SC.L2-3.13.9

SC.L2-3.13.9: Network Disconnect

Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity.

An abandoned session is a security risk: an idle RDP, VPN or SSH connection, or an unlocked console, can be picked up by whoever reaches it next. SC.L2-3.13.9 requires that the network connection behind a session be terminated when the user logs off or after a defined period of inactivity. Note the wording: it is about the connection, not only the screen. A locked workstation satisfies session lock (AC.L2-3.1.10) but its remote sessions stay open, so for this practice the assessor wants to see idle remote and network sessions actually disconnected. The assessor will check your session timeout policy and verify it is enforced. It complements AC.L2-3.1.10 (session lock) and AC.L2-3.1.11 (session termination) in the Access Control family.

Family: System and Communications Protection
Practice: SC.L2-3.13.9
Difficulty: Easy
Key evidence: Session timeout policy, Group Policy screenshots, configuration verification

What the assessor is actually evaluating

The assessor will check:

  1. Documented session timeout policy: Your policy should state the inactivity period (typically 15-30 minutes; NIST SP 800-171 leaves the period organization-defined) and may set different periods for different connection types, for example console versus RDP versus VPN.

  2. Technical implementation: Group Policy settings, registry values, or application and remote-access configurations should enforce the documented period. The configured value must match the number written in the policy and the SSP.

  3. Verification: The assessor may test by leaving a session idle and observing whether it disconnects or locks, or may review configuration screenshots from sampled systems.

What a realistic SSP definition looks like

Policy: “The organization terminates idle sessions automatically. Interactive (console) sessions time out after 20 minutes of inactivity. RDP and remote access sessions time out after 30 minutes of inactivity, and all network connections are terminated when a session ends. Session timeout is enforced via Group Policy and system configuration on all in-scope systems.”

Supporting details:

  • Interactive session timeout: Group Policy sets “Interactive logon: Machine inactivity limit” (Security Settings > Local Policies > Security Options) to 1200 seconds (20 minutes). At the limit Windows locks the session; it does not end it. The setting is stored as InactivityTimeoutSecs under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.
  • RDP session timeout: Remote Desktop Services policy (Remote Desktop Session Host > Session Time Limits) sets “Set time limit for active but idle Remote Desktop Services sessions” to 30 minutes. Pair it with “End session when time limits are reached” if you want the idle session logged off rather than left disconnected on the host.
  • Other network sessions: If VPN gateways, SSH servers (ClientAliveInterval and ClientAliveCountMax in sshd_config) or web applications are in scope, their idle-timeout settings are the ones that actually drop the connection, so document them alongside the Windows settings.
  • Screen lock at timeout: When a console session hits the inactivity limit, the workstation locks and the user must reauthenticate.
  • Enforcement: The timeout settings are deployed via Group Policy to all in-scope systems, so users cannot change them locally.

How to present your evidence

  • Session timeout policy document: Describes the timeout requirements and technical implementation.
  • Group Policy screenshots: Show the “Interactive logon: Machine inactivity limit” policy and its value. Show the RDP session time limit settings, and any VPN or SSH idle-timeout configuration, if applicable.
  • System configuration verification: On a sampled system, show the registry value or system setting that enforces the timeout (e.g., Registry Editor showing InactivityTimeoutSecs under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, or the output of gpresult showing the policy applied).
  • Testing evidence: If possible, leave a session idle for the timeout period and document that it disconnects or locks.
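
The following script is an added example, not code from this guide or from any official CMMC material. It reads the registry values behind the two Group Policy settings named in the sample SSP above and reports, for each sampled system, whether the configured limits match the documented ones, which is the “configuration verification” evidence described in the list above. The expected limits (1200 seconds for the inactivity limit, 30 minutes for idle RDP sessions) are taken from the sample SSP text; the computer names you pass in are placeholders for your own sampled systems.

```powershell
# Added example, not from the page or any official CMMC material: read the
# registry values behind the Group Policy settings named in the sample SSP and
# report whether each sampled system matches the documented limits.
# Assumptions (hypothetical): 1200 s (20 min) interactive inactivity limit and
# 30 min idle RDP limit, as in the sample SSP; computer names are placeholders.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [int]$ExpectedInactivitySecs = 1200,   # "Interactive logon: Machine inactivity limit"
    [int]$ExpectedRdpIdleMinutes = 30      # "Set time limit for active but idle RDS sessions"
)

$check = {
    param([int]$InactivityLimit, [int]$RdpIdleMinutes)

    # Interactive logon: Machine inactivity limit -> InactivityTimeoutSecs (seconds).
    # Missing or 0 means the limit is not enforced and the console never locks.
    $sysPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $inactivity = (Get-ItemProperty -Path $sysPath -Name InactivityTimeoutSecs `
                   -ErrorAction SilentlyContinue).InactivityTimeoutSecs

    # Remote Desktop Session Host > Session Time Limits:
    #   MaxIdleTime  (milliseconds) -> "Set time limit for active but idle RDS sessions"
    #   fResetBroken (1)            -> "End session when time limits are reached"
    # Without fResetBroken the idle session is only disconnected; the logon stays
    # on the host until the disconnected-session limit, if any, expires.
    $tsPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $ts = Get-ItemProperty -Path $tsPath -ErrorAction SilentlyContinue
    $rdpIdleMin = if ($ts.MaxIdleTime) { [math]::Round($ts.MaxIdleTime / 60000, 1) } else { $null }

    $findings = @()
    if (-not $inactivity) {
        $findings += 'no machine inactivity limit (console sessions never lock)'
    } elseif ($inactivity -gt $InactivityLimit) {
        $findings += "inactivity limit is $inactivity s, policy requires <= $InactivityLimit s"
    }
    if (-not $rdpIdleMin) {
        $findings += 'no RDS idle session limit (idle RDP sessions never disconnect)'
    } elseif ($rdpIdleMin -gt $RdpIdleMinutes) {
        $findings += "RDS idle limit is $rdpIdleMin min, policy requires <= $RdpIdleMinutes min"
    }

    [pscustomobject]@{
        Computer              = $env:COMPUTERNAME
        InactivityTimeoutSecs = $inactivity
        RdpIdleLimitMinutes   = $rdpIdleMin
        RdpEndSessionOnLimit  = ($ts.fResetBroken -eq 1)
        Compliant             = ($findings.Count -eq 0)
        Findings              = ($findings -join '; ')
    }
}

# The local system is checked directly; remote systems go over WinRM
# (Invoke-Command needs PowerShell remoting enabled and admin rights there).
# Pipe $results to Export-Csv to keep a copy as sampled-system evidence.
$results = foreach ($c in $ComputerName) {
    if ($c -eq $env:COMPUTERNAME) {
        & $check $ExpectedInactivitySecs $ExpectedRdpIdleMinutes
    } else {
        Invoke-Command -ComputerName $c -ScriptBlock $check `
            -ArgumentList $ExpectedInactivitySecs, $ExpectedRdpIdleMinutes
    }
}
$results | Format-Table Computer, InactivityTimeoutSecs, RdpIdleLimitMinutes,
    RdpEndSessionOnLimit, Compliant, Findings -AutoSize
```

Run it as an administrator against a handful of sampled systems (for example `.\Check-SessionTimeout.ps1 -ComputerName WS01, WS02, RDS01`, where the script name and hosts are placeholders). A row with Compliant = False, together with its Findings text, is exactly the “configured but not enforced” gap described under Common failures, and the saved output from several systems is the consistency evidence the assessor asks for.
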

Assessment room tips

Keep answers short. Show the evidence, don't describe it. Let the assessor drive. For more on how to present in the assessment room, see How to Present Evidence in the Assessment Room.

Assessor: “What is your session timeout policy? How long can a user’s session be idle before it disconnects?”

You: “Console sessions time out after 20 minutes of inactivity, RDP and remote access sessions after 30. Both are set via Group Policy on all in-scope systems.” [Pull up the Group Policy screenshot showing the inactivity timeout value]

Assessor: “Show me the configuration on a system.”

You: [Open Group Policy Editor or Registry Editor on a system and show the timeout setting is applied]

Assessor: “What happens after the timeout?”

You: “The workstation locks and the user must reauthenticate. Idle RDP and remote access sessions are disconnected.” [If time permits, demonstrate by leaving a terminal idle]

Common failures

No session timeout configured: Sessions remain active indefinitely. A user walks away from a logged-in computer or an open remote session and an attacker can use it.

Timeout is too long: A policy exists, but the period is 2-8 hours. NIST SP 800-171 does not prescribe a number, but a period measured in hours leaves an abandoned session exposed for most of a working day and assessors will question it; 15-30 minutes is the common standard.

Screen lock only: The console locks after inactivity, but RDP, VPN or other remote sessions stay connected. That satisfies session lock, not this practice, which asks for the network connection to be terminated.

Timeout is configured but not enforced: The Group Policy exists, but it is not applied to all in-scope systems. Some systems have no timeout, or users have overridden it locally.

What passes

Clear session timeout policy: All in-scope systems time out after 15-30 minutes of inactivity. The timeout is enforced via Group Policy (or the equivalent central configuration) rather than a local setting, so users cannot change or bypass it.

Consistent implementation: Configuration is verified on multiple sampled systems, and the values found match the numbers written in the policy and the SSP.


If you use an MSP/MSSP

If your MSP manages systems, confirm the MSP is enforcing the session timeout policy you documented. Request evidence that the Group Policy is applied to all managed systems (for example a gpresult report or a configuration export from sampled machines) and that any VPN or remote-access gateway they run has a matching idle timeout. Verify that the configured durations align with the numbers in your policy and SSP; an MSP default that differs from your documented period is a finding even if it is shorter.


This guide is for reference only and does not replace official CMMC documentation or professional compliance advice.

New practice breakdowns and assessment tips every week. Follow on Substack to stay current as the November 2026 deadline gets closer.