3.13.9—System and Communications Protection - Derived
Derived Requirement
>Control Description
Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity.
>Discussion
This requirement applies to internal and external networks. Terminating network connections associated with communications sessions includes de-allocating the associated TCP/IP address or port pairs at the operating system level, or de-allocating networking assignments at the application level if multiple application sessions share a single operating system-level network connection. Time periods of user inactivity may be established by organizations and may include time periods by type of network access or for specific network accesses.
>Cross-Framework Mappings
>Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- What policies govern terminating network connections at session end?
- What procedures ensure complete session termination?
- Who is responsible for implementing session termination controls?
- What governance ensures sessions don't persist inappropriately?
- What training addresses proper session logout?
Technical Implementation:
- How do you ensure network connections terminate on logout?
- What technical mechanisms invalidate sessions fully?
- How do you clear session state and tokens on termination?
- What monitoring verifies sessions are properly ended?
- What controls prevent session hijacking after logout?
Evidence & Documentation:
- Can you demonstrate session termination implementation?
- What logs show network connection termination on logout?
- Can you provide testing results proving full session termination?
- What evidence shows session state is cleared appropriately?
- What audit findings verify session termination compliance?
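The Discussion above describes application-level de-allocation of session assignments after a defined inactivity period, and the Technical Implementation questions ask how tokens are invalidated and session state cleared on termination. The following is an added illustration, not part of the NIST control text or any product's code: an in-memory session registry that expires sessions after an organization-defined idle period (assumed here to be 15 minutes), clears their state on termination, and records each termination with a truncated token so the audit log itself never stores the secret. The `FakeClock` class is an assumed test helper so the idle timeout can be exercised without waiting; OS-level TCP teardown is outside this example.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Assumed organization-defined inactivity period (15 minutes); 3.13.9 leaves the value to the organization.
IDLE_TIMEOUT_SECONDS = 900


@dataclass
class Session:
    token: str
    user: str
    last_activity: float
    state: dict = field(default_factory=dict)


class SessionStore:
    """Application-level session registry enforcing explicit and idle-timeout termination."""

    def __init__(self, idle_timeout: float = IDLE_TIMEOUT_SECONDS,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._sessions: Dict[str, Session] = {}
        self._idle_timeout = idle_timeout
        self._clock = clock
        self.audit_log: List[str] = []  # evidence an assessor can inspect

    def create(self, user: str) -> str:
        token = secrets.token_urlsafe(32)  # unpredictable session identifier
        self._sessions[token] = Session(token, user, self._clock())
        self._log("created", user, token)
        return token

    def touch(self, token: str) -> Optional[Session]:
        """Validate a presented token on each request; idle sessions are reaped first."""
        self.sweep()
        session = self._sessions.get(token)
        if session is None:
            return None  # unknown, expired, or already logged out
        session.last_activity = self._clock()
        return session

    def terminate(self, token: str, reason: str = "logout") -> bool:
        """Remove the session, clear its state, and record the event. Idempotent."""
        session = self._sessions.pop(token, None)
        if session is None:
            return False
        session.state.clear()  # no residual server-side state after termination
        self._log(f"terminated:{reason}", session.user, token)
        return True

    def sweep(self) -> int:
        """Terminate every session whose inactivity reached the defined period."""
        now = self._clock()
        expired = [t for t, s in self._sessions.items()
                   if now - s.last_activity >= self._idle_timeout]
        for token in expired:
            self.terminate(token, reason="idle-timeout")
        return len(expired)

    def _log(self, event: str, user: str, token: str) -> None:
        # Log only a token prefix; the full value must never appear in evidence artifacts.
        self.audit_log.append(f"{event} user={user} token={token[:8]}...")


class FakeClock:
    """Assumed test helper: a controllable clock so idle timeouts can be exercised offline."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def run_demo() -> dict:
    """Walk one session through activity, idle expiry, and a post-logout reuse attempt."""
    clock = FakeClock()
    store = SessionStore(idle_timeout=IDLE_TIMEOUT_SECONDS, clock=clock)
    token = store.create("alice")
    clock.advance(100)
    valid_after_activity = store.touch(token) is not None
    clock.advance(IDLE_TIMEOUT_SECONDS)          # no requests for the whole idle period
    valid_after_idle = store.touch(token) is not None
    token2 = store.create("bob")
    store.terminate(token2)                      # explicit logout
    reuse_after_logout = store.touch(token2) is not None
    return {
        "valid_after_activity": valid_after_activity,
        "valid_after_idle": valid_after_idle,
        "reuse_after_logout": reuse_after_logout,
        "audit_events": len(store.audit_log),
    }


if __name__ == "__main__":
    print(run_demo())
```

The sweep runs on every validation rather than only on a background timer, so a token presented after the idle period is rejected even if no scheduled cleanup has fired yet; `terminate` returning `False` on a second call is the behaviour an assessor would look for when asking whether a token can be replayed after logout.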