NIST 800-53 REV 5 • ACCESS CONTROL

AC-12(1) User-initiated Logouts

Provide a logout capability for user-initiated communications sessions whenever authentication is used to gain access to {{ insert: param, ac-12.01_odp }}.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

Information resources to which users gain access via authentication include local workstations, databases, and password-protected websites or web-based services.

Practitioner Notes

Users should be able to log themselves out at any time. Every application must provide a clearly visible logout option that actually terminates the session on the server, rather than merely closing the window.

Example 1: Ensure every web application has a visible Sign Out button that invalidates the server-side session and clears the authentication cookie. Test that after clicking logout, pressing the browser back button does not restore the authenticated session.
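The logout behaviour in Example 1, as an added illustration rather than anything from the control text: a framework-free Python sketch in which logout destroys the server-side session record, expires the cookie, and marks responses no-store so the back button cannot redisplay a cached authenticated page. The in-memory store, cookie name and handler names are constructed for the example.

```python
import secrets
import time

# Constructed in-memory session store standing in for a real backend such as Redis.
SESSIONS = {}
COOKIE_NAME = "sid"
# Every authenticated response carries no-store so the browser's back button cannot
# redisplay a cached copy of the page after the session is gone.
NO_CACHE = [("Cache-Control", "no-store, max-age=0"), ("Pragma", "no-cache")]

def login(user):
    """Create a server-side session; return the session id and response headers."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "created": time.time()}
    cookie = f"{COOKIE_NAME}={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"
    return sid, [("Set-Cookie", cookie)] + NO_CACHE

def session_id_from(cookie_header):
    """Extract our cookie's value from a raw Cookie request header, or None."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == COOKIE_NAME:
            return value
    return None

def current_user(cookie_header):
    """Resolve the user from the server-side store; None if no live session."""
    sid = session_id_from(cookie_header)
    return SESSIONS[sid]["user"] if sid in SESSIONS else None

def logout(cookie_header):
    """User-initiated logout: destroy the server-side session (the step a closed
    window never performs), expire the cookie, and forbid caching of the response."""
    SESSIONS.pop(session_id_from(cookie_header), None)
    expired = (f"{COOKIE_NAME}=; Path=/; Max-Age=0; "
               "Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly; Secure; SameSite=Lax")
    return [("Set-Cookie", expired)] + NO_CACHE

def protected_page(cookie_header):
    """Simulated authenticated page: 200 with no-store headers, else a login redirect.
    Replaying the old cookie after logout must land here as 302, not 200."""
    user = current_user(cookie_header)
    if user is None:
        return 302, [("Location", "/login")] + NO_CACHE, ""
    return 200, NO_CACHE, f"Welcome, {user}"
```

The back-button test from Example 1 corresponds to calling protected_page with the pre-logout cookie after logout and expecting the redirect, not the page.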

Example 2: For Windows users, train them to use Start → Sign out or Ctrl+Alt+Del → Sign out rather than just closing their laptop lid. Configure the power button and lid close actions via GPO to lock the device rather than sleep, under Computer Configuration → Administrative Templates → System → Power Management.