NIST 800-53 REV 5 • ACCESS CONTROL

AC-12(3) Timeout Warning Message

Display an explicit message to users indicating that the session will end in [Assignment: organization-defined time until end of session].

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

To increase usability, notify users of pending session termination and prompt users to continue the session. The pending session termination time period is based on the parameters defined in the [AC-12](#ac-12) base control.

Practitioner Notes

Before the system terminates a session, warn the user that their time is running out. This gives them a chance to save work and extend the session if appropriate.

Example 1: In your web application, implement a JavaScript timer that pops up a warning dialog 5 minutes before the session timeout: "Your session will expire in 5 minutes. Click Continue to stay logged in." If the user clicks Continue, the session timer resets. If not, the session ends.

Example 2: On Citrix Virtual Apps, configure the Session Pre-launch and Session Lingering settings along with idle timeout warnings in Citrix Studio. Users see a countdown notification before disconnection, giving them time to save their work.
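The timer logic from Example 1, as an added example that is not part of the original page or of NIST's text. The 5-minute lead comes from Example 1; the keep-alive reply shape `{ ok, expiresAt }` and the `ui.showWarning` / `ui.endSession` callbacks are hypothetical names. The sketch assumes the server issues the expiry time and enforces the timeout itself, so the browser timer only drives the warning.

```javascript
// Added example; not from the original page or NIST.
// WARNING_LEAD_MS follows Example 1 (5 minutes). The reply shape
// { ok, expiresAt } from a keep-alive endpoint is an assumption.
const WARNING_LEAD_MS = 5 * 60 * 1000;

// Decide what the UI shows, from the server-issued expiry time (epoch ms).
function sessionState(expiresAt, now, leadMs = WARNING_LEAD_MS) {
  const remainingMs = Math.max(0, expiresAt - now);
  if (remainingMs === 0) return { state: 'expired', remainingMs };
  if (remainingMs <= leadMs) return { state: 'warning', remainingMs };
  return { state: 'active', remainingMs };
}

// Explicit message stating how long until the session ends.
function warningText(remainingMs) {
  const min = Math.ceil(remainingMs / 60000);
  return `Your session will expire in ${min} minute${min === 1 ? '' : 's'}. ` +
    'Click Continue to stay logged in.';
}

// Handle the server's answer to "Continue". The client never extends the
// session on its own: a refused, malformed or stale reply ends it.
function applyContinue(session, reply, now) {
  const valid = reply && reply.ok === true &&
    Number.isFinite(reply.expiresAt) && reply.expiresAt > now;
  return valid
    ? { expiresAt: reply.expiresAt, ended: false }
    : { expiresAt: session.expiresAt, ended: true };
}

// One timer tick: ui.showWarning / ui.endSession are hypothetical callbacks
// (a dialog and a redirect to the login page in a browser).
function tick(session, now, ui) {
  const s = sessionState(session.expiresAt, now);
  if (s.state === 'warning') ui.showWarning(warningText(s.remainingMs));
  if (s.state === 'expired') ui.endSession();
  return s.state;
}
```

In a browser, `tick` would be called from `setInterval` with `Date.now()`, and `applyContinue` with the parsed response of the keep-alive request sent when the user clicks Continue.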