NIST 800-53 REV 5 • ACCESS CONTROL

AC-11 Device Lock

Prevent further access to the system by {{ insert: param, ac-11_odp.01 }}; and retain the device lock until the user reestablishes access using established identification and authentication procedures.

CMMC Practice Mapping

NIST 800-171 Mapping

Related Controls

Supplemental Guidance

Device locks are temporary actions taken to prevent logical access to organizational systems when users stop work and move away from the immediate vicinity of those systems but do not want to log out because of the temporary nature of their absences. Device locks can be implemented at the operating system level or at the application level. A proximity lock may be used to initiate the device lock (e.g., via a Bluetooth-enabled device or dongle). User-initiated device locking is behavior or policy-based and, as such, requires users to take physical action to initiate the device lock. Device locks are not an acceptable substitute for logging out of systems, such as when organizations require users to log out at the end of workdays.

Practitioner Notes

Devices must lock after a period of inactivity. This prevents someone from walking up to an unattended, unlocked computer and accessing data they should not see.

Example 1: Configure the screensaver lock via GPO at User Configuration → Policies → Administrative Templates → Control Panel → Personalization. Set "Screen saver timeout" to 900 seconds (15 minutes), "Enable screen saver" to Enabled, and "Password protect the screen saver" to Enabled.

Example 2: In Intune, create a device configuration profile under Devices → Configuration profiles → Device restrictions. Set "Maximum minutes of inactivity until screen locks" to 15. This applies to both Windows and macOS enrolled devices.
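As an added example (not part of the control text or the practitioner notes above), the PowerShell function below audits the registry values that the three GPO settings in Example 1 write and reports whether the current user's effective policy meets the 15-minute lock. It assumes the policy is delivered per user under HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop (where Group Policy stores these settings); the function name and the 900-second threshold parameter are choices made for this example.

```powershell
# Added example: audit the registry backing of the "Enable screen saver",
# "Password protect the screen saver" and "Screen saver timeout" GPO settings.
# Assumption: the settings are applied per user under the HKCU policy hive.
function Test-DeviceLockPolicy {
    [CmdletBinding()]
    param(
        # Largest acceptable inactivity period before the lock engages (seconds).
        [int]$MaxTimeoutSeconds = 900,
        # Location Group Policy writes the Personalization settings to.
        [string]$PolicyPath = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    )

    $findings = [System.Collections.Generic.List[string]]::new()

    if (-not (Test-Path $PolicyPath)) {
        $findings.Add("Policy key $PolicyPath is absent; the GPO has not applied to this user.")
        return [pscustomobject]@{ Compliant = $false; Timeout = 0; Findings = $findings }
    }

    $props = Get-ItemProperty -Path $PolicyPath -ErrorAction SilentlyContinue

    # "Enable screen saver" writes ScreenSaveActive = "1".
    if ($props.ScreenSaveActive -ne '1') {
        $findings.Add('Screen saver is not enabled (ScreenSaveActive is not 1).')
    }

    # "Password protect the screen saver" writes ScreenSaverIsSecure = "1".
    if ($props.ScreenSaverIsSecure -ne '1') {
        $findings.Add('Screen saver is not password protected (ScreenSaverIsSecure is not 1).')
    }

    # "Screen saver timeout" writes ScreenSaveTimeOut as a string of seconds.
    $timeout = 0
    if (-not [int]::TryParse([string]$props.ScreenSaveTimeOut, [ref]$timeout)) {
        $findings.Add('Screen saver timeout is not set (ScreenSaveTimeOut missing or non-numeric).')
    }
    elseif ($timeout -le 0 -or $timeout -gt $MaxTimeoutSeconds) {
        $findings.Add("Screen saver timeout is $timeout s; it must be between 1 and $MaxTimeoutSeconds s.")
    }

    [pscustomobject]@{
        Compliant = ($findings.Count -eq 0)
        Timeout   = $timeout
        Findings  = $findings
    }
}

# Run the audit in the context of the user being checked and show the result.
$result = Test-DeviceLockPolicy -MaxTimeoutSeconds 900
$result | Format-List
if (-not $result.Compliant) {
    $result.Findings | ForEach-Object { Write-Warning $_ }
}
```

The check reads only the policy hive, so it reports what Group Policy has enforced rather than what the user happened to pick in the Personalization dialog; run it under the account being audited, since HKCU is per user. A timeout value above 900 seconds, or a missing password-protect flag, is reported as a finding because either one leaves an unattended session reachable longer than the practitioner note allows.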