3.1.11 — End the Session

The One-Liner

Session lock (3.1.10) pauses the session. This requirement kills it. Users must re-authenticate to get back in.

What It Says

Terminate (automatically) a user session after a defined condition.

What It Actually Means

Define conditions that end a session completely:

• Inactivity — no activity for 1 hour (common threshold)
• Time of day — all sessions terminate at end of business day
• Policy violation — session killed for suspicious behavior
• Maintenance — sessions ended for system updates

Give users a warning before termination so they can save their work. When the session ends, they’re back at the login screen and must fully re-authenticate.

The difference from 3.1.10: a locked session can be resumed with just a password. A terminated session requires a full new login, including MFA.

---

Pass or Fail

Your assessor needs a “yes” to every row:

#	Question	What “yes” looks like
1	Are termination conditions defined?	Documented triggers — inactivity, time limit, policy violation
2	Do sessions terminate automatically?	The system enforces it, not the user

---

What to Have Ready on Assessment Day

Documents they’ll review: Access control policy, session termination procedures, system configuration, list of termination triggers, audit logs

People they’ll talk to: Sysadmins, information security staff, system developers

Live demos they’ll ask for: “Leave a session idle and show me it terminates after the defined period.”

---

The Assessor’s Playbook

These are the actual questions. Have answers ready.

• “What conditions trigger automatic session termination?”
• “Are procedures documented for configuring automatic termination?”
• “Show me that sessions actually terminate after the defined conditions.”

Real-World Example

A contractor configures Entra ID Conditional Access to enforce session lifetime: 1-hour sign-in frequency for CUI applications. After 1 hour, users get a prompt to re-authenticate including MFA. VPN sessions also timeout after 1 hour of inactivity. Users get a 5-minute warning before disconnection.

---

Where Companies Trip Up

No session termination. Sessions stay active until users manually log off. Some users never log off.

Workstations but not cloud. M365 sessions staying active for days because browser tokens don’t expire.

No warning. Sessions terminated without warning — users lose unsaved work and bypass the control by finding workarounds.

---

How to Talk About This

To a CEO or Board

Our sessions terminate automatically after one hour of inactivity. Users have to re-authenticate — they can’t leave a session open overnight.

To an Engineering Team

Entra Conditional Access sign-in frequency: 1 hour for CUI apps. VPN session timeout: 1 hour idle. Token lifetime policy: 1 hour. 5-minute warning before termination.

---

Connected Requirements

Requirement	Why it matters here
3.1.10 — Lock the Screen	Lock pauses; this kills the session
3.13.9 — Kill Idle Network Connections	Terminating network connections after inactivity

---

Implementation (coming soon)

Step-by-step setup for Microsoft 365 / Entra ID, AWS, Azure, and GCP — console steps, CLI commands, and evidence screenshots.

---

CMMC Practice ID: AC.L2-3.1.11 | SPRS Weight: 1 point | POA&M Eligible: Yes