NIST 800-53 REV 5 • ACCESS CONTROL
AC-12 — Session Termination
Automatically terminate a user session after [Assignment: organization-defined conditions or trigger events requiring session disconnect].
Supplemental Guidance
Session termination addresses the termination of user-initiated logical sessions (in contrast to [SC-10](#sc-10), which addresses the termination of network connections associated with communications sessions (i.e., network disconnect)). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational system. Such user sessions can be terminated without terminating network sessions. Session termination ends all processes associated with a user’s logical session except for those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated. Conditions or trigger events that require automatic termination of the session include organization-defined periods of user inactivity, targeted responses to certain types of incidents, or time-of-day restrictions on system use.
Practitioner Notes
Sessions must be terminated when an organization-defined trigger fires: a period of inactivity, a change in conditions such as an incident-response action or a time-of-day restriction, or the session simply no longer being needed. A session should never stay open indefinitely, whether idle or active. Note the distinction the guidance draws: terminating the logical session means logging the user off and ending their processes, which is not the same as dropping the network connection (SC-10). A disconnected session that the user can reattach to is still an open session and still counts against this control.
Example 1: In IIS Manager, the ASP.NET session-state timeout is set under Session State → Cookie Settings → Time-out (in minutes); 20 minutes is the default, and it is a sliding idle timeout (the same setting as the sessionState timeout attribute in web.config). That value only expires server-side session data. The authentication ticket has its own lifetime (the forms-authentication timeout and slidingExpiration attributes, or the cookie ExpireTimeSpan in ASP.NET Core), so configure both; otherwise an idle user keeps a valid login after their session state is gone. For RDP, the relevant policies are under Computer Configuration → Administrative Templates → Windows Components → Remote Desktop Services → Remote Desktop Session Host → Session Time Limits. Set "Set time limit for disconnected sessions" to 1 hour so that a disconnected session is logged off rather than lingering, set "Set time limit for active but idle Remote Desktop Services sessions" to the organization-defined idle period, and enable "End session when time limits are reached". Without that last setting an idle session is only disconnected, which leaves it reattachable and merely starts the disconnected-session timer instead of terminating it.
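The RDP side of Example 1, as an added example that is not part of the NIST text or this page's original notes: a PowerShell script that writes the registry values the "Session Time Limits" policies set on a Remote Desktop Session Host, plus an audit function that reports the insecure "never" default as a finding. The registry path and value names (MaxIdleTime, MaxDisconnectionTime, MaxConnectionTime, fResetBroken, all DWORDs in milliseconds except the fResetBroken flag) are the ones the GPO writes; the 15-minute idle and 10-hour active limits are assumed values standing in for the organization-defined AC-12 parameter, and the function names are this example's own. In a domain, a GPO will overwrite local values at the next policy refresh, so set the limits through the GPO and use only the audit function here.

```powershell
# Added example (not from the NIST control text or the page's Example 1).
# Writes and audits the registry values behind the RDS "Session Time Limits" GPOs.
# Run elevated on the session host. Times are stored in milliseconds.
$TsPolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Set-RdpSessionLimits {
    param(
        [int]$IdleMinutes         = 15,   # assumed idle limit (organization-defined AC-12 parameter)
        [int]$DisconnectedMinutes = 60,   # the 1 hour from Example 1
        [int]$ActiveHours         = 10,   # assumed absolute limit on an active session
        [switch]$DisconnectOnly            # default is to log off (fResetBroken = 1) when a limit is hit
    )
    if (-not (Test-Path $TsPolicyPath)) { New-Item -Path $TsPolicyPath -Force | Out-Null }
    $values = @{
        MaxIdleTime          = $IdleMinutes * 60000
        MaxDisconnectionTime = $DisconnectedMinutes * 60000
        MaxConnectionTime    = $ActiveHours * 3600000
        # 1 = end (log off) the session when an active/idle limit is reached; 0 = only disconnect it.
        # The disconnected-session limit always logs off; this flag governs the active/idle limits.
        fResetBroken         = [int](-not $DisconnectOnly)
    }
    foreach ($name in $values.Keys) {
        New-ItemProperty -Path $TsPolicyPath -Name $name -PropertyType DWord `
            -Value $values[$name] -Force | Out-Null
    }
}

function Test-RdpSessionLimits {
    # Returns one object per check; Pass = $false is an AC-12 finding.
    param(
        [int]$MaxIdleMinutes         = 15,
        [int]$MaxDisconnectedMinutes = 60
    )
    $p = Get-ItemProperty -Path $TsPolicyPath -ErrorAction SilentlyContinue
    $checks = @(
        @{ Name = 'MaxIdleTime';          LimitMs = $MaxIdleMinutes * 60000;         Desc = 'idle session limit' }
        @{ Name = 'MaxDisconnectionTime'; LimitMs = $MaxDisconnectedMinutes * 60000; Desc = 'disconnected session limit' }
    )
    foreach ($c in $checks) {
        $ms = $null
        if ($null -ne $p) { $ms = $p.($c.Name) }
        # A missing value or 0 means "never", which is the insecure out-of-the-box state.
        $pass = ($null -ne $ms) -and ($ms -gt 0) -and ($ms -le $c.LimitMs)
        $shown = 'not set (never)'
        if ($null -ne $ms) { $shown = if ($ms -eq 0) { '0 (never)' } else { "$($ms / 60000) min" } }
        [pscustomobject]@{ Check = $c.Desc; Value = $shown; Pass = $pass }
    }
    $reset = $null
    if ($null -ne $p) { $reset = $p.fResetBroken }
    $resetShown = 'disconnect only'
    if ($reset -eq 1) { $resetShown = 'log off' }
    [pscustomobject]@{
        Check = 'end session (not just disconnect) when limit reached'
        Value = $resetShown
        Pass  = ($reset -eq 1)
    }
}

# Usage (elevated):
#   Set-RdpSessionLimits -IdleMinutes 15 -DisconnectedMinutes 60
#   Test-RdpSessionLimits | Format-Table
```

Test-RdpSessionLimits reads only the Policies hive, so a host configured purely through the Remote Desktop Session Host Configuration UI or a local registry edit elsewhere will show as "not set"; treat that as a prompt to confirm where the limit actually comes from rather than as proof of compliance.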
Example 2: In Microsoft Entra ID (Azure AD) Conditional Access, configure Session → Sign-in frequency to require re-authentication every 8 hours for standard users and every 1 hour for privileged accounts, and set Session → Persistent browser session to Never persistent for sensitive applications so the browser session ends when the browser is closed. Sign-in frequency is a scheduled re-authentication, not a kill switch: a token issued inside the window remains valid until the window ends. For the incident-triggered termination the guidance calls for, revoke the user's refresh tokens (Revoke sessions on the user's page in the portal, or the revokeSignInSessions action in Microsoft Graph). Access tokens that were already issued stay usable until they expire, normally within an hour, unless the application enforces continuous access evaluation, so record the revocation time in the incident timeline.
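The incident-triggered termination mentioned in Example 2, as an added example that is not part of the NIST text or this page's original notes: a PowerShell function using the Microsoft Graph PowerShell SDK that revokes a user's Entra ID sign-in sessions, optionally disables the account, and emits a record for the incident timeline. It assumes the Microsoft.Graph module is installed and that the caller can consent to the User.ReadWrite.All scope (Microsoft also publishes narrower permissions; check the Graph permissions reference for your tenant). The function name, the IncidentId parameter, and the user principal name in the usage comment are this example's own.

```powershell
# Added example (not from the NIST control text or the page's Example 2).
# Incident-triggered session termination in Entra ID with the Microsoft Graph PowerShell SDK.
# Revocation invalidates refresh tokens and browser session cookies; existing access tokens
# remain valid until they expire unless the app supports continuous access evaluation.
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Users.Actions

function Invoke-UserSessionTermination {
    param(
        [Parameter(Mandatory)][string[]]$UserPrincipalName,
        [Parameter(Mandatory)][string]$IncidentId,   # assumed: your ticket or incident reference
        [switch]$DisableAccount                       # also block new sign-ins, not just existing sessions
    )
    foreach ($upn in $UserPrincipalName) {
        $user = Get-MgUser -UserId $upn -Property Id,UserPrincipalName,AccountEnabled
        # Revoke first, then disable: disabling alone leaves issued refresh tokens to be rejected
        # only when they are next used, while revocation invalidates them immediately.
        Revoke-MgUserSignInSession -UserId $user.Id | Out-Null
        if ($DisableAccount) {
            Update-MgUser -UserId $user.Id -AccountEnabled:$false
        }
        [pscustomobject]@{
            User       = $user.UserPrincipalName
            RevokedUtc = (Get-Date).ToUniversalTime().ToString('o')
            Disabled   = [bool]$DisableAccount
            Incident   = $IncidentId
        }
    }
}

# Usage:
#   Connect-MgGraph -Scopes 'User.ReadWrite.All'
#   Invoke-UserSessionTermination -UserPrincipalName 'alice@contoso.example' -IncidentId 'INC-1234' -DisableAccount |
#       Export-Csv .\ac12-revocations.csv -NoTypeInformation -Append
```

This terminates the identity-provider session only. RDP sessions on a session host and server-side ASP.NET sessions from Example 1 are separate logical sessions and need their own termination (log off the RDP session, clear or invalidate the application session), which is why the evidence record above carries a timestamp per layer rather than a single "session ended" entry.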