SC-23(1)—Session Authenticity | Invalidate Session Identifiers at Logout
IL5
IL6
>Control Description
Invalidate session identifiers upon user logout or other session termination.
>DoD Impact Level Requirements
No specific parameter values or requirements for this impact level.
>Discussion
Invalidating session identifiers at logout curtails the ability of adversaries to capture and continue to employ previously valid session IDs.
>Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- •What policies govern the implementation of invalidate session identifiers at logout?
- •How are system and communications protection requirements defined and maintained?
- •Who is responsible for configuring and maintaining the security controls specified in SC-23(1)?
Technical Implementation:
- •How is invalidate session identifiers at logout technically implemented in your environment?
- •What systems, tools, or configurations enforce this protection requirement?
- •How do you ensure that invalidate session identifiers at logout remains effective as the system evolves?
- •How are session timeouts and termination controls configured?
Evidence & Documentation:
- •What documentation demonstrates the implementation of SC-23(1)?
- •Can you provide configuration evidence or system diagrams showing this protection control?
- •What logs or monitoring data verify that this control is functioning correctly?
- •Can you show session management configuration settings?
Ask AI
Configure your API key to use AI features.