NIST 800-171 • LEVEL 2 • ACCESS CONTROL
3.1.10 — Device Lock
Prevent access to the system by {{ insert: param, A.03.01.10.ODP.01 }}. Retain the device lock until the user reestablishes access using established identification and authentication procedures. Conceal, via the device lock, information previously visible on the display with a publicly viewable image.
CMMC Practice Mapping
Assessment Objectives
- access to the system is prevented by {{ insert: param, A.03.01.10.ODP.01 }}.
- information previously visible on the display is concealed via device lock with a publicly viewable image.
- the device lock is retained until the user reestablishes access using established identification and authentication procedures.
Practitioner Notes
If someone walks away from their computer, the screen needs to lock automatically so nobody else can sit down and access CUI. The lock screen should hide whatever was on the display — not just dim it.
Example 1: Configure the screen lock via GPO at User Configuration → Administrative Templates → Control Panel → Personalization → "Enable screen saver" = Enabled, "Screen saver timeout" = 900 seconds (15 minutes), and "Password protect the screen saver" = Enabled. Because those screen saver settings are applied per user profile, also set the machine-wide Computer Configuration → Windows Settings → Security Settings → Local Policies → Security Options → "Interactive logon: Machine inactivity limit" to 900 seconds, so the session locks after inactivity regardless of the user's screen saver configuration.
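The following PowerShell audit script is an added example, not part of the control text above or any Microsoft tooling. It reads the registry values that the four GPO settings in Example 1 write and reports whether each one is present and within the limit, which is the evidence an assessor will ask for on a sampled endpoint. It assumes 900 seconds is the organization-defined value, and that the registry paths and value names below are the standard policy locations for those settings (they are, but verify against your own GPO results if your environment customizes ADMX templates).

```powershell
# Added example: audit the registry values behind the Example 1 GPO settings.
# Assumes a 900-second organization-defined timeout (the {{ insert }} parameter above).
$MaxIdleSeconds = 900

$UserDesktopPolicy   = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$MachineSystemPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# One entry per GPO setting: where it lands in the registry and how to judge it.
$Checks = @(
    @{ Setting = 'Enable screen saver';                         Path = $UserDesktopPolicy;   Name = 'ScreenSaveActive';      Kind = 'Flag' },
    @{ Setting = 'Screen saver timeout';                        Path = $UserDesktopPolicy;   Name = 'ScreenSaveTimeOut';     Kind = 'Timeout' },
    @{ Setting = 'Password protect the screen saver';           Path = $UserDesktopPolicy;   Name = 'ScreenSaverIsSecure';   Kind = 'Flag' },
    @{ Setting = 'Interactive logon: Machine inactivity limit'; Path = $MachineSystemPolicy; Name = 'InactivityTimeoutSecs'; Kind = 'Timeout' }
)

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent, i.e. the policy never applied.
    try {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        $null
    }
}

function Test-DeviceLockPolicy {
    param([int]$MaxSeconds = $MaxIdleSeconds)
    foreach ($c in $Checks) {
        $actual = Get-PolicyValue -Path $c.Path -Name $c.Name
        $compliant = switch ($c.Kind) {
            'Flag'    { "$actual" -eq '1' }
            'Timeout' {
                # Must be present, numeric, non-zero (0 disables the lock) and within the limit.
                $seconds = 0
                [int]::TryParse("$actual", [ref]$seconds) -and $seconds -gt 0 -and $seconds -le $MaxSeconds
            }
        }
        [pscustomobject]@{
            Setting   = $c.Setting
            Actual    = if ($null -eq $actual) { '<not set>' } else { $actual }
            Required  = if ($c.Kind -eq 'Flag') { '1' } else { "1..$MaxSeconds" }
            Compliant = $compliant
        }
    }
}

$results = Test-DeviceLockPolicy
$results | Format-Table -AutoSize
if ($results.Compliant -contains $false) {
    Write-Warning 'Device lock policy is NOT fully applied on this host.'
}
```

Run it in the context of an interactive user (not as SYSTEM), because the three screen saver values live under HKCU and only exist in that user's hive once the User Configuration GPO has applied; a `<not set>` result usually means the policy has not reached the device rather than that it was set to a bad value. The machine inactivity limit under HKLM is readable from any context and is the value that backs the "device lock is retained" objective independently of the user's own settings.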
Example 2: For macOS devices managed through Jamf Pro, create a Configuration Profile under Computers → Configuration Profiles → Security & Privacy. Set "Require password after sleep or screen saver begins" to "Immediately" and configure the screen saver to activate after 15 minutes of inactivity. Push the profile to all managed Macs.