NIST 800-171 • LEVEL 2 • SYSTEM AND COMMUNICATIONS PROTECTION

3.13.9 Network Disconnect

This requirement applies to internal and external networks. Terminating network connections associated with communications sessions includes deallocating TCP/IP addresses or port pairs at the operating system level or deallocating networking assignments at the application level if multiple application sessions are using a single network connection. Time periods of inactivity may be established by organizations and include time periods by type of network access or for specific network accesses.

CMMC Practice Mapping

NIST 800-53 Controls

Assessment Objectives

  • the network connection associated with a communications session is terminated at the end of the session or after {{ insert: param, A.03.13.09.ODP.01 }} of inactivity.

Practitioner Notes

Network sessions should not stay open forever. If a user walks away from their desk or a connection sits idle, it should be terminated after a defined period to prevent unauthorized access on an unattended session.

Example 1: Configure session timeouts for Remote Desktop connections via GPO: Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Session Time Limits. Set "Set time limit for disconnected sessions" to 15 minutes and "Set time limit for active but idle sessions" to 30 minutes.
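The GPO settings in Example 1 write their values into the Terminal Services policy registry key, which is also where an assessor can read back the evidence that the objective above is met. The script below is an added example, not part of the NIST text or this page; it applies the two limits from Example 1 and then reports each setting with a pass/fail verdict. It assumes a Windows host where the RDS policy key is honoured and that it is run from an elevated session; the function names are the author's own.

```powershell
# Added example: apply and verify the Remote Desktop session limits from Example 1.
# MaxDisconnectionTime / MaxIdleTime are the documented registry equivalents of the
# "Set time limit for disconnected sessions" / "Set time limit for active but idle
# sessions" GPO settings; both are DWORDs in milliseconds. Run as Administrator.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Targets taken from Example 1, converted to the milliseconds the policy expects.
$Targets = @{
    MaxDisconnectionTime = 15 * 60 * 1000   # disconnected sessions: 15 minutes
    MaxIdleTime          = 30 * 60 * 1000   # active but idle sessions: 30 minutes
}

function Set-RdsSessionLimits {
    # Creates the policy key if absent and writes each limit as a DWORD.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    foreach ($name in $Targets.Keys) {
        New-ItemProperty -Path $PolicyKey -Name $name -Value $Targets[$name] `
            -PropertyType DWord -Force | Out-Null
    }
}

function Test-RdsSessionLimits {
    # Emits one object per setting: expected value, configured value, verdict.
    # A missing value or 0 means "never disconnect", which fails the objective,
    # as does any limit longer than the organization-defined period.
    foreach ($name in $Targets.Keys) {
        $actual = (Get-ItemProperty -Path $PolicyKey -Name $name -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{
            Setting      = $name
            ExpectedMs   = $Targets[$name]
            ConfiguredMs = $actual
            Compliant    = ($null -ne $actual) -and ($actual -gt 0) -and ($actual -le $Targets[$name])
        }
    }
}

Set-RdsSessionLimits
Test-RdsSessionLimits | Format-Table -AutoSize
```

On a domain-joined host the next Group Policy refresh overwrites whatever is written locally, so set the limits in the GPO itself and use only Test-RdsSessionLimits on endpoints to collect evidence. The verdict deliberately treats 0 (no limit) and an absent value as non-compliant, since both leave idle sessions open indefinitely.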

Example 2: On your firewall or VPN concentrator, configure idle session timeouts. For example, on a Palo Alto firewall, set the TCP session timeout under Device > Setup > Session > Session Timeouts to 30 minutes for general traffic. For VPN sessions, configure the idle timeout in the GlobalProtect gateway settings to disconnect users after 30 minutes of inactivity.