NetStable
Level 2 AC.L2-3.1.10

Use session lock with pattern-hiding displays

📖 What This Means

This practice requires organizations to implement session locks on devices that display sensitive information. A session lock automatically locks the device after a period of inactivity, preventing unauthorized access. Additionally, the display should hide patterns or sensitive information when locked to avoid visual exposure. For example, if an employee steps away from their computer in a shared workspace, the session lock ensures that anyone passing by cannot see or access the information on the screen. This is particularly important for defense contractors handling Controlled Unclassified Information (CUI), as it prevents accidental or intentional data breaches.

🎯 Why It Matters

Failing to implement session locks with pattern-hiding displays exposes sensitive information to unauthorized individuals, increasing the risk of data breaches. For instance, a 2021 report found that 20% of breaches occurred due to unattended devices. In the defense sector, unauthorized access to CUI can lead to significant financial losses, legal penalties, and reputational damage. The DoD emphasizes this control to protect CUI from visual and physical access by unauthorized personnel, ensuring compliance with CMMC requirements.

How to Implement

  1. Configure session lock settings in your cloud platform (e.g., AWS WorkSpaces, Azure Virtual Desktop).
  2. Set inactivity timeout to 15 minutes or less.
  3. Enable screen saver with password protection.
  4. Use pattern-hiding features like blanking the screen when locked.
  5. Test the session lock functionality to ensure it works as intended.
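The steps above, as an added example that is not part of the NetStable page: a PowerShell audit for a Windows endpoint that reads the registry locations the screen saver and "Machine inactivity limit" policies write to and reports any gap against the 15-minute threshold. The registry paths and value names are the standard Windows ones; the function names and output format are this example's own.

```powershell
# Added example, not from the NetStable page: audit a Windows endpoint for the
# AC.L2-3.1.10 settings (lock on inactivity within 15 minutes, display hidden).
# Assumes the lock is delivered either by a password-protected blank screen saver
# (the usual Group Policy approach) or by the "Interactive logon: Machine
# inactivity limit" security option; either path satisfies the timeout check.
$MaxIdleSeconds = 15 * 60

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null for a missing key or value rather than throwing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Get-DesktopSetting {
    param([string]$Name)
    # Values pushed by Group Policy (Software\Policies) take precedence over the
    # user's own Control Panel settings, so read the policy location first.
    $v = Get-RegValue 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop' $Name
    if ($null -eq $v) { $v = Get-RegValue 'HKCU:\Control Panel\Desktop' $Name }
    return $v
}

function Test-SessionLock {
    $findings = @()
    $active  = Get-DesktopSetting 'ScreenSaveActive'      # "1" = screen saver on
    $secure  = Get-DesktopSetting 'ScreenSaverIsSecure'   # "1" = password on resume
    $timeout = Get-DesktopSetting 'ScreenSaveTimeOut'     # seconds of inactivity
    $saver   = Get-DesktopSetting 'SCRNSAVE.EXE'          # which .scr is used
    $machineIdle = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'InactivityTimeoutSecs'

    $saverLocks   = ($active -eq '1') -and ($secure -eq '1') -and $saver -and $timeout -and ([int]$timeout -le $MaxIdleSeconds)
    $machineLocks = $machineIdle -and ([int]$machineIdle -le $MaxIdleSeconds)
    if (-not ($saverLocks -or $machineLocks)) {
        $findings += "No enforced lock within $MaxIdleSeconds s (screen saver: active=$active secure=$secure timeout=$timeout saver=$saver; InactivityTimeoutSecs=$machineIdle)"
    }
    # Pattern hiding: savers such as Bubbles draw over the live desktop, so the
    # screen saver path only hides content when the blank saver (scrnsave.scr) is used.
    if (($active -eq '1') -and $saver -and ((Split-Path $saver -Leaf) -ne 'scrnsave.scr')) {
        $findings += "Screen saver '$saver' may leave desktop content visible; use scrnsave.scr (Blank)"
    }
    return $findings
}

$gaps = @(Test-SessionLock)
if ($gaps.Count -eq 0) { Write-Output 'PASS: session lock meets AC.L2-3.1.10' }
else { Write-Output 'GAPS:'; $gaps | ForEach-Object { Write-Output " - $_" } }
```

Run it in the context of a user subject to the policy; the printed result can be saved as the "Testing results" evidence item listed below.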
⏱️ Estimated Effort

4-6 hours for initial setup; low skill level required.

📋 Evidence Examples

Session lock configuration

Format: Screenshot
Frequency: Annually or after changes
Contents: OS or cloud platform settings showing session lock and inactivity timeout
Collection: Take screenshots of the settings

Screen saver settings

Format: Screenshot
Frequency: Annually or after changes
Contents: Screen saver settings with password protection enabled
Collection: Take screenshots of the settings

Testing results

Format: Document
Frequency: Annually
Contents: Evidence of testing session lock functionality
Collection: Document test results

Policy document

Format: PDF
Frequency: Annually
Contents: Policy outlining session lock requirements
Collection: Review and update the policy

Training records

Format: Spreadsheet
Frequency: Annually
Contents: Employee training on session lock procedures
Collection: Maintain training records

📝 SSP Guidance

Use this guidance when writing the System Security Plan (SSP) narrative for this control.

How to Write the SSP Narrative

For AC.L2-3.1.10 ("Use session lock with pattern-hiding displays"), your SSP narrative should specifically describe: (1) the tools and technologies you use to implement this control, (2) the configuration or process that enforces it, (3) who is responsible for maintaining it, and (4) what evidence proves it's working. Describe how access to CUI systems is controlled, including the specific IAM tools, policies, and processes used. Reference your Access Control Policy and identify the systems in scope. Be specific -- name your actual products, settings, and responsible personnel.

Example SSP Narratives

Cloud (Azure/AWS)

"AC.L2-3.1.10 is implemented using cloud-native controls. [Organization] uses [specific cloud service/feature] to enforce session lock with pattern-hiding displays. The configuration is managed through [Azure Policy/AWS Config/Terraform] and monitored via [SIEM tool]. Responsible party: [IT Security Manager]. Evidence: [specific artifact, e.g., 'Azure AD Conditional Access policy screenshot, CloudTrail logs']."

On-Premise

"AC.L2-3.1.10 is implemented through on-premise infrastructure controls. [Organization] uses [Active Directory/Group Policy/specific tool] to enforce session lock with pattern-hiding displays. Configuration is documented in [location] and audited [frequency]. Responsible party: [System Administrator]. Evidence: [specific artifact, e.g., 'Group Policy export, Windows Event logs']."

Hybrid

"AC.L2-3.1.10 is implemented across both cloud and on-premise environments. [Organization] uses [Azure AD Connect/hybrid tool] to ensure consistent enforcement. Cloud resources are managed via [cloud tool] and on-premise systems via [on-prem tool]. Both environments report to [centralized SIEM]. Responsible party: [IT Director]. Evidence: [artifacts from both environments]."

System Boundary Considerations

  • Identify all access points to CUI systems (VPN, direct network, cloud portals)
  • Document which IAM system manages access (Azure AD, AWS IAM, on-prem AD)
  • Map user roles to system access levels
  • Ensure this control covers all systems within your defined CUI boundary where session lock with pattern-hiding displays applies
  • Document any systems where this control is not applicable and explain why

Key Documentation to Reference in SSP

  • 📄 Access Control Policy
  • 📄 IAM configuration documentation
  • 📄 Access request and approval records
  • 📄 Evidence artifacts specific to AC.L2-3.1.10
  • 📄 POA&M entry if control is not fully implemented

What the Assessor Looks For

The assessor will verify that access controls are implemented as described, test whether unauthorized users are blocked, and review access logs for evidence of enforcement.

💬 Self-Assessment Questions

Use these questions to assess your compliance. Each "NO" answer provides specific remediation guidance.

Question 1: Is session lock enabled on all devices?

✅ YES → Proceed to Q2
❌ NO → GAP: Enable session lock on all devices
Remediation:
Configure session lock settings within 1 week

Question 2: Is the inactivity timeout set to 15 minutes or less?

✅ YES → Proceed to Q3
❌ NO → GAP: Adjust inactivity timeout
Remediation:
Set timeout to 15 minutes or less within 1 week

Question 3: Does the session lock hide patterns or sensitive information?

✅ YES → Proceed to Q4
❌ NO → GAP: Enable pattern-hiding features
Remediation:
Configure screen blanking within 1 week

Question 4: Have you tested the session lock functionality?

✅ YES → Proceed to Q5
❌ NO → GAP: Test session lock functionality
Remediation:
Conduct testing within 2 weeks

Question 5: Is there a documented policy for session lock requirements?

✅ YES → Compliance confirmed
❌ NO → GAP: Create or update the policy
Remediation:
Develop policy within 3 weeks

⚠️ Common Mistakes (What Auditors Flag)

1. Not setting a short enough inactivity timeout

Why this happens: Default settings are often too long
How to avoid: Set timeout to 15 minutes or less

2. Failing to enable pattern-hiding features

Why this happens: Overlooking this requirement
How to avoid: Enable screen blanking or pattern-hiding

3. Inconsistent implementation across devices

Why this happens: Lack of centralized management
How to avoid: Use GPOs or MDM tools for uniformity

4. Not documenting session lock policies

Why this happens: Assuming settings are sufficient
How to avoid: Formalize policies in writing

5. Not testing session lock functionality

Why this happens: Assuming it works without verification
How to avoid: Conduct regular testing

📚 Parent Policy

This practice is governed by the Access Control Policy


📚 Related Controls