ISM-0428

Services are configured with a session lock that:
• activates after a maximum of 15 minutes of user inactivity, a maximum of 12 hours of overall session time or when manually activated by users
• blocks access to all session content
• requires users to re-authenticate using all authentication factors to unlock the session
• denies users the ability to disable the session locking mechanism.
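As an added illustration (not ISM text, and not any vendor's implementation), the following Python sketch models the Mar 2025 control as a session state machine: an idle trigger at 15 minutes, an absolute trigger at 12 hours of session age regardless of activity, a manual trigger, an unlock that is refused unless every authentication factor is re-presented, and no code path that lets a user switch the lock off. The factor set `{"password", "totp"}`, the function names and the timeline are assumptions constructed for the example; so is the design choice that a successful full re-authentication starts a new 12-hour window, which the control does not spell out.

```python
"""Session lock state machine for ISM-0428 (added example, not ISM text)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, Optional

IDLE_TIMEOUT = timedelta(minutes=15)      # maximum user inactivity before lock
MAX_SESSION_AGE = timedelta(hours=12)     # maximum overall session time before lock
# Assumed factor set for this illustrative service; the control only says "all factors".
REQUIRED_FACTORS = frozenset({"password", "totp"})


@dataclass
class Session:
    user: str
    authenticated_at: datetime      # start of the current 12-hour window
    last_activity: datetime
    locked: bool = False
    lock_reason: Optional[str] = None


def enforce_lock(s: Session, now: datetime) -> None:
    """Apply the two automatic triggers. Idempotent and never unlocks."""
    if s.locked:
        return
    if now - s.authenticated_at >= MAX_SESSION_AGE:
        s.locked, s.lock_reason = True, "max_age"   # fires even for an active user
    elif now - s.last_activity >= IDLE_TIMEOUT:
        s.locked, s.lock_reason = True, "idle"


def request(s: Session, now: datetime) -> bool:
    """Gate every access to session content; False means the lock blocked it."""
    enforce_lock(s, now)
    if s.locked:
        return False
    s.last_activity = now
    return True


def lock_now(s: Session, now: datetime) -> None:
    """Manual lock requested by the user."""
    enforce_lock(s, now)
    if not s.locked:
        s.locked, s.lock_reason = True, "manual"


def unlock(s: Session, presented_factors: Iterable[str], now: datetime) -> bool:
    """Unlock only if every required factor was re-presented.

    Assumed design choice: a full re-authentication is equivalent to a fresh
    login, so it restarts the 12-hour window.
    """
    if not s.locked:
        return True
    if not REQUIRED_FACTORS <= frozenset(presented_factors):
        return False                      # partial re-authentication is rejected
    s.locked, s.lock_reason = False, None
    s.authenticated_at = now
    s.last_activity = now
    return True


def disable_lock(s: Session) -> None:
    """Deliberately no path turns the mechanism off, whoever asks."""
    raise PermissionError("session locking cannot be disabled by users")


def run_sample_timeline() -> dict:
    """Constructed timeline (not real data) exercising each trigger once."""
    t0 = datetime(2025, 3, 1, 9, 0, tzinfo=timezone.utc)
    s = Session("alice", authenticated_at=t0, last_activity=t0)
    out = {}
    out["active_10m"] = request(s, t0 + timedelta(minutes=10))        # within idle limit
    out["idle_after_26m"] = request(s, t0 + timedelta(minutes=26))    # 16 min idle: blocked
    out["idle_reason"] = s.lock_reason
    t1 = t0 + timedelta(minutes=26)
    out["unlock_one_factor"] = unlock(s, ["password"], t1)            # refused
    out["unlock_all_factors"] = unlock(s, ["password", "totp"], t1)   # accepted, new window
    # Activity every 10 minutes keeps idle from firing; the 12-hour cap must still lock.
    replies = [request(s, t1 + timedelta(minutes=m)) for m in range(10, 12 * 60 + 10, 10)]
    out["active_until_12h"] = all(replies[:-1])
    out["locked_at_12h"] = replies[-1] is False
    out["max_age_reason"] = s.lock_reason
    t2 = t1 + timedelta(hours=12)
    unlock(s, REQUIRED_FACTORS, t2)
    lock_now(s, t2 + timedelta(minutes=1))
    out["manual_blocks"] = request(s, t2 + timedelta(minutes=2)) is False
    out["manual_reason"] = s.lock_reason
    try:
        disable_lock(s)
        out["disable_denied"] = False
    except PermissionError:
        out["disable_denied"] = True
    return out


if __name__ == "__main__":
    for k, v in run_sample_timeline().items():
        print(f"{k}: {v}")
```

The point the timeline makes that the control text alone does not: the absolute limit is independent of activity, so a user who never goes idle is still forced to re-present every factor at 12 hours, and an unlock attempt with only one factor leaves the session exactly where it was.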

Topic
Session locking
Applicable to
Non Classified, Official, Protected, Secret, Top Secret

History

Priority
must
Mar 2025
Services are configured with a session lock that:
• activates after a maximum of 15 minutes of user inactivity, a maximum of 12 hours of overall session time or when manually activated by users
• blocks access to all session content
• requires users to re-authenticate using all authentication factors to unlock the session
• denies users the ability to disable the session locking mechanism.
The existing control recommending that systems are configured with a session or screen lock that […] was amended to focus exclusively on session locking. This includes new recommendations that a maximum of 12 hours overall be adopted before session locking occurs (i.e. before forced re-authentication) and that users use all authentication factors when re-authenticating a session.
Dec 2022
Systems are configured with a session or screen lock that:
• activates after a maximum of 15 minutes of user inactivity, or if manually activated by users
• conceals all session content on the screen
• ensures that the screen does not enter a power saving state before the session or screen lock is activated
• requires users to authenticate to unlock the session
• denies users the ability to disable the session or screen locking mechanism.
Language from an existing control relating to session and screen locking was amended to ensure consistency with similar authentication-related controls.
Mar 2022
Systems are configured with a session or screen lock that:
• activates after a maximum of 15 minutes of user inactivity, or if manually activated by users
• conceals all session content on the screen
• ensures that the screen does not enter a power saving state before the session or screen lock is activated
• requires users to reauthenticate to unlock the session
• denies users the ability to disable the session or screen locking mechanism.
Miscellaneous changes were made to rationale and recommendations throughout the publication to clarify content without changing intent. This included a review from the Guidelines for System Hardening chapter through to the Guidelines for Data Transfers chapter.
Jun 2021
Systems are configured with a session or screen lock that:
• activates after a maximum of 15 minutes of user inactivity, or if manually activated by the user
• conceals all session content on the screen
• ensures that the screen does not enter a power saving state before the session or screen lock is activated
• requires the user to reauthenticate to unlock the system
• denies users the ability to disable the session or screen locking mechanism.
Security control 0428 was amended to note that only session content needs to be concealed (instead of all content) when a screen is locked (i.e. corporate lock screen backgrounds are acceptable).
Apr 2021
Systems are configured with a session or screen lock that:
• activates after a maximum of 15 minutes of user inactivity or if manually activated by the user
• completely conceals all information on the screen
• ensures that the screen does not enter a power saving state before the screen or session lock is activated
• requires the user to reauthenticate to unlock the system
• denies users the ability to disable the session or screen locking mechanism.
2017
Agencies must configure systems with a session or screen lock that:
• activates either after a maximum of 15 minutes of user inactivity or if manually activated by the user
• completely conceals all information on the screen
• ensures that the screen does not enter a power saving state before the screen or session lock is activated
• requires the user to reauthenticate to unlock the system
• denies users the ability to disable the session or screen locking mechanism.
Control text changed. No public explanation.
2015
Agencies must configure systems with a session or screen lock which:
• activates either after a maximum of 15 minutes of user inactivity or if manually activated by the user
• completely conceals all information on the screen
• ensures that the screen does not enter a power saving state before the screen or session lock is activated
• requires the user to reauthenticate to unlock the system
• denies users the ability to disable the session or screen locking mechanism.
2010
Agencies must:
• configure systems with a session or screen lock
• configure the lock to activate either:
– after a maximum of 10 minutes of system user inactivity
– if manually activated by the system user
• configure the lock to completely conceal all information on the screen
• ensure the screen is not turned off or enters a power saving state before the screen or session lock is activated
• have the system user reauthenticate to unlock the system
• deny system users the ability to disable the locking mechanism.