Close network connections when a session ends or after a period of inactivity.
What it actually means
Network connections tied to a communications session should terminate at the end of the session or after a defined idle timeout — so abandoned sessions can't be hijacked. Practically, that means idle timeouts on your VPN, remote desktop, and any web application that handles CUI.
Pass or fail — an assessor needs a "yes" to each
- Do VPN / remote sessions terminate after a defined period of inactivity?
- Do CUI-handling applications enforce session idle timeouts?
What to have ready
- VPN / RDP / application configuration showing idle-timeout values
- Policy defining the inactivity period
Where teams trip up
- VPN sessions that stay up indefinitely
- No timeout on web apps handling CUI
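For the web-application side, the sketch below shows one way to enforce both halves of the requirement on the server: termination at the end of the session and termination after inactivity. It is an added example, not code from this page or from any product; the class and method names are hypothetical, and the idle period passed in is assumed to be the value your policy defines.

```python
import secrets
import time


class IdleTimeoutSessions:
    """Server-side session table with an idle timeout (hypothetical helper)."""

    def __init__(self, idle_seconds, clock=time.monotonic):
        self.idle_seconds = idle_seconds  # assumption: taken from your policy
        self.clock = clock                # injectable so the logic can be tested
        self._sessions = {}  # session id -> [user, last_activity, close_callback]

    def open(self, user, close_connection):
        """Start a session; close_connection tears down the underlying connection."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = [user, self.clock(), close_connection]
        return sid

    def touch(self, sid):
        """Call on every request. Returns the user, or None if terminated."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if self.clock() - entry[1] >= self.idle_seconds:
            self.terminate(sid)  # idle too long: this request is refused as well
            return None
        entry[1] = self.clock()  # sliding window: only activity extends the session
        return entry[0]

    def terminate(self, sid):
        """End of session (logout) or timeout: drop state and close the connection."""
        entry = self._sessions.pop(sid, None)
        if entry is not None:
            entry[2]()

    def sweep(self):
        """Periodic job: close abandoned sessions that never send another request."""
        now = self.clock()
        expired = [s for s, e in self._sessions.items()
                   if now - e[1] >= self.idle_seconds]
        for sid in expired:
            self.terminate(sid)
        return len(expired)
```

The timeout is checked on the server against the last activity time, so a client that stops sending requests is still closed by `sweep()`, and a stale session ID presented later is rejected by `touch()`.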