Requirement
NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - SC.L2-3.13.9 – Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity.
Understanding the Requirement
This control, from NIST SP 800-171 REV.2 / CMMC 2.0 Level 2, requires that network connections created for communications sessions be closed when the session ends or automatically after a defined idle period. The goal is to reduce the risk that an attacker or an unattended system can reuse an open session. In practice, an organization must define inactivity thresholds and enforce them so that sessions terminate at logout or after the set timeout, balancing usability (employee workflows and remote access needs) against security.
Technical Implementation
- Document a clear session-timeout policy: define inactivity periods by connection type and risk level (e.g., VPN remote access: 60 minutes; TCP application sessions: 1,800 seconds/30 minutes; UDP/ICMP short-lived: 5 seconds; other protocols: 180 seconds). Publish this policy and include exception handling and approval processes.
- Configure perimeter devices and VPN appliances: set idle timeout values on firewalls, VPN concentrators, and load balancers. For example, set the VPN idle timeout to 60 minutes and the TCP session timeout to 1,800 seconds in firewall state tables. Verify vendor defaults and adjust them if they are more permissive than your policy.
- Harden servers and endpoints: enforce session timeouts for RDP/SSH/administrative consoles (e.g., the TMOUT shell variable for SSH sessions, RDP session time limits), require an OS screen lock after a short inactivity period (e.g., 5–15 minutes), and configure automatic logoff for privileged accounts.
- Implement application-level session management: set web application and SSO session lifetimes, use secure session cookies with expiration, and clear sessions on logout. For APIs and services, enforce an access token time-to-live (TTL) and require re-authentication for long-running tasks.
- Log and monitor forced terminations: generate logs for session disconnects and idle timeouts, ship them to your SIEM or log server, and review them periodically to detect unusual patterns (e.g., many late-night timeouts, repeated reconnections) that could indicate compromise or misconfiguration.
- Test and train: perform periodic tests (change timeouts in a test environment, simulate idle sessions) and communicate changes to users. Coordinate changes with system/network administrators and security staff so that timeouts do not disrupt business-critical workflows.
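The "log and monitor forced terminations" step above calls for reviewing disconnect logs for patterns such as late-night idle timeouts and repeated reconnections. The following added example (not code from any vendor appliance or from the control text) shows that review as a script: it parses VPN session-start/session-end lines in an assumed key=value syslog format, counts idle timeouts that fire outside business hours, and flags users who reconnect within a few minutes of being timed out more than a set number of times. The log lines, user names, hostnames, and field names are constructed for the example.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in an assumed key=value appliance syslog format (not from any real product).
SAMPLE_LOGS = """\
2024-03-04T02:10:05 vpn01 session-end user=jdoe src=203.0.113.7 reason=idle-timeout
2024-03-04T02:11:40 vpn01 session-start user=jdoe src=203.0.113.7
2024-03-04T03:12:02 vpn01 session-end user=jdoe src=203.0.113.7 reason=idle-timeout
2024-03-04T03:13:15 vpn01 session-start user=jdoe src=203.0.113.7
2024-03-04T04:14:01 vpn01 session-end user=jdoe src=203.0.113.7 reason=idle-timeout
2024-03-04T09:30:00 vpn01 session-end user=asmith src=198.51.100.4 reason=user-logout
2024-03-04T17:45:10 vpn01 session-end user=bwong src=198.51.100.9 reason=idle-timeout
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>session-(?:start|end)) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)(?: reason=(?P<reason>\S+))?$"
)

def parse_events(text):
    """Parse log lines into dicts with a datetime timestamp; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events

def review_terminations(events, off_hours=(22, 6), reconnect_window_s=300, min_reconnects=2):
    """Count off-hours idle timeouts per user and flag users who repeatedly reconnect right after one."""
    off_hours_idle, rapid_reconnects, last_idle_end = Counter(), Counter(), {}
    start_h, end_h = off_hours  # window wraps midnight: 22:00 through 05:59
    for ev in sorted(events, key=lambda e: e["ts"]):
        user = ev["user"]
        if ev["event"] == "session-end" and ev["reason"] == "idle-timeout":
            if ev["ts"].hour >= start_h or ev["ts"].hour < end_h:
                off_hours_idle[user] += 1
            last_idle_end[user] = ev["ts"]  # remember when this user was last timed out
        elif ev["event"] == "session-start" and user in last_idle_end:
            if (ev["ts"] - last_idle_end[user]).total_seconds() <= reconnect_window_s:
                rapid_reconnects[user] += 1
    return {
        "off_hours_idle_timeouts": dict(off_hours_idle),
        "rapid_reconnects_after_timeout": {u: n for u, n in rapid_reconnects.items() if n >= min_reconnects},
    }
```

A single user timing out and reconnecting three times between 02:00 and 04:00 is exactly the kind of pattern the review step is meant to surface; whether it is a stuck automation, a shared account, or misuse is decided by follow-up, not by the script.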
Example in a Small or Medium Business
Acme Engineering, a 75-person SMB, maintains a mixed on-prem/cloud environment and needs to protect controlled technical data accessed remotely. The security lead writes a simple session timeout policy that sets VPN idle disconnects to 60 minutes, TCP session timeouts to 30 minutes in the firewall, and RDP/console sessions to 15 minutes of idle time before session lock. The network admin updates the VPN appliance and firewall settings, and the IT team enforces an OS screen lock policy via endpoint management so laptops lock after 10 minutes. The web-based project management tool’s session TTL is lowered to 20 minutes and SSO sessions are configured to require reauthentication for sensitive projects. Logs for session disconnects are forwarded to the central log server and reviewed weekly for anomalies. Employees receive a short notice explaining the changes and guidance on reconnecting when a session times out; an exception process is established for contractors doing long-running builds. After two weeks of monitoring, the team adjusts a few application timeouts to reduce unnecessary disruption while keeping the core policy enforced.
Summary
By defining acceptable inactivity periods in policy and implementing those timeouts across VPNs, firewalls, servers, endpoints, and applications, SMBs can ensure sessions are closed at logout or after a controlled idle period. Combine these technical controls with logging, monitoring, testing, user communication, and an exception process to maintain usability while reducing the risk that open or unattended sessions are abused.