Navigate

AC-2(5)

AC-2(5): Inactivity Logout

Require that users log out when [the time period of expected inactivity or description of when to log out is defined;].

Supplemental

Inactivity logout is behavior- or policy-based and requires users to take physical action to log out when they are expecting inactivity longer than the defined period. Automatic enforcement of inactivity logout is addressed by [AC-11](#ac-11).

CIA Levels
Confidentiality	low
Integrity	low
Availability	low

Overlays
CMMC, DAF Baseline, Privacy (high), Privacy (moderate)

CSF Categories
None

Related Controls

The controls below (if any) were marked by NIST as being related to AC-2(5).

Control	Description
AC-11	a: Prevent further access to the system by [one or more of "initiating a device lock after {{ insert: param, ac-11_odp.02 }} of inactivity"/"requiring the user to initiate a device lock before leaving the system unattended"] ; and b: Retain the device lock until the user reestablishes access using established identification and authentication procedures.

Enhancements

The controls below (if any) add on to the requirements of AC-2(5).

Control	Description
No controls

Related CCIs

The CCIs below are tied to AC-2(5).

CCI	Definition
CCI-000019	Require that users log out in accordance with the organization-defined time-period of expected inactivity or description of when to log out.
CCI-001406	Defines a time period of expected inactivity when users are required to log out.
CCI-002133	Defines other conditions when users are required to log out.