STIGhub

CCI-000056

Definition

Retain the device lock until the user reestablishes access using established identification and authentication procedures.

Parent Control

AC-11 | Device Lock | Access Control

Linked STIG Checks (79)

Check ID | Severity | Title | STIG

  • V-268087 | CAT II | NixOS must provide the capability for users to directly initiate a session lock for all connection types. | Anduril NixOS Security Technical Implementation Guide
  • V-252436 | CAT II | The macOS system must be configured to prevent Apple Watch from terminating a session lock. | Apple macOS 12 (Monterey) Security Technical Implementation Guide
  • V-252437 | CAT II | The macOS system must retain the session lock until the user reestablishes access using established identification and authentication procedures. | Apple macOS 12 (Monterey) Security Technical Implementation Guide
  • V-252438 | CAT II | The macOS system must initiate the session lock no more than five seconds after a screen saver is started. | Apple macOS 12 (Monterey) Security Technical Implementation Guide
  • V-257142 | CAT II | The macOS system must be configured to prevent Apple Watch from terminating a session lock. | Apple macOS 13 (Ventura) Security Technical Implementation Guide
  • V-257143 | CAT II | The macOS system must retain the session lock until the user reestablishes access using established identification and authentication procedures. | Apple macOS 13 (Ventura) Security Technical Implementation Guide
  • V-257144 | CAT II | The macOS system must initiate the session lock no more than five seconds after a screen saver is started. | Apple macOS 13 (Ventura) Security Technical Implementation Guide
  • V-259418 | CAT II | The macOS system must prevent Apple Watch from terminating a session lock. | Apple macOS 14 (Sonoma) Security Technical Implementation Guide
  • V-259419 | CAT II | The macOS system must enforce screen saver password. | Apple macOS 14 (Sonoma) Security Technical Implementation Guide
  • V-259420 | CAT II | The macOS system must enforce session lock no more than five seconds after screen saver is started. | Apple macOS 14 (Sonoma) Security Technical Implementation Guide
  • V-259517 | CAT II | The macOS system must disable TouchID for unlocking the device. | Apple macOS 14 (Sonoma) Security Technical Implementation Guide
  • V-268420 | CAT II | The macOS system must prevent Apple Watch from terminating a session lock. | Apple macOS 15 (Sequoia) Security Technical Implementation Guide
  • V-268421 | CAT II | The macOS system must enforce screen saver password. | Apple macOS 15 (Sequoia) Security Technical Implementation Guide
  • V-268422 | CAT II | The macOS system must enforce session lock no more than five seconds after screen saver is started. | Apple macOS 15 (Sequoia) Security Technical Implementation Guide
  • V-268516 | CAT II | The macOS system must disable TouchID for unlocking the device. | Apple macOS 15 (Sequoia) Security Technical Implementation Guide
  • V-277028 | CAT II | The macOS system must prevent Apple Watch from terminating a session lock. | Apple macOS 26 (Tahoe) Security Technical Implementation Guide
  • V-277029 | CAT II | The macOS system must enforce screen saver password. | Apple macOS 26 (Tahoe) Security Technical Implementation Guide
  • V-277030 | CAT II | The macOS system must enforce session lock no more than five seconds after screen saver is started. | Apple macOS 26 (Tahoe) Security Technical Implementation Guide
  • V-277125 | CAT II | The macOS system must disable TouchID for unlocking the device. | Apple macOS 26 (Tahoe) Security Technical Implementation Guide
  • V-205054 | CAT II | The ALG providing user access control intermediary services must retain the session lock until the user reestablishes access using established identification and authentication procedures. | Application Layer Gateway Security Requirements Guide
  • V-38703 | CAT II | BlackBerry PlayBook OS must retain the lock work space until the user reestablishes access using established identification and authentication procedures. | BlackBerry PlayBook OS V2.1 Security Technical Implementation Guide
  • V-38704 | CAT II | BlackBerry PlayBook OS must retain the device lock until the user reestablishes access using established identification and authentication procedures. | BlackBerry PlayBook OS V2.1 Security Technical Implementation Guide
  • V-219302 | CAT II | The Ubuntu operating system must retain a users session lock until that user reestablishes access using established identification and authentication procedures. | Canonical Ubuntu 18.04 LTS Security Technical Implementation Guide
  • V-238199 | CAT II | The Ubuntu operating system must retain a user's session lock until that user reestablishes access using established identification and authentication procedures. | Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide
  • V-260537 | CAT II | Ubuntu 22.04 LTS must retain a user's session lock until that user reestablishes access using established identification and authentication procedures. | Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide
  • V-270679 | CAT II | Ubuntu 24.04 LTS must prevent a user from overriding the disabling of the graphical user interface automount function. | Canonical Ubuntu 24.04 LTS Security Technical Implementation Guide
  • V-274873 | CAT II | Ubuntu 24.04 LTS must prevent a user from overriding the disabling of the graphical user smart card removal action. | Canonical Ubuntu 24.04 LTS Security Technical Implementation Guide
  • V-269109 | CAT II | AlmaLinux OS 9 must be able to directly initiate a session lock for all connection types using smart card when the smart card is removed. | Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide
  • V-269110 | CAT II | AlmaLinux OS 9 must prevent a user from overriding the disabling of the graphical user smart card removal action. | Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide
  • V-203598 | CAT II | The operating system must retain a users session lock until that user reestablishes access using established identification and authentication procedures. | General Purpose Operating System Security Requirements Guide
  • V-215187 | CAT II | AIX must provide the lock command to let users retain their session lock until users are reauthenticated. | IBM AIX 7.x Security Technical Implementation Guide
  • V-215188 | CAT II | AIX must provide xlock command in the CDE environment to let users retain their sessions lock until users are reauthenticated. | IBM AIX 7.x Security Technical Implementation Guide
  • V-223573 | CAT II | IBM z/OS must employ a session manager to manage retaining a users session lock until that user reestablishes access using established identification and authentication procedures. | IBM z/OS ACF2 Security Technical Implementation Guide
  • V-223797 | CAT II | IBM z/OS must employ a session manager to manage retaining a users session lock until that user reestablishes access using established identification and authentication procedures. | IBM z/OS RACF Security Technical Implementation Guide
  • V-224034 | CAT II | IBM z/OS must employ a session manager to manage retaining a users session lock until that user reestablishes access using established identification and authentication procedures. | IBM z/OS TSS Security Technical Implementation Guide
  • V-205443 | CAT II | The Mainframe Product must retain the session lock until the user reestablishes access using established identification and authentication procedures. | Mainframe Product Security Requirements Guide
  • V-220869 | CAT II | Windows 10 must be configured to prevent Windows apps from being activated by voice while the system is locked. | Microsoft Windows 10 Security Technical Implementation Guide
  • V-253422 | CAT II | Windows 11 must be configured to prevent Windows apps from being activated by voice while the system is locked. | Microsoft Windows 11 Security Technical Implementation Guide
  • V-205633 | CAT II | Windows Server 2019 machine inactivity limit must be set to 15 minutes or less, locking the system with the screen saver. | Microsoft Windows Server 2019 Security Technical Implementation Guide
  • V-254456 | CAT II | Windows Server 2022 machine inactivity limit must be set to 15 minutes or less, locking the system with the screen saver. | Microsoft Windows Server 2022 Security Technical Implementation Guide
  • V-278206 | CAT II | Windows Server 2025 machine inactivity limit must be set to 15 minutes or less, locking the system with the screen saver. | Microsoft Windows Server 2025 Security Technical Implementation Guide
  • V-202009 | CAT II | The network device must retain the session lock until the administrator reestablishes access using established identification and authentication procedures. | Network Device Management Security Requirements Guide
  • V-279529 | CAT II | Nutanix OS must set the value of "lock-after-time" to 890 seconds for remote access sessions. | Nutanix Acropolis GPOS Security Technical Implementation Guide
  • V-221657 | CAT II | The Oracle Linux operating system must enable a user session lock until that user re-establishes access using established identification and authentication procedures. | Oracle Linux 7 Security Technical Implementation Guide
  • V-248671 | CAT II | OL 8 must enable a user session lock until that user reestablishes access using established identification and authentication procedures for graphical user sessions. | Oracle Linux 8 Security Technical Implementation Guide
  • V-248678 | CAT II | OL 8 must enable a user session lock until that user reestablishes access using established identification and authentication procedures for command line sessions. | Oracle Linux 8 Security Technical Implementation Guide
  • V-248679 | CAT II | OL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | Oracle Linux 8 Security Technical Implementation Guide
  • V-271681 | CAT II | OL 9 must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface. | Oracle Linux 9 Security Technical Implementation Guide
  • V-271684 | CAT II | OL 9 must prevent a user from overriding the disabling of the graphical user smart card removal action. | Oracle Linux 9 Security Technical Implementation Guide
  • V-271690 | CAT II | OL 9 must be able to directly initiate a session lock for all connection types using smart card when the smart card is removed. | Oracle Linux 9 Security Technical Implementation Guide
  • V-281276 | CAT II | RHEL 10 must prevent a user from overriding the disabling of the graphical user smart card removal action. | Red Hat Enterprise Linux 10 Security Technical Implementation Guide
  • V-281277 | CAT II | RHEL 10 must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface. | Red Hat Enterprise Linux 10 Security Technical Implementation Guide
  • V-204396 | CAT II | The Red Hat Enterprise Linux operating system must enable a user session lock until that user re-establishes access using established identification and authentication procedures. | Red Hat Enterprise Linux 7 Security Technical Implementation Guide
  • V-230347 | CAT II | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions. | Red Hat Enterprise Linux 8 Security Technical Implementation Guide
  • V-230351 | CAT II | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | Red Hat Enterprise Linux 8 Security Technical Implementation Guide
  • V-258019 | CAT II | RHEL 9 must be able to initiate directly a session lock for all connection types using smart card when the smart card is removed. | Red Hat Enterprise Linux 9 Security Technical Implementation Guide
  • V-258020 | CAT II | RHEL 9 must prevent a user from overriding the disabling of the graphical user smart card removal action. | Red Hat Enterprise Linux 9 Security Technical Implementation Guide
  • V-258021 | CAT II | RHEL 9 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions. | Red Hat Enterprise Linux 9 Security Technical Implementation Guide
  • V-258022 | CAT II | RHEL 9 must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface. | Red Hat Enterprise Linux 9 Security Technical Implementation Guide
  • V-275628 | CAT II | Ubuntu OS must retain a user's session lock until that user reestablishes access using established identification and authentication procedures. | Riverbed NetIM OS Security Technical Implementation Guide
  • V-261276 | CAT II | SLEM 5 must use vlock to allow for session locking. | SUSE Linux Enterprise Micro (SLEM) 5 Security Technical Implementation Guide
  • V-217107 | CAT II | The SUSE operating system must be able to lock the graphical user interface (GUI). | SUSE Linux Enterprise Server 12 Security Technical Implementation Guide
  • V-217108 | CAT III | The SUSE operating system must utilize vlock to allow for session locking. | SUSE Linux Enterprise Server 12 Security Technical Implementation Guide
  • V-216336 | CAT II | The system must require users to re-authenticate to unlock a graphical desktop environment. | Solaris 11 SPARC Security Technical Implementation Guide
  • V-216101 | CAT II | The system must require users to re-authenticate to unlock a graphical desktop environment. | Solaris 11 X86 Security Technical Implementation Guide
  • V-241005 | CAT II | Common Access Card (CAC)-based authentication must be enabled and enforced on the Tanium Server for all access and all accounts. | Tanium 7.0 Security Technical Implementation Guide
  • V-234066 | CAT II | Common Access Card (CAC)-based authentication must be enabled and enforced on the Tanium Server for all access and all accounts. | Tanium 7.3 Security Technical Implementation Guide
  • V-254897 | CAT II | Multifactor authentication must be enabled and enforced on the Tanium Server for all access and all accounts. | Tanium 7.x Application on TanOS Security Technical Implementation Guide
  • V-253828 | CAT II | Multifactor authentication must be enabled and enforced on the Tanium Server for all access and all accounts. | Tanium 7.x Security Technical Implementation Guide
  • V-252948 | CAT II | TOSS must retain a user's session lock until that user reestablishes access using established identification and authentication procedures. | Tri-Lab Operating System Stack (TOSS) 4 Security Technical Implementation Guide
  • V-282372 | CAT II | TOSS 5 must directly initiate a session lock for all connection types when the smart card is removed. | Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide
  • V-282373 | CAT II | TOSS 5 must prevent a user from overriding the disabling of the graphical user smart card removal action. | Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide
  • V-282374 | CAT II | TOSS 5 must enable a user session lock until that user reestablishes access using established identification and authentication procedures for graphical user sessions. | Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide
  • V-282375 | CAT II | TOSS 5 must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface. | Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide
  • V-282376 | CAT II | TOSS 5 must have the tmux package installed. | Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide
  • V-234279 | CAT II | The MDM server must retain the session lock until the user reestablishes access using established identification and authentication procedures. | Unified Endpoint Management Server Security Requirements Guide
  • V-207346 | CAT II | The VMM must retain the session lock until the user reestablishes access using established identification and authentication procedures. | Virtual Machine Manager Security Requirements Guide
  • V-92961 | CAT II | Windows Server 2019 machine inactivity limit must be set to 15 minutes or less, locking the system with the screen saver. | Windows Server 2019 Security Technical Implementation Guide
  • V-269572 | CAT I | Xylok Security Suite must expire a session upon browser closing. | Xylok Security Suite 20.x Security Technical Implementation Guide