NIST 800-53 REV 5 • ACCESS CONTROL

AC-12(2) Termination Message

Display an explicit logout message to users indicating the termination of authenticated communications sessions.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

Logout messages for web access can be displayed after authenticated sessions have been terminated. However, for certain types of sessions, including file transfer protocol (FTP) sessions, systems typically send logout messages as final messages prior to terminating sessions.

Practitioner Notes

When a session is terminated, display a message that says so explicitly. If the system ended the session rather than the user, say why as well: users should know whether their session ended because of an inactivity timeout, a policy limit such as a maximum session lifetime, or an administrative action. Invalidate the session on the server before the message is shown, and serve the message from a page that does not itself require a session; otherwise the user is bounced to the login form and never sees it.

Example 1: In your web applications, configure the session timeout handler to invalidate the session and then redirect the user to a page that says "Your session has expired due to inactivity. Please log in again." rather than showing a generic error page or silently redirecting to the login screen.
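
The following is an added example, not code from this page or from NIST, showing one way to implement Example 1 together with the other termination reasons from the notes above, as a stdlib-only Python WSGI application. The session store, the routes (/logged-out, /logout, /login), the cookie name, the timeouts and the message wording are assumptions chosen for the example.

```python
"""Session termination with an explicit, reason-specific logout message.

Added example, not code from the NIST text or from the site hosting this page. Every path
that ends a session (user logout, idle timeout, absolute lifetime, admin revocation)
invalidates it server-side first, then redirects the browser to /logged-out?reason=<code>.
Only known codes are rendered, so the query string cannot inject text. Names, routes and
timeouts are assumptions chosen for this example.
"""
import secrets
import time
from http import cookies
from urllib.parse import parse_qs, urlencode

IDLE_TIMEOUT = 15 * 60        # seconds of inactivity before the session ends
ABSOLUTE_LIFETIME = 8 * 3600  # hard cap on session age regardless of activity
COOKIE_NAME = "sid"
DEFAULT_REASON = "user_logout"
TERMINATION_MESSAGES = {
    "user_logout": "You have been logged out. Your session has ended.",
    "idle_timeout": "Your session has expired due to inactivity. Please log in again.",
    "lifetime": "Your session reached its maximum length and has ended. Please log in again.",
    "admin": "Your session was terminated by an administrator. Please log in again.",
}


class SessionStore:
    def __init__(self, clock=time.time):   # clock is injectable so tests can move time
        self.clock = clock
        self._sessions = {}  # sid -> {"user", "created", "last_seen"}
        self._revoked = {}   # sid -> reason, held until the browser's next request

    def create(self, user):
        sid = secrets.token_urlsafe(32)
        now = self.clock()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def end(self, sid):                      # user-initiated logout
        self._sessions.pop(sid, None)

    def revoke(self, sid, reason="admin"):   # administrative termination
        if self._sessions.pop(sid, None) is not None:
            self._revoked[sid] = reason

    def check(self, sid):
        """(user, None) if live; (None, reason) if terminated. Expired sessions die here."""
        if sid in self._revoked:
            return None, self._revoked.pop(sid)
        sess = self._sessions.get(sid)
        if sess is None:
            return None, None                # unknown or already gone: nothing to announce
        now = self.clock()
        if now - sess["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]
            return None, "idle_timeout"
        if now - sess["created"] > ABSOLUTE_LIFETIME:
            del self._sessions[sid]
            return None, "lifetime"
        sess["last_seen"] = now
        return sess["user"], None


def logout_redirect(reason):
    """303 to the logout page: clear the cookie, carry only a known reason code."""
    reason = reason if reason in TERMINATION_MESSAGES else DEFAULT_REASON
    headers = [("Location", "/logged-out?" + urlencode({"reason": reason})),
               ("Set-Cookie", f"{COOKIE_NAME}=; Max-Age=0; Path=/; HttpOnly; Secure; SameSite=Strict")]
    return "303 See Other", headers, b""


def termination_message(query_string):
    """Resolve ?reason=... to fixed text; unknown values get the default message."""
    reason = parse_qs(query_string).get("reason", [DEFAULT_REASON])[0]
    return TERMINATION_MESSAGES.get(reason, TERMINATION_MESSAGES[DEFAULT_REASON])


def make_app(store):
    def app(environ, start_response):
        path = environ.get("PATH_INFO", "/")
        jar = cookies.SimpleCookie(environ.get("HTTP_COOKIE", ""))
        sid = jar[COOKIE_NAME].value if COOKIE_NAME in jar else None
        plain = [("Content-Type", "text/plain; charset=utf-8"), ("Cache-Control", "no-store")]
        if path == "/logged-out":            # public: no session needed to read the message
            status, headers, body = "200 OK", plain, termination_message(environ.get("QUERY_STRING", "")).encode()
        elif path == "/logout":
            store.end(sid)
            status, headers, body = logout_redirect("user_logout")
        else:                                # every other path requires a live session
            user, reason = store.check(sid)
            if user:
                status, headers, body = "200 OK", plain, f"hello {user}\n".encode()
            elif reason:                     # the system ended it: say which reason
                status, headers, body = logout_redirect(reason)
            else:                            # no session was ever present: plain login redirect
                status, headers, body = "303 See Other", [("Location", "/login")], b""
        start_response(status, headers)
        return [body]
    return app
```

The ordering is the point: check() destroys an expired session before any response is built, the redirect clears the cookie, and /logged-out is served without a session, so the user actually sees the message instead of being bounced to the login form. Keeping the reason as a code that is looked up in a fixed table, rather than echoing free text from the query string, stops a crafted link from putting attacker-chosen wording on your logout page.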

Example 2: On a Remote Desktop Session Host, the idle and active session limits that trigger system-initiated disconnects, and whether a session is merely disconnected or ended when a limit is reached, are set in the session collection properties (Session tab) or by Group Policy under Remote Desktop Session Host > Session Time Limits. When an administrator forcibly disconnects or signs out a user's session (Task Manager, logoff, or PowerShell), the Remote Desktop client shows the user a notice that an administrator ended the session; if the user should be told why, send them a message first (for example with msg.exe) rather than relying on the disconnect dialog alone.