CMMC Practice AC.L2-3.1.10

Session Lock: Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity.

Monarch ISC Guidance

The easiest way to comply with this practice is to enable locking screen savers on user workstations. If you use Active Directory, you can use group policy to enable this setting, dictate how long the session can be idle before the screen saver kicks in, and require users to re-enter their password to unlock their workstation. Don't forget to train your users to manually lock their workstations when they walk away too!

Discussion From Source

NIST SP 800-171 R2 Session locks are temporary actions taken when users stop work and move away from the immediate vicinity of the system but do not want to log out because of the temporary nature of their absences. Session locks are implemented where session activities can be determined, typically at the operating system level (but can also be at the application level). Session locks are not an acceptable substitute for logging out of the system, for example, if organizations require users to log out at the end of the workday. Pattern-hiding displays can include static or dynamic images, for example, patterns used with screen savers, photographic images, solid colors, clock, battery life indicator, or a blank screen, with the additional caveat that none of the images convey controlled unclassified information.

References