AC-11 / A.8.3 / CIS-4.3 NIST SP 800-53 Rev 5

Screen lock + idle timeout

Demonstrate that all endpoint devices automatically lock after a documented period of inactivity and require user reauthentication to unlock.

Description

What this control does

This control enforces automatic session locking on workstations, servers, and mobile devices after a defined period of user inactivity, requiring reauthentication to resume access. The timeout threshold is typically set between 5 and 15 minutes depending on data sensitivity and operational context. Screen lock prevents unauthorized physical access to active sessions when users leave devices unattended, reducing exposure to insider threats and tailgating attacks.

Control objective

What auditing this proves

Demonstrate that all endpoint devices automatically lock after a documented period of inactivity and require user reauthentication to unlock.

Associated risks

Risks this control addresses

  • Unauthorized personnel gain physical access to unlocked workstations in unattended offices or public spaces
  • Malicious insiders exploit unattended sessions to exfiltrate data, install malware, or escalate privileges
  • Cleaning staff, visitors, or contractors access sensitive information displayed on abandoned screens
  • Attackers perform 'evil maid' attacks on laptops left open in hotel rooms or conference areas
  • Session hijacking via physical proximity when legitimate users temporarily step away without manually locking
  • Compliance violations due to lack of technical enforcement of session timeout policies in regulated environments
  • Data breaches stemming from shoulder surfing combined with prolonged unattended session windows

Testing procedure

How an auditor verifies this control

  1. Obtain the organization's endpoint security policy documenting required idle timeout thresholds for different device types and user roles
  2. Export Group Policy Objects (GPO), Mobile Device Management (MDM) profiles, or endpoint configuration management policies governing screen lock and timeout settings
  3. Select a representative sample of at least 15 devices spanning Windows workstations, macOS laptops, Linux servers, and mobile devices across multiple departments
  4. Physically or remotely access each sampled device and review local configuration settings for screen lock timeout values via Control Panel, System Preferences, or configuration files
  5. Simulate inactivity on three randomly selected devices by leaving them idle and recording the time elapsed before automatic lock engages
  6. Review audit logs or endpoint management console reports to verify no administrative overrides or local policy bypasses exist on sampled devices
  7. Interview IT administrators to confirm processes for enforcing timeout settings on newly provisioned devices and detecting policy drift
  8. Cross-reference findings against policy requirements to identify any devices with timeout values exceeding documented maximums or with screen lock disabled
Evidence required

Collect GPO exports showing 'Interactive logon: Machine inactivity limit' or equivalent MDM configuration profiles with timeout values. Obtain screenshots of local device settings, timestamped photos or screen recordings demonstrating automatic lock activation after idle periods, and endpoint management console reports listing compliance status per device. Include policy documentation defining timeout thresholds and any approved exception records.

Pass criteria

All sampled devices demonstrate automatic screen lock activation within the policy-defined idle timeout threshold, with no local overrides or unapproved exceptions detected.
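As an added illustration of step 8 and the pass criteria (example code written for this page, not part of the control text or of any audit tool): a Python cross-reference that takes a constructed endpoint-console export, derives the effective time-to-lock per platform, and flags devices whose lock is disabled, whose timeout exceeds the class maximum, or which are covered by an approved exception. The export field names are assumptions: the Windows key mirrors the 'Interactive logon: Machine inactivity limit' registry value, the macOS and GNOME keys mirror the screensaver preference names, and maxInactivityMinutes is a hypothetical MDM field.

```python
# Policy maximums in seconds per device class (constructed values for this example).
POLICY_MAX_SECS = {"workstation": 15 * 60, "server": 10 * 60, "mobile": 5 * 60}
# Constructed sample of what an endpoint console export might contain, one record per device.
SAMPLE_EXPORT = [
    {"name": "WS-01", "platform": "windows", "class": "workstation", "InactivityTimeoutSecs": 600},
    {"name": "WS-02", "platform": "windows", "class": "workstation", "InactivityTimeoutSecs": 0},
    {"name": "MAC-03", "platform": "macos", "class": "workstation", "idleTime": 600, "askForPassword": 1, "askForPasswordDelay": 300},
    {"name": "MAC-04", "platform": "macos", "class": "workstation", "idleTime": 300, "askForPassword": 0},
    {"name": "SRV-05", "platform": "gnome", "class": "server", "idle-delay": 900, "lock-enabled": True, "lock-delay": 0},
    {"name": "PH-06", "platform": "mdm", "class": "mobile", "maxInactivityMinutes": 2},
]

def effective_lock_secs(rec):
    """Seconds of inactivity before the session locks, or None when it never locks."""
    p = rec["platform"]
    if p == "windows":
        # 'Interactive logon: Machine inactivity limit' -> InactivityTimeoutSecs; 0/absent = no limit
        base, delay, enabled = int(rec.get("InactivityTimeoutSecs", 0)), 0, True
    elif p == "macos":
        # Locks idleTime + askForPasswordDelay seconds after the last input; askForPassword=0 never locks
        base, delay = int(rec.get("idleTime", 0)), int(rec.get("askForPasswordDelay", 0))
        enabled = int(rec.get("askForPassword", 0)) == 1
    elif p == "gnome":
        # org.gnome.desktop.session idle-delay + org.gnome.desktop.screensaver lock-delay
        base, delay = int(rec.get("idle-delay", 0)), int(rec.get("lock-delay", 0))
        enabled = bool(rec.get("lock-enabled", False))
    elif p == "mdm":
        # Hypothetical MDM export field, expressed in minutes
        base, delay, enabled = int(rec.get("maxInactivityMinutes", 0)) * 60, 0, True
    else:
        raise ValueError(f"unknown platform {p!r}")
    # On every platform above, a zero base idle time means the lock never triggers
    return base + delay if enabled and base > 0 else None

def evaluate(records, approved_exceptions=frozenset()):
    """Map device name -> (status, detail); status is PASS, FAIL or EXCEPTION."""
    results = {}
    for rec in records:
        limit, secs = POLICY_MAX_SECS[rec["class"]], effective_lock_secs(rec)
        if secs is None:
            status, detail = "FAIL", "screen lock disabled"
        else:
            status = "FAIL" if secs > limit else "PASS"
            detail = f"locks after {secs}s, policy max {limit}s"
        if status == "FAIL" and rec["name"] in approved_exceptions:
            status = "EXCEPTION"  # approved deviation: reported, but not counted as a finding
        results[rec["name"]] = (status, detail)
    return results
```

A macOS record with askForPassword set but idleTime 0 is reported as disabled, since the screensaver that triggers the lock never starts; an approved exception only changes the status of a device that would otherwise fail.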
