AC.L2-3.1.11 · NIST SP 800-171 3.1.11

Session Termination

Terminate (automatically) a user session after a defined condition.

1 point if not met · POA&M eligible · 2 assessment objectives

What an assessor scores, the objectives

AC.L2-3.1.11 is met only when every one of these 2 objectives, from NIST SP 800-171A, is satisfied. A single missed objective makes the whole requirement not met.

  • a. Conditions requiring a user session to terminate are defined
  • b. A user session is automatically terminated after any of the defined conditions occur

How a C3PAO checks it

NIST SP 800-171A defines three assessment methods. For AC.L2-3.1.11, an assessor uses these:

Examine

Access control policy; procedures addressing session termination; system design documentation; system security plan; system configuration settings and associated documentation; list of conditions or trigger events requiring session disconnect; system audit logs and records; other relevant documents or records

Interview

System or network administrators; personnel with information security responsibilities; system developers

Test

Mechanisms implementing user session termination

What it means, in context

This requirement addresses the termination of user-initiated logical sessions in contrast to the termination of network connections that are associated with communications sessions (i.e., disconnecting from the network). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational system. Such user sessions can be terminated (and thus terminate user access) without terminating network sessions. Session termination terminates all processes associated with a user’s logical session except those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated. Conditions or trigger events requiring automatic session termination can include organization-defined periods of user inactivity, targeted responses to certain types of incidents, and time-of-day restrictions on system use.

Configure the system to terminate user sessions based on the organization’s policy. Session termination policies can be simple or sophisticated. Examples are inactivity (end the session after a specified duration (e.g., one hour [33]) of inactivity), day/time (all sessions are terminated at the end of the established workday), misbehavior (end the session due to an attempted policy violation), and maintenance (terminate sessions to prevent issues with an upgrade or service outage). If there is no automatic control of user sessions, an attacker can take advantage of an unattended session.

Example 1

You manage systems containing CUI for your organization and configure the system to terminate all user sessions after 1 hour of inactivity [a]. As the session timeout approaches, the system prompts users with a warning banner asking if they want to continue the session. When the session timeout does occur, the login page pops up, and the users must log in to start a new session [b].

Example 2

A user is logged into a corporate database containing CUI but is not authorized to view CUI. The user has submitted a series of queries that unintentionally violate policy, as they attempt to extract CUI that the user is not authorized to view [a]. The session terminates with a warning as a result of a violation of corporate policy [b]. The user must reestablish the session before being able to submit additional legitimate queries.

Potential Assessment Considerations

  • Are the conditions in which a user session must be terminated described (e.g., after a period of inactivity or after a defined time limit) [a]?
  • Are procedures documented that describe how to configure the system to enable automatic termination of user sessions after any of the defined conditions occur [b]?
  • Are user sessions terminated based on organization-defined conditions [a,b]?
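The four trigger conditions named above (inactivity, day/time, misbehavior, maintenance), mapped onto the two assessment objectives, as an added illustration in Python that is not part of NIST SP 800-171 or this page's guidance. The one-hour idle limit comes from the page's example; the workday end, violation limit, user names and timestamps are constructed assumptions, and the audit record format is illustrative.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import Optional

# Constructed policy values: the page's example is one hour of inactivity; the
# workday end and violation limit are illustrative assumptions, not from the page.
@dataclass
class TerminationPolicy:
    idle_limit: timedelta = timedelta(hours=1)   # inactivity condition
    workday_end: time = time(18, 0)              # day/time condition
    max_violations: int = 1                      # misbehavior condition
    maintenance_window_open: bool = False        # maintenance condition

@dataclass
class Session:
    user: str
    last_activity: datetime
    policy_violations: int = 0
    active: bool = True

def termination_reason(session: Session, now: datetime, policy: TerminationPolicy) -> Optional[str]:
    """Objective [a]: return the first defined condition that is met, else None."""
    if now - session.last_activity >= policy.idle_limit:
        return "inactivity"
    if now.time() >= policy.workday_end:
        return "end-of-workday"
    if session.policy_violations >= policy.max_violations:
        return "policy-violation"
    if policy.maintenance_window_open:
        return "maintenance"
    return None

def enforce(session: Session, now: datetime, policy: TerminationPolicy) -> Optional[dict]:
    """Objective [b]: sign the user out (not merely lock the screen) when a condition
    occurs, and return the audit record an assessor would look for; None otherwise."""
    reason = termination_reason(session, now, policy) if session.active else None
    if reason is None:
        return None
    session.active = False   # a new login is required to start a new session
    return {"event": "session_terminated", "user": session.user,
            "reason": reason, "time": now.isoformat()}

def run_scenarios() -> dict:
    pol, day = TerminationPolicy(), datetime(2026, 3, 2, 10, 0)   # constructed mid-workday timestamp
    late = day.replace(hour=18, minute=30)                        # constructed after-hours timestamp
    cases = {"idle": (Session("alice", day - timedelta(minutes=61)), day),
             "active": (Session("bob", day - timedelta(minutes=5)), day),
             "violation": (Session("carol", day, policy_violations=1), day),
             "after-hours": (Session("dave", late), late)}
    return {name: enforce(s, t, pol) for name, (s, t) in cases.items()}
```

The returned records are the kind of audit evidence an assessor examines; the "active" case shows a session that stays up because no defined condition has occurred.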

What passing evidence looks like

The condition you defined (idle time, work hours end, risk signal) and the setting that terminates sessions when it triggers.

Common ways contractors fail AC.L2-3.1.11

  • Session lock and session termination are different requirements. Termination ENDS the session (sign out); it does not just lock the screen.

The step by step walkthrough for Microsoft 365 GCC High, Google Workspace, and on premises setups, plus the exact evidence to capture, lives inside the Level 2 Accelerator.

Prove AC.L2-3.1.11, and the other 109

The Level 2 Accelerator walks all 110 requirements with you, generates your SSP, POA&M, and Audit Room from real evidence, includes the full Level 1 platform, and puts a credentialed officer alongside you for 180 days. Filed in 180 days, or we work free until you are.

No credit card. Phase 2 begins Nov 10, 2026, when applicable DoD solicitations start requiring a current Level 2 status to win the award.

AC.L2-3.1.11 questions, answered

How many points is CMMC requirement AC.L2-3.1.11 worth?

AC.L2-3.1.11 is worth 1 point in the CMMC Level 2 score under 32 CFR 170.24. If it is not met, you lose 1 from your total of 110.

Can AC.L2-3.1.11 be placed on a POA&M?

Yes. A gap on AC.L2-3.1.11 can be deferred to a Plan of Action and Milestones, provided your overall score is 88 or better and the item closes within 180 days.

What family does AC.L2-3.1.11 belong to?

AC.L2-3.1.11 is in the Access Control (AC) family, one of the 14 families of NIST SP 800-171 that make up CMMC Level 2.

Key references
  • NIST SP 800-171 Rev. 2 3.1.11

[33] Review DoD Cybersecurity FAQ Q53.2 for information on minimum values.