AC-12 / AC-11 / A.9.1.2 / CIS-4.3 NIST SP 800-53 Rev 5

Idle timeout + reconnection requires reauth

Demonstrate that all systems and applications enforce idle timeout policies appropriate to their sensitivity classification and require full reauthentication for session resumption following timeout or disconnection.

Description

What this control does

This control enforces automatic session termination after a defined period of user inactivity and requires full reauthentication when a user attempts to resume or reconnect. Idle timeout thresholds are configured based on system sensitivity and compliance requirements, typically ranging from 15 minutes for privileged sessions to 30 minutes for standard user sessions. When the timeout threshold is exceeded, the system locks the session or terminates the connection entirely, preventing unauthorized access if a user leaves their workstation unattended or a network session is abandoned.
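The mechanism described above, written out as a small session manager so the three behaviours the control requires are visible in code: classification-based idle thresholds, a lock when the threshold is exceeded or the connection drops, and a full credential check before a locked session does anything. This is an added example, not code from the page or from any particular product; the class names, the `verify_credentials` callback and the credential store in `demo()` are constructed for illustration, and the 15/30-minute thresholds are taken from the control text.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional, Tuple

# Idle thresholds by sensitivity classification (minutes taken from the control
# text: 15 for privileged sessions, 30 for standard sessions).
IDLE_LIMITS: Dict[str, timedelta] = {
    "privileged": timedelta(minutes=15),
    "standard": timedelta(minutes=30),
}


@dataclass
class Session:
    user: str
    classification: str
    last_activity: datetime
    locked: bool = False
    # (event, timestamp, user) tuples; this is the audit trail step 7 of the
    # testing procedure expects to find in the logs.
    events: List[Tuple[str, datetime, str]] = field(default_factory=list)


class SessionManager:
    """Tracks sessions, locks them on idle timeout or disconnect, and requires
    full reauthentication before a locked session may resume (hypothetical)."""

    def __init__(self, verify_credentials: Callable[[str, str], bool]):
        self._verify = verify_credentials      # callable(user, secret) -> bool
        self._sessions: Dict[str, Session] = {}

    def login(self, session_id: str, user: str, secret: str,
              classification: str, now: datetime) -> bool:
        if classification not in IDLE_LIMITS:
            raise ValueError(f"unknown classification: {classification}")
        if not self._verify(user, secret):
            return False
        self._sessions[session_id] = Session(user, classification, now)
        return True

    def _enforce_timeout(self, s: Session, now: datetime) -> None:
        # Lock once the idle period exceeds the limit for this classification.
        if not s.locked and now - s.last_activity > IDLE_LIMITS[s.classification]:
            s.locked = True
            s.events.append(("TIMEOUT", now, s.user))

    def activity(self, session_id: str, now: datetime) -> bool:
        """True if the request may proceed; False if the session is unknown or
        locked (timed out / disconnected) and has not been reauthenticated."""
        s = self._sessions.get(session_id)
        if s is None:
            return False
        self._enforce_timeout(s, now)
        if s.locked:
            return False
        s.last_activity = now
        return True

    def disconnect(self, session_id: str, now: datetime) -> None:
        """A dropped connection is treated like a timeout: the session is locked
        and cannot be silently restored on reconnect."""
        s = self._sessions.get(session_id)
        if s is not None and not s.locked:
            s.locked = True
            s.events.append(("DISCONNECT", now, s.user))

    def reauthenticate(self, session_id: str, user: str, secret: str,
                       now: datetime) -> bool:
        """Full credential check; knowing the session id and user name alone
        does not unlock the session."""
        s = self._sessions.get(session_id)
        if s is None or user != s.user or not self._verify(user, secret):
            return False
        s.locked = False
        s.last_activity = now
        s.events.append(("REAUTH", now, s.user))
        return True

    def event_log(self, session_id: str) -> List[Tuple[str, datetime, str]]:
        s = self._sessions.get(session_id)
        return list(s.events) if s else []


def demo() -> dict:
    """Walks one privileged session through the timeout/reauth cycle."""
    creds = {"alice": "correct-horse"}                 # constructed store
    mgr = SessionManager(lambda u, p: creds.get(u) == p)
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    assert mgr.login("s1", "alice", "correct-horse", "privileged", t0)
    return {
        "ok_early": mgr.activity("s1", t0 + timedelta(minutes=10)),   # 10 min idle
        "ok_late": mgr.activity("s1", t0 + timedelta(minutes=26)),    # 16 min idle -> locked
        "resumed_without_reauth": mgr.activity("s1", t0 + timedelta(minutes=27)),
        "bad_reauth": mgr.reauthenticate("s1", "alice", "wrong", t0 + timedelta(minutes=28)),
        "good_reauth": mgr.reauthenticate("s1", "alice", "correct-horse", t0 + timedelta(minutes=28)),
        "ok_after": mgr.activity("s1", t0 + timedelta(minutes=29)),
        "events": mgr.event_log("s1"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The design point worth noting is that `activity()` evaluates the idle period on every request rather than relying on a background timer, so a session that went idle while the server was not looking is still locked the moment it is touched again, and `reauthenticate()` reruns the same credential check as `login()` instead of accepting a lighter-weight unlock.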

Control objective

What auditing this proves

Demonstrate that all systems and applications enforce idle timeout policies appropriate to their sensitivity classification and require full reauthentication for session resumption following timeout or disconnection.

Associated risks

Risks this control addresses

  • Unauthorized access to systems via unattended authenticated sessions when users leave workstations unlocked
  • Session hijacking or replay attacks exploiting long-lived inactive sessions that remain valid
  • Compliance violations with regulations requiring specific idle timeout periods (e.g., PCI-DSS, HIPAA)
  • Insider threats leveraging abandoned sessions of privileged users to perform unauthorized administrative actions
  • Data exfiltration through dormant application sessions left open in shared or public environments
  • Credential theft via physical access to devices with active but unmonitored sessions
  • Lateral movement by attackers maintaining persistent sessions after initial compromise without triggering reauthentication events

Testing procedure

How an auditor verifies this control

  1. Obtain and review the organization's idle timeout policy documentation to identify required timeout thresholds by system classification and user role.
  2. Inventory all in-scope systems, applications, remote access solutions, and privileged access management tools subject to idle timeout requirements.
  3. Extract and review configuration files or administrative console settings for each system to verify configured idle timeout values match policy requirements.
  4. Select a representative sample of systems across different sensitivity classifications and user populations for active testing.
  5. For each sampled system, establish an authenticated session and allow it to remain idle for the duration of the configured timeout period while monitoring system behavior.
  6. After timeout expiration, attempt to resume activity or reconnect and verify that the system requires full reauthentication rather than allowing automatic session restoration.
  7. Review authentication logs and session management logs to confirm timeout events are properly recorded with timestamps and user identifiers.
  8. Interview system administrators and end-users to validate operational enforcement and awareness of idle timeout requirements and reauthentication expectations.

Evidence required

Configuration exports from operating systems, applications, VPN concentrators, and PAM solutions showing idle timeout settings in minutes. Timestamped screenshots or screen recordings demonstrating session lockout after inactivity and reauthentication prompts upon reconnection attempts. Session management and authentication logs showing timeout events and subsequent authentication transactions with correlated timestamps and user identifiers.

Pass criteria

All sampled systems enforce idle timeout policies aligned with documented organizational standards, automatically lock or terminate sessions after the specified inactivity period, and require full reauthentication before granting access following timeout or disconnection.
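Step 7 of the procedure and the pass criteria come down to three checks on the session logs: no session shows a gap between activities longer than its classification's limit without a recorded timeout event, every timeout or disconnect event carries a timestamp and user identifier, and every resumption after such an event is preceded by a full reauthentication rather than a cookie or token refresh. The script below runs those checks over constructed sample log lines. It is an added example and not part of the page; the `timestamp key=value ...` log format, the event names (`LOGIN`, `ACTIVITY`, `TIMEOUT`, `DISCONNECT`, `REAUTH`), the `class=` field and the set of methods counted as full authentication are all assumptions, so an auditor would adapt `parse_line()` and `FULL_AUTH_METHODS` to the real log source.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Policy thresholds from the control text; assumed log field "class" names them.
POLICY: Dict[str, timedelta] = {
    "privileged": timedelta(minutes=15),
    "standard": timedelta(minutes=30),
}
# Assumed: only these methods count as full reauthentication; a cookie or
# refresh token silently restoring the session does not.
FULL_AUTH_METHODS = {"password", "password+mfa"}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line: str) -> Optional[dict]:
    """Parses the assumed format: ISO timestamp followed by key=value tokens."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        rec = {"ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")}
    except ValueError:
        return None
    for token in m.group("kv").split():
        k, _, v = token.partition("=")
        rec[k] = v
    return rec


def audit(lines: List[str]) -> List[str]:
    """Returns one finding string per policy violation found in the log."""
    findings: List[str] = []
    state: Dict[str, dict] = {}   # session id -> tracking state
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            findings.append(f"line {n}: unparseable log line")
            continue
        sid, ev, ts = rec.get("session"), rec.get("event"), rec["ts"]
        if ev == "LOGIN":
            cls = rec.get("class")
            if cls not in POLICY:
                findings.append(f"line {n}: session {sid} has no known classification; assuming privileged")
                cls = "privileged"          # fail closed: strictest limit
            if rec.get("method") not in FULL_AUTH_METHODS:
                findings.append(f"line {n}: session {sid} logged in with non-full method {rec.get('method')!r}")
            state[sid] = {"class": cls, "last": ts, "needs_reauth": False}
            continue
        s = state.get(sid)
        if s is None:
            findings.append(f"line {n}: event {ev} for unknown session {sid}")
            continue
        if ev == "ACTIVITY":
            gap = ts - s["last"]
            if s["needs_reauth"]:
                findings.append(f"line {n}: session {sid} resumed without reauthentication")
            elif gap > POLICY[s["class"]]:
                mins = int(gap.total_seconds() // 60)
                findings.append(f"line {n}: session {sid} idle {mins} min with no TIMEOUT event "
                                f"(limit {int(POLICY[s['class']].total_seconds() // 60)} min)")
            s["last"] = ts
        elif ev in ("TIMEOUT", "DISCONNECT"):
            if "user" not in rec:
                findings.append(f"line {n}: {ev} event for session {sid} lacks a user identifier")
            s["needs_reauth"] = True
        elif ev == "REAUTH":
            if rec.get("method") in FULL_AUTH_METHODS:
                s["needs_reauth"] = False
                s["last"] = ts
            else:
                findings.append(f"line {n}: session {sid} reauth by {rec.get('method')!r} is not full reauthentication")
    return findings


# Constructed sample: s1 is compliant, s2 resumes via a cookie after timeout,
# s3 stays idle 49 minutes with no timeout event recorded.
SAMPLE_LOG = """
2024-03-04T09:00:00Z session=s1 user=alice class=privileged event=LOGIN method=password+mfa
2024-03-04T09:05:00Z session=s1 user=alice event=ACTIVITY
2024-03-04T09:20:30Z session=s1 user=alice event=TIMEOUT
2024-03-04T09:45:00Z session=s1 user=alice event=REAUTH method=password+mfa
2024-03-04T09:46:00Z session=s1 user=alice event=ACTIVITY
2024-03-04T10:00:00Z session=s2 user=bob class=standard event=LOGIN method=password
2024-03-04T10:02:00Z session=s2 user=bob event=ACTIVITY
2024-03-04T10:33:00Z session=s2 user=bob event=TIMEOUT
2024-03-04T10:40:00Z session=s2 user=bob event=REAUTH method=cookie
2024-03-04T10:41:00Z session=s2 user=bob event=ACTIVITY
2024-03-04T11:00:00Z session=s3 user=carol class=standard event=LOGIN method=password
2024-03-04T11:01:00Z session=s3 user=carol event=ACTIVITY
2024-03-04T11:50:00Z session=s3 user=carol event=ACTIVITY
""".strip().splitlines()


def audit_sample() -> List[str]:
    return audit(SAMPLE_LOG)


if __name__ == "__main__":
    for f in audit_sample():
        print(f)
```

Run against the sample, the script reports three findings (the cookie-based reauth on s2, the s2 activity that followed it, and the 49-minute silent gap on s3) and nothing for s1, which is what a passing sample looks like under the criteria above.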
