https://csf.tools/reference/nist-sp-800-53/r5/ac/ac-2/ac-2-5/
Require that users log out when [Assignment: organization-defined time period of expected inactivity or description of when to log out].
Supplemental Guidance
Inactivity logout is behavior- or policy-based and requires users to take physical action to log out when they are expecting inactivity longer than the defined period. Automatic enforcement of inactivity logout is addressed by AC-11.
However, AC-11 is not about logging out; it's about device lock!
https://csf.tools/reference/nist-sp-800-53/r5/ac/ac-11/
Prevent further access to the system by [Assignment (one or more): initiating a device lock after [Assignment: organization-defined time period] of inactivity, requiring the user to initiate a device lock before leaving the system unattended]; and
Retain the device lock until the user reestablishes access using established identification and authentication procedures.
So my question is this: is AC-2(5) actually asking us to put in place a policy that users log out of their computer at the end of the day, or would it be sufficient to say that users must lock their computer when they walk away from it?