Session Management
Session management controls how user sessions are created, maintained, and terminated on your systems. Security requirements include automatically locking or terminating sessions after a period of inactivity, requiring re-authentication when sessions expire, limiting the number of concurrent sessions per user, and protecting session identifiers from theft.
For CUI systems, session management ensures that unattended workstations don't remain logged in and accessible, that session tokens can't be hijacked by attackers, and that users must periodically re-verify their identity during long sessions.
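The four requirements above (inactivity timeout, re-authentication on expiry, a cap on concurrent sessions, and protected session identifiers) are shown together in the following added example, which is not from the original page. The class name `SessionStore`, the in-memory storage, and the three policy values are assumptions chosen for illustration; use the values your own policy sets.

```python
import hashlib
import secrets

IDLE_TIMEOUT = 15 * 60        # assumed policy value: end session after 15 min idle
MAX_LIFETIME = 8 * 60 * 60    # assumed policy value: force re-authentication after 8 h
MAX_CONCURRENT = 2            # assumed policy value: live sessions allowed per user


def _expired(s, now):
    return now - s["last_seen"] > IDLE_TIMEOUT or now - s["created"] > MAX_LIFETIME


class SessionStore:
    """Hypothetical in-memory store keyed by SHA-256 of the token, never the token."""

    def __init__(self):
        self._sessions = {}   # token hash -> {"user", "created", "last_seen"}

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, user, now):
        """Issue a session after successful authentication at time `now` (seconds)."""
        self._sessions = {k: s for k, s in self._sessions.items()
                          if not _expired(s, now)}
        mine = sorted((s["created"], k) for k, s in self._sessions.items()
                      if s["user"] == user)
        # Enforce the concurrent-session cap by ending the user's oldest sessions.
        while len(mine) >= MAX_CONCURRENT:
            del self._sessions[mine.pop(0)[1]]
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._sessions[self._key(token)] = {
            "user": user, "created": now, "last_seen": now}
        return token

    def validate(self, token, now):
        """Return the user for a live session, else None (caller must re-authenticate)."""
        key = self._key(token)
        s = self._sessions.get(key)
        if s is None or _expired(s, now):
            self._sessions.pop(key, None)   # terminate server-side, not only in the client
            return None
        s["last_seen"] = now                # activity resets the idle timer only
        return s["user"]

    def terminate(self, token):             # explicit logout
        self._sessions.pop(self._key(token), None)
```

Because activity refreshes only `last_seen`, a continuously used session still ends at `MAX_LIFETIME`, and a copy of the store's contents reveals token hashes rather than usable tokens.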
Why It Matters
Session management requirements under CMMC include screen lock after inactivity and session termination. These controls prevent unauthorized access to CUI through unattended workstations — a common and easily preventable security gap.