control_freak | Controls | AC-11

a. Prevent further access to the system by ac-11_odp.01 ; and

b. Retain the device lock until the user reestablishes access using established identification and authentication procedures.

Parameter ID	Definition
ac-11_odp.01	Selection (one-or-more): initiating a device lock after {{ insert: param ac-11_odp.02 }} of inactivity requiring the user to initiate a device lock before leaving the system unattended
ac-11_odp.02	time period

Parameter ID

Definition

ac-11_odp.01

Selection (one-or-more):

initiating a device lock after {{ insert: param
ac-11_odp.02 }} of inactivity
requiring the user to initiate a device lock before leaving the system unattended

ac-11_odp.02

time period

Baselines

Guidance

Device locks are temporary actions taken to prevent logical access to organizational systems when users stop work and move away from the immediate vicinity of those systems but do not want to log out because of the temporary nature of their absences. Device locks can be implemented at the operating system level or at the application level. A proximity lock may be used to initiate the device lock (e.g., via a Bluetooth-enabled device or dongle). User-initiated device locking is behavior or policy-based and, as such, requires users to take physical action to initiate the device lock. Device locks are not an acceptable substitute for logging out of systems, such as when organizations require users to log out at the end of workdays.

Control Enhancements 1

AC-11(01) Pattern-hiding Displays L M H P

Related controls 4

AC-02 Account Management L M H P
AC-07 Unsuccessful Logon Attempts L M H P
IA-11 Re-authentication L M H P
PL-04 Rules of Behavior L M H P

AC-11 Device Lock

Baselines

Guidance

Control Enhancements 1

Related controls 4