NIST 800-53 REV 5 • ACCESS CONTROL

AC-2(5) Inactivity Logout

Require that users log out when {{ insert: param, ac-02.05_odp }}.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Inactivity logout is behavior- or policy-based and requires users to take physical action to log out when they are expecting inactivity longer than the defined period. Automatic enforcement of inactivity logout is addressed by [AC-11](#ac-11).

Practitioner Notes

If someone walks away from their computer, the system should log them out or lock the screen after a set period of inactivity. This is not the same as a screensaver — the session should actually end or lock.

Example 1: Configure the GPO at Computer Configuration → Policies → Administrative Templates → Windows Components → Remote Desktop Services → Session Time Limits → "Set time limit for active but idle Remote Desktop Services sessions" to 15 minutes. This forces idle RDP sessions to disconnect.
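The following PowerShell script is an added audit example, not part of this control entry or of any Microsoft documentation. It checks whether the idle time limit from Example 1 is actually in effect on an RD Session Host by reading the policy registry value the GPO writes. It assumes that "Set time limit for active but idle Remote Desktop Services sessions" is stored as the DWORD `MaxIdleTime` (in milliseconds, 0 meaning "never") under the `Terminal Services` policy key, and that `fResetBroken` reflects "End session when time limits are reached"; the 15-minute target is the value from Example 1.

```powershell
# Added example (not from the source page): audit the RDP idle-session
# time limit that the GPO in Example 1 writes.
# Assumption: the policy is stored as DWORD MaxIdleTime (milliseconds,
# 0 = never) under the key below. Run on the RD Session Host being checked.

$RdsPolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$TargetMinutes = 15   # the value chosen in Example 1

function Test-RdpIdleTimeout {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [int]$MaxMinutes,
        [string]$Key = $RdsPolicyKey
    )

    $props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue

    if ($null -eq $props -or $null -eq $props.MaxIdleTime) {
        return [pscustomobject]@{
            Configured  = $false
            IdleMinutes = $null
            EndsSession = $false
            Compliant   = $false
            Finding     = 'MaxIdleTime is not set by policy; idle RDP sessions never time out'
        }
    }

    $ms      = [int64]$props.MaxIdleTime
    $minutes = [math]::Round($ms / 60000, 2)

    # fResetBroken = 1 is "End session when time limits are reached";
    # otherwise the idle session is only disconnected and can be resumed.
    $ends = ($null -ne $props.PSObject.Properties['fResetBroken'] -and $props.fResetBroken -eq 1)

    $finding = if ($ms -eq 0) { 'MaxIdleTime is 0 (never); idle sessions are not limited' }
               elseif ($minutes -gt $MaxMinutes) { "idle limit $minutes min exceeds target of $MaxMinutes min" }
               else { "idle limit $minutes min is within the $MaxMinutes min target" }

    return [pscustomobject]@{
        Configured  = $true
        IdleMinutes = $minutes
        EndsSession = [bool]$ends
        Compliant   = ($ms -gt 0 -and $minutes -le $MaxMinutes)
        Finding     = $finding
    }
}

$result = Test-RdpIdleTimeout -MaxMinutes $TargetMinutes
$result | Format-List

# Non-zero exit so a scheduled compliance scan can flag the host.
if (-not $result.Compliant) { exit 1 }
```

The check reads the policy hive rather than the live session settings, so it reports what Group Policy has delivered to the host; run `gpupdate /force` first if the GPO was just linked. `EndsSession` is reported separately because Example 1 only disconnects the idle session; whether a disconnected session should also be terminated is a separate decision.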

Example 2: In M365, set the idle session timeout under Azure AD → Enterprise Applications → Microsoft Office 365 → Properties → Conditional Access → Session → Sign-in frequency to require re-authentication every 60 minutes of inactivity. This covers all browser-based M365 apps.
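The following PowerShell script is an added audit example for Example 2, not part of this control entry or of Microsoft's own tooling. It reports which Conditional Access policies enforce a sign-in frequency at or below the 60-minute interval. It assumes the Microsoft Graph PowerShell SDK is installed and that `Get-MgIdentityConditionalAccessPolicy` returns objects whose `SessionControls.SignInFrequency` carries `IsEnabled`, `Type` (`hours` or `days`) and `Value`; the three sample policies embedded below are constructed so the logic runs without a tenant.

```powershell
# Added example (not from the source page): report which Conditional Access
# policies enforce the sign-in frequency chosen in Example 2.
# Assumption: Graph policy objects expose SessionControls.SignInFrequency
# with IsEnabled, Type ('hours'/'days') and Value. Sample input is constructed.

$TargetMinutes = 60   # the interval chosen in Example 2

function ConvertTo-Minutes {
    # Normalise Graph's unit/value pair to minutes so different units compare.
    param([string]$Type, [int]$Value)
    switch ($Type) {
        'hours' { return $Value * 60 }
        'days'  { return $Value * 1440 }
        default { return $null }   # unknown unit: treat as not enforced
    }
}

function Get-SignInFrequencyReport {
    param(
        [Parameter(Mandatory)] [object[]]$Policies,
        [int]$MaxMinutes = $TargetMinutes
    )
    foreach ($p in $Policies) {
        $sif = $p.SessionControls.SignInFrequency
        # Only a policy in state 'enabled' actually enforces; report-only does not.
        $enforced = ($p.State -eq 'enabled') -and $sif -and $sif.IsEnabled
        $minutes  = if ($enforced) { ConvertTo-Minutes -Type $sif.Type -Value $sif.Value } else { $null }
        [pscustomobject]@{
            Policy    = $p.DisplayName
            State     = $p.State
            Minutes   = $minutes
            Compliant = ($null -ne $minutes -and $minutes -le $MaxMinutes)
        }
    }
}

# Constructed sample input shaped like Graph's policy objects.
$samplePolicies = @(
    [pscustomobject]@{ DisplayName = 'Require sign-in every hour'; State = 'enabled'
        SessionControls = @{ SignInFrequency = @{ IsEnabled = $true; Type = 'hours'; Value = 1 } } },
    [pscustomobject]@{ DisplayName = 'Daily re-auth (too long)'; State = 'enabled'
        SessionControls = @{ SignInFrequency = @{ IsEnabled = $true; Type = 'days'; Value = 1 } } },
    [pscustomobject]@{ DisplayName = 'Report-only draft'; State = 'enabledForReportingButNotEnforced'
        SessionControls = @{ SignInFrequency = @{ IsEnabled = $true; Type = 'hours'; Value = 1 } } }
)

$report = Get-SignInFrequencyReport -Policies $samplePolicies
$report | Format-Table -AutoSize

# Live tenant run (needs the Policy.Read.All scope), replacing the constructed sample:
#   Connect-MgGraph -Scopes 'Policy.Read.All'
#   Get-SignInFrequencyReport -Policies (Get-MgIdentityConditionalAccessPolicy)

if (-not ($report | Where-Object Compliant)) {
    Write-Warning "No enforced policy meets the $TargetMinutes-minute sign-in frequency target"
}
```

Against the constructed sample only the first policy is reported compliant: the daily policy exceeds the target and the report-only policy is not enforced. When run against a tenant, also confirm that a compliant policy is scoped to the users and the Office 365 app in question, since the script checks the session control but not the policy's assignments.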