Terminate network connections associated with communications sessions at the end of the sessions
π What This Means
This control requires that any network connection established for a communication session is properly terminated once the session ends. Think of it like hanging up a phone call when you're done talkingβleaving the line open could allow unauthorized access or eavesdropping. In practical terms, this means ensuring that VPNs, remote desktop sessions, or other network connections are closed immediately after use. For example, if an employee logs into a remote server to complete a task, the connection should automatically disconnect when the task is done. This prevents lingering connections that could be exploited by attackers.
π― Why It Matters
Leaving network connections open after a session ends creates a security risk. Attackers can exploit these idle connections to gain unauthorized access to systems or steal sensitive data. For instance, in the 2021 Colonial Pipeline ransomware attack, attackers exploited an unused VPN connection to breach the network. The potential impact includes data breaches, financial loss, and reputational damage. From a DoD/CMMC perspective, this control is critical for protecting Controlled Unclassified Information (CUI) and ensuring secure communications in defense contractor environments.
β How to Implement
- 1. Configure session timeout policies in your cloud platform (e.g., AWS, Azure, GCP).
- 2. Use Identity and Access Management (IAM) tools to enforce session termination.
- 3. Enable logging and monitoring for cloud sessions to detect lingering connections.
- 4. Implement automated scripts to terminate idle sessions after a set period.
- 5. Regularly review and update session management configurations.
π Evidence Examples
Session timeout policy document
Firewall/VPN configuration screenshot
Session termination logs
Testing results
Training records
π SSP Guidance
Use this guidance when writing the System Security Plan (SSP) narrative for this control.
How to Write the SSP Narrative
For SC.L2-3.13.9 ("Terminate network connections associated with communications sessions at the end of the sessions"), your SSP narrative should specifically describe: (1) the tools and technologies you use to implement this control, (2) the configuration or process that enforces it, (3) who is responsible for maintaining it, and (4) what evidence proves it's working. Describe your network security architecture, including segmentation, encryption standards, VPN configuration, session management, key management, and monitoring capabilities. Be specific -- name your actual products, settings, and responsible personnel.
Example SSP Narratives
"SC.L2-3.13.9 is implemented using cloud-native controls. [Organization] uses [specific cloud service/feature] to terminate network connections associated with communications sessions at the end.... The configuration is managed through [Azure Policy/AWS Config/Terraform] and monitored via [SIEM tool]. Responsible party: [IT Security Manager]. Evidence: [specific artifact, e.g., 'Azure AD Conditional Access policy screenshot, CloudTrail logs']."
"SC.L2-3.13.9 is implemented through on-premise infrastructure controls. [Organization] uses [Active Directory/Group Policy/specific tool] to terminate network connections associated with communications sessions at the end.... Configuration is documented in [location] and audited [frequency]. Responsible party: [System Administrator]. Evidence: [specific artifact, e.g., 'Group Policy export, Windows Event logs']."
"SC.L2-3.13.9 is implemented across both cloud and on-premise environments. [Organization] uses [Azure AD Connect/hybrid tool] to ensure consistent enforcement. Cloud resources are managed via [cloud tool] and on-premise systems via [on-prem tool]. Both environments report to [centralized SIEM]. Responsible party: [IT Director]. Evidence: [artifacts from both environments]."
System Boundary Considerations
- β’ Document network architecture with CUI boundary clearly marked
- β’ Identify all encryption mechanisms (at rest and in transit)
- β’ Specify network monitoring and IDS/IPS deployment
- β’ Ensure this control covers all systems within your defined CUI boundary where terminate network connections associated with communications sessions at the end of the sessions applies
- β’ Document any systems where this control is not applicable and explain why
Key Documentation to Reference in SSP
- π System and Communications Protection Policy
- π Network architecture diagram
- π Firewall rule documentation
- π Encryption configuration documentation
- π Evidence artifacts specific to SC.L2-3.13.9
- π POA&M entry if control is not fully implemented
What the Assessor Looks For
The assessor will review network diagrams for proper segmentation, test encryption settings, verify VPN split tunneling is disabled, and check FIPS 140-2 validation of cryptographic modules.
π¬ Self-Assessment Questions
Use these questions to assess your compliance. Each "NO" answer provides specific remediation guidance.
Question 1: Do you have a documented session timeout policy?
Question 2: Are session timeout settings configured on all network devices?
Question 3: Are logs maintained for session terminations?
Question 4: Is training provided to employees on session termination?
Question 5: Is session termination regularly tested?
β οΈ Common Mistakes (What Auditors Flag)
1. Missing session timeout policies.
2. Inconsistent timeout settings across devices.
3. Inadequate logging.
4. Failure to train employees.
5. No testing of session termination.
π Parent Policy
This practice is governed by the System and Communications Protection Policy