-screen notification previews are disabled on all platforms. IT validates compliance with an Intune and GPO report each month, and help desk technicians include a session-lock check in new device provisioning. During a quarterly audit, a few exceptions are discovered on lab gear; IT documents them with compensating physical controls and a 30-day remediation plan.
Summary
By defining clear timeouts, enforcing automatic session locks that hide on-screen content, and requiring re-authentication on resume, SMBs can reliably prevent unauthorized viewing and access when users step away. A concise policy with role-based timeouts, centralized configuration (GPO/MDM), coverage for remote and server sessions, and routine verification closes gaps and standardizes behavior across your fleet. Together, these policy and technical measures satisfy AC.L2-3.1.10 and materially reduce the risk of data exposure from unattended systems.