
AC-11 Device Lock

IL4 Mod
IL4 High
IL5
IL6

>Control Description

a. Prevent further access to the system by [Selection (one or more): initiating a device lock after organization-defined time period of inactivity; requiring the user to initiate a device lock before leaving the system unattended]; and

b. Retain the device lock until the user reestablishes access using established identification and authentication procedures.

>DoD Impact Level Requirements

FedRAMP Parameter Values

AC-11 (a) [fifteen (15) minutes]; requiring the user to initiate a device lock before leaving the system unattended

>Discussion

Device locks are temporary actions taken to prevent logical access to organizational systems when users stop work and move away from the immediate vicinity of those systems but do not want to log out because of the temporary nature of their absences. Device locks can be implemented at the operating system level or at the application level. A proximity lock may be used to initiate the device lock (e.g., via a Bluetooth-enabled device or dongle).

User-initiated device locking is behavior or policy-based and, as such, requires users to take physical action to initiate the device lock. Device locks are not an acceptable substitute for logging out of systems, such as when organizations require users to log out at the end of workdays.

>Programmatic Queries


Related Services

WorkSpaces
AppStream
SSM

CLI Commands

Check WorkSpaces running mode and AutoStop timeout (WorkspaceCreationProperties carries no timeout field; the timeout lives in WorkspaceProperties)
aws workspaces describe-workspaces --query 'Workspaces[*].{Id:WorkspaceId,RunningMode:WorkspaceProperties.RunningMode,AutoStopMinutes:WorkspaceProperties.RunningModeAutoStopTimeoutInMinutes}'
Get AppStream fleet idle timeout
aws appstream describe-fleets --query 'Fleets[*].{Name:Name,IdleTimeout:IdleDisconnectTimeoutInSeconds,MaxSession:MaxUserDurationInSeconds}'
Check EC2 instance hibernation support
aws ec2 describe-instances --query 'Reservations[*].Instances[*].{Id:InstanceId,Hibernate:HibernationOptions.Configured}'
List SSM Session Manager idle timeout
aws ssm get-document --name SSM-SessionManagerRunShell --query 'Content' --output text | grep -i timeout
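The AppStream query above returns raw timeout values; the following added example (not part of this page's tooling) evaluates that output against the FedRAMP AC-11(a) parameter of fifteen minutes, flagging fleets whose idle disconnect is missing, disabled (AppStream treats 0 as "never disconnect on idle"), or longer than 900 seconds. The fleet names and values are constructed sample data.

```python
import json

# FedRAMP parameter for AC-11(a): device lock after fifteen (15) minutes of inactivity.
MAX_IDLE_SECONDS = 15 * 60

# Constructed sample of `aws appstream describe-fleets` output; not captured from a real account.
SAMPLE_DESCRIBE_FLEETS = json.dumps({
    "Fleets": [
        {"Name": "finance-fleet", "IdleDisconnectTimeoutInSeconds": 600,
         "DisconnectTimeoutInSeconds": 300, "MaxUserDurationInSeconds": 36000},
        {"Name": "dev-fleet", "IdleDisconnectTimeoutInSeconds": 3600,
         "DisconnectTimeoutInSeconds": 900, "MaxUserDurationInSeconds": 57600},
        # In AppStream a value of 0 disables idle disconnect, so this fleet never locks on inactivity.
        {"Name": "kiosk-fleet", "IdleDisconnectTimeoutInSeconds": 0,
         "DisconnectTimeoutInSeconds": 60, "MaxUserDurationInSeconds": 3600},
    ]
})


def evaluate_fleets(describe_fleets_json, max_idle_seconds=MAX_IDLE_SECONDS):
    """Return {fleet_name: finding} for fleets that do not meet the AC-11 idle parameter.

    A fleet passes when its idle disconnect is enabled (non-zero) and fires within
    max_idle_seconds. A missing key is reported as not configured.
    """
    findings = {}
    for fleet in json.loads(describe_fleets_json).get("Fleets", []):
        name = fleet.get("Name", "<unnamed>")
        idle = fleet.get("IdleDisconnectTimeoutInSeconds")
        if idle is None:
            findings[name] = "idle disconnect not configured"
        elif idle == 0:
            findings[name] = "idle disconnect disabled (0)"
        elif idle > max_idle_seconds:
            findings[name] = f"idle disconnect {idle}s exceeds {max_idle_seconds}s"
    return findings


if __name__ == "__main__":
    import sys
    # Evaluate real CLI output when piped in; otherwise fall back to the constructed sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DESCRIBE_FLEETS
    for name, finding in evaluate_fleets(data).items():
        print(f"NONCOMPLIANT {name}: {finding}")
```

In practice, run `aws appstream describe-fleets | python3 check_ac11.py` (the script name is a placeholder) and keep the report as assessment evidence.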

>Related Controls

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What formal policies and procedures govern the implementation of AC-11 (Device Lock)?
  • Who are the designated roles responsible for implementing, maintaining, and monitoring AC-11?
  • How frequently is the AC-11 policy reviewed and updated, and what triggers policy changes?
  • What training or awareness programs ensure personnel understand their responsibilities related to AC-11?

Technical Implementation:

  • Describe the specific technical mechanisms or controls used to enforce AC-11 requirements.
  • What automated tools, systems, or technologies are deployed to implement AC-11?
  • How is AC-11 integrated into your system architecture and overall security posture?
  • What configuration settings, parameters, or technical specifications enforce AC-11 requirements?

Evidence & Documentation:

  • What documentation demonstrates the complete implementation of AC-11?
  • What audit logs, records, reports, or monitoring data validate AC-11 compliance?
  • Can you provide evidence of periodic reviews, assessments, or testing of AC-11 effectiveness?
  • What artifacts would you present during a FedRAMP assessment to demonstrate AC-11 compliance?
