
CCI-000060

Definition

Conceal, via the device lock, information previously visible on the display with a publicly viewable image.

Parent Control

AC-11 (1) | Device Lock | Access Control

Linked STIG Checks (109)

ID | Severity | Check | STIG
V-268087 | CAT II | NixOS must provide the capability for users to directly initiate a session lock for all connection types. | Anduril NixOS Security Technical Implementation Guide
V-254597 | CAT II | Apple iOS/iPadOS 16 must be configured to not display notifications when the device is locked. | Apple iOS-iPadOS 16 Security Technical Implementation Guide
V-254598 | CAT II | Apple iOS/iPadOS 16 must not display notifications (calendar information) when the device is locked. | Apple iOS-iPadOS 16 Security Technical Implementation Guide
V-250938 | CAT II | Apple iOS/iPadOS 15 must be configured to not display notifications when the device is locked. | Apple iOS/iPadOS 15 Security Technical Implementation Guide
V-250939 | CAT II | Apple iOS/iPadOS 15 must not display notifications (calendar information) when the device is locked. | Apple iOS/iPadOS 15 Security Technical Implementation Guide
V-257114 | CAT II | Apple iOS/iPadOS 16 must be configured to not display notifications when the device is locked. | Apple iOS/iPadOS 16 BYOAD Security Technical Implementation Guide
V-257115 | CAT II | Apple iOS/iPadOS 16 must not display notifications (calendar information) when the device is locked. | Apple iOS/iPadOS 16 BYOAD Security Technical Implementation Guide
V-259771 | CAT II | Apple iOS/iPadOS 17 must be configured to not display notifications when the device is locked. | Apple iOS/iPadOS 17 MDFPP 3.3 BYOAD Security Technical Implementation Guide
V-259772 | CAT II | Apple iOS/iPadOS 17 must not display notifications (calendar information) when the device is locked. | Apple iOS/iPadOS 17 MDFPP 3.3 BYOAD Security Technical Implementation Guide
V-258329 | CAT II | Apple iOS/iPadOS 17 must be configured to not display notifications when the device is locked. | Apple iOS/iPadOS 17 Security Technical Implementation Guide
V-258330 | CAT II | Apple iOS/iPadOS 17 must not display notifications (calendar information) when the device is locked. | Apple iOS/iPadOS 17 Security Technical Implementation Guide
V-267998 | CAT II | Apple iOS/iPadOS 18 must be configured to not display notifications when the device is locked. | Apple iOS/iPadOS 18 Security Technical Implementation Guide
V-267999 | CAT II | Apple iOS/iPadOS 18 must not display notifications (calendar information) when the device is locked. | Apple iOS/iPadOS 18 Security Technical Implementation Guide
V-278758 | CAT II | Apple iOS/iPadOS 26 must be configured to not display notifications when the device is locked. | Apple iOS/iPadOS 26 Security Technical Implementation Guide
V-278759 | CAT II | Apple iOS/iPadOS 26 must not display notifications (calendar information) when the device is locked. | Apple iOS/iPadOS 26 Security Technical Implementation Guide
V-252441 | CAT III | The macOS system must conceal, via the session lock, information previously visible on the display with a publicly viewable image. | Apple macOS 12 (Monterey) Security Technical Implementation Guide
V-252442 | CAT II | The macOS system must be configured to disable hot corners. | Apple macOS 12 (Monterey) Security Technical Implementation Guide
V-257147 | CAT II | The macOS system must conceal, via the session lock, information previously visible on the display with a publicly viewable image. | Apple macOS 13 (Ventura) Security Technical Implementation Guide
V-257148 | CAT II | The macOS system must be configured to disable hot corners. | Apple macOS 13 (Ventura) Security Technical Implementation Guide
V-259422 | CAT II | The macOS system must disable hot corners. | Apple macOS 14 (Sonoma) Security Technical Implementation Guide
V-268424 | CAT II | The macOS system must disable hot corners. | Apple macOS 15 (Sequoia) Security Technical Implementation Guide
V-268425 | CAT II | The macOS system must prevent AdminHostInfo from being available at LoginWindow. | Apple macOS 15 (Sequoia) Security Technical Implementation Guide
V-277032 | CAT II | The macOS system must disable hot corners. | Apple macOS 26 (Tahoe) Security Technical Implementation Guide
V-277033 | CAT II | The macOS system must prevent AdminHostInfo from being available at LoginWindow. | Apple macOS 26 (Tahoe) Security Technical Implementation Guide
V-276386 | CAT II | Apple visionOS 2 must be configured to not display notifications when the device is locked. | Apple visionOS 2 Security Technical Implementation Guide
V-282795 | CAT II | Apple visionOS 26 must be configured to not display notifications when the device is locked. | Apple visionOS 26 Security Technical Implementation Guide
V-205058 | CAT II | The ALG providing user access control intermediary services must conceal, via the session lock, information previously visible on the display with a publicly viewable image. | Application Layer Gateway Security Requirements Guide
V-219304 | CAT II | The Ubuntu operating system must be configured for users to directly initiate a session lock for all connection types. | Canonical Ubuntu 18.04 LTS Security Technical Implementation Guide
V-238200 | CAT II | The Ubuntu operating system must allow users to directly initiate a session lock for all connection types. | Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide
V-260553 | CAT II | Ubuntu 22.04 LTS must allow users to directly initiate a session lock for all connection types. | Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide
V-270674 | CAT II | Ubuntu 24.04 LTS must allow users to directly initiate a session lock for all connection types. | Canonical Ubuntu 24.04 LTS Security Technical Implementation Guide
V-274871 | CAT II | Ubuntu 24.04 LTS must conceal, via the session lock, information previously visible on the display with a publicly viewable image. | Canonical Ubuntu 24.04 LTS Security Technical Implementation Guide
V-269103 | CAT II | AlmaLinux OS 9 must automatically lock graphical user sessions after 15 minutes of inactivity. | Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide
V-269104 | CAT II | AlmaLinux OS 9 must conceal, via the session lock, information previously visible on the display with a publicly viewable image. | Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide
V-269105 | CAT II | AlmaLinux OS 9 must prevent a user from overriding the session idle-delay setting for the graphical user interface. | Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide
V-235825 | CAT II | The Lifetime Minutes and Renewal Threshold Minutes Login Session Controls must be set to 10 and 0 respectively in Docker Enterprise. | Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide
V-270904 | CAT II | Dragos must configure idle timeouts at 10 minutes. | Dragos Platform 2.x Security Technical Implementation Guide
V-203601 | CAT II | The operating system must conceal, via the session lock, information previously visible on the display with a publicly viewable image. | General Purpose Operating System Security Requirements Guide
V-258483 | CAT II | Google Android 13 must be configured to not display the following (work profile) notifications when the device is locked: [selection: a. email notifications b. calendar appointments c. contact associated with phone call notification d. text message notification e. other application-based notifications f. all notifications]. | Google Android 13 BYOAD Security Technical Implementation Guide
V-254773 | CAT II | Google Android 13 must be configured to not display the following (work profile) notifications when the device is locked: [selection: a. email notifications b. calendar appointments c. contact associated with phone call notification d. text message notification e. other application-based notifications f. all notifications]. | Google Android 13 COPE Security Technical Implementation Guide
V-258386 | CAT II | Google Android 14 must be configured to not display the following (work profile) notifications when the device is locked: [selection: a. email notifications b. calendar appointments c. contact associated with phone call notification d. text message notification e. other application-based notifications f. all notifications]. | Google Android 14 COBO Security Technical Implementation Guide
V-258417 | CAT II | Google Android 14 must be configured to not display the following (work profile) notifications when the device is locked: [selection: a. email notifications b. calendar appointments c. contact associated with phone call notification d. text message notification e. other application-based notifications f. all notifications]. | Google Android 14 COPE Security Technical Implementation Guide
V-260133 | CAT II | Google Android 14 must be configured to not display the following (work profile) notifications when the device is locked: [selection: a. email notifications b. calendar appointments c. contact associated with phone call notification d. text message notification e. other application-based notifications f. all notifications]. | Google Android 14 MDFPP 3.3 BYOAD Security Technical Implementation Guide
V-267439 | CAT II | Google Android 15 must be configured to not display the following (work profile) notifications when the device is locked: [selection: a. email notifications b. calendar appointments c. contact associated with phone call notification d. text message notification e. other application-based notifications f. all notifications]. | Google Android 15 COBO Security Technical Implementation Guide
V-267534 | CAT II | Google Android 15 must be configured to not display the following (work profile) notifications when the device is locked: [selection: a. email notifications b. calendar appointments c. contact associated with phone call notification d. text message notification e. other application-based notifications f. all notifications]. | Google Android 15 COPE Security Technical Implementation Guide
V-276757 | CAT II | Google Android 16 must be configured to not display the following (work profile) notifications when the device is locked: [selection: a. email notifications b. calendar appointments c. contact associated with phone call notification d. text message notification e. other application-based notifications f. all notifications]. | Google Android 16 COBO Security Technical Implementation Guide
V-276859 | CAT II | Google Android 16 must be configured to not display the following (work profile) notifications when the device is locked: [selection: a. email notifications b. calendar appointments c. contact associated with phone call notification d. text message notification e. other application-based notifications f. all notifications]. | Google Android 16 COPE Security Technical Implementation Guide
V-274290 | CAT II | Honeywell Android 13 must be configured to not display the following (work profile) notifications when the device is locked: [selection: a. email notifications b. calendar appointments c. contact associated with phone call notification d. text message notification e. other application-based notifications f. all notifications]. | Honeywell Android 13 COBO Security Technical Implementation Guide
V-274385 | CAT II | Honeywell Android 13 must be configured to not display the following (work profile) notifications when the device is locked: [selection: a. email notifications b. calendar appointments c. contact associated with phone call notification d. text message notification e. other application-based notifications f. all notifications]. | Honeywell Android 13 COPE Security Technical Implementation Guide
V-215212 | CAT II | AIX CDE must conceal, via the session lock, information previously visible on the display with a publicly viewable image. | IBM AIX 7.x Security Technical Implementation Guide
V-223575 | CAT II | IBM z/OS must employ a session manager that conceal, via the session lock, information previously visible on the display with a publicly viewable image. | IBM z/OS ACF2 Security Technical Implementation Guide
V-223794 | CAT II | The IBM z/OS must employ a session manager that conceals, via the session lock, information previously visible on the display with a publicly viewable image. | IBM z/OS RACF Security Technical Implementation Guide
V-224032 | CAT II | IBM z/OS must employ a session manager to conceal, via the session lock, information previously visible on the display with a publicly viewable image. | IBM z/OS TSS Security Technical Implementation Guide
V-205440 | CAT II | The Mainframe Product must conceal, via the session lock, information previously visible on the display with a publicly viewable image. | Mainframe Product Security Requirements Guide
V-253424 | CAT II | Windows Ink Workspace must be configured to disallow access above the lock. | Microsoft Windows 11 Security Technical Implementation Guide
V-205633 | CAT II | Windows Server 2019 machine inactivity limit must be set to 15 minutes or less, locking the system with the screen saver. | Microsoft Windows Server 2019 Security Technical Implementation Guide
V-254456 | CAT II | Windows Server 2022 machine inactivity limit must be set to 15 minutes or less, locking the system with the screen saver. | Microsoft Windows Server 2022 Security Technical Implementation Guide
V-278206 | CAT II | Windows Server 2025 machine inactivity limit must be set to 15 minutes or less, locking the system with the screen saver. | Microsoft Windows Server 2025 Security Technical Implementation Guide
V-272180 | CAT II | Motorola Solutions Android 13 must be configured to not display the following (work profile) notifications when the device is locked: [selection: a. email notifications b. calendar appointments c. contact associated with phone call notification d. text message notification e. other application-based notifications f. all notifications]. | Motorola Solutions Android 13 COBO Security Technical Implementation Guide
V-272317 | CAT II | Motorola Solutions Android 13 must be configured to not display the following (work profile) notifications when the device is locked: [selection: a. email notifications b. calendar appointments c. contact associated with phone call notification d. text message notification e. other application-based notifications f. all notifications]. | Motorola Solutions Android 13 COPE Security Technical Implementation Guide
V-202006 | CAT II | The network device must conceal, via the session lock, information previously visible on the display with a publicly viewable image. | Network Device Management Security Requirements Guide
V-254121 | CAT II | Nutanix AOS must disconnect a session after 15 minutes of idle time for all connection types. | Nutanix AOS 5.20.x OS Security Technical Implementation Guide
V-279529 | CAT II | Nutanix OS must set the value of "lock-after-time" to 890 seconds for remote access sessions. | Nutanix Acropolis GPOS Security Technical Implementation Guide
V-248672 | CAT II | OL 8 must initiate a session lock for graphical user interfaces when the screensaver is activated. | Oracle Linux 8 Security Technical Implementation Guide
V-248680 | CAT II | OL 8 must automatically lock graphical user sessions after 15 minutes of inactivity. | Oracle Linux 8 Security Technical Implementation Guide
V-248682 | CAT II | OL 8 must prevent a user from overriding the session lock-delay setting for the graphical user interface. | Oracle Linux 8 Security Technical Implementation Guide
V-248683 | CAT II | OL 8 must prevent a user from overriding the session idle-delay setting for the graphical user interface. | Oracle Linux 8 Security Technical Implementation Guide
V-248684 | CAT II | OL 8 must prevent a user from overriding the session lock-enabled setting for the graphical user interface. | Oracle Linux 8 Security Technical Implementation Guide
V-271674 | CAT II | OL 9 must automatically lock graphical user sessions after 15 minutes of inactivity. | Oracle Linux 9 Security Technical Implementation Guide
V-271676 | CAT II | OL 9 must conceal, via the session lock, information previously visible on the display with a publicly viewable image. | Oracle Linux 9 Security Technical Implementation Guide
V-271682 | CAT II | OL 9 must prevent a user from overriding the session idle-delay setting for the graphical user interface. | Oracle Linux 9 Security Technical Implementation Guide
V-281278 | CAT II | RHEL 10 must automatically lock graphical user sessions after 15 minutes of inactivity. | Red Hat Enterprise Linux 10 Security Technical Implementation Guide
V-281279 | CAT II | RHEL 10 must prevent a user from overriding the session idle-delay setting for the graphical user interface. | Red Hat Enterprise Linux 10 Security Technical Implementation Guide
V-281280 | CAT II | RHEL 10 must initiate a session lock for graphical user interfaces when the screensaver is activated. | Red Hat Enterprise Linux 10 Security Technical Implementation Guide
V-281281 | CAT II | RHEL 10 must prevent a user from overriding the session lock-delay setting for the graphical user interface. | Red Hat Enterprise Linux 10 Security Technical Implementation Guide
V-281282 | CAT II | RHEL 10 must conceal, via the session lock, information previously visible on the display with a publicly viewable image. | Red Hat Enterprise Linux 10 Security Technical Implementation Guide
V-258023 | CAT II | RHEL 9 must automatically lock graphical user sessions after 10 minutes of inactivity. | Red Hat Enterprise Linux 9 Security Technical Implementation Guide
V-258024 | CAT II | RHEL 9 must prevent a user from overriding the session idle-delay setting for the graphical user interface. | Red Hat Enterprise Linux 9 Security Technical Implementation Guide
V-258027 | CAT II | RHEL 9 must conceal, via the session lock, information previously visible on the display with a publicly viewable image. | Red Hat Enterprise Linux 9 Security Technical Implementation Guide
V-275642 | CAT II | Ubuntu OS must allow users to directly initiate a session lock for all connection types. | Riverbed NetIM OS Security Technical Implementation Guide
V-238497 | CAT II | If TLS optimization is used, the Riverbed Optimization System (RiOS) providing Signed SMB and/or Encrypted MAPI must ensure the integrity and confidentiality of data transmitted over the WAN. | Riverbed SteelHead CX v8 ALG Security Technical Implementation Guide
V-261276 | CAT II | SLEM 5 must use vlock to allow for session locking. | SUSE Linux Enterprise Micro (SLEM) 5 Security Technical Implementation Guide
V-217107 | CAT II | The SUSE operating system must be able to lock the graphical user interface (GUI). | SUSE Linux Enterprise Server 12 Security Technical Implementation Guide
V-217108 | CAT III | The SUSE operating system must utilize vlock to allow for session locking. | SUSE Linux Enterprise Server 12 Security Technical Implementation Guide
V-217111 | CAT III | The SUSE operating system must conceal, via the session lock, information previously visible on the display with a publicly viewable image in the graphical user interface. | SUSE Linux Enterprise Server 12 Security Technical Implementation Guide
V-260450 | CAT II | Samsung Android must be configured to not display the following (Work Environment) notifications when the device is locked: All notifications. | Samsung Android 14 MDFPP 3.3 BYOAD Security Technical Implementation Guide
V-272583 | CAT II | Samsung Android must be configured to not display the following (Work Environment) notifications when the device is locked: All notifications. | Samsung Android 15 MDFPP 3.3 BYOAD Security Technical Implementation Guide
V-276558 | CAT II | Samsung Android must be configured to not display the following (Work Environment) notifications when the device is locked: All notifications. | Samsung Android 16 COBO Security Technical Implementation Guide
V-276666 | CAT II | Samsung Android must be configured to not display the following (Work Environment) notifications when the device is locked: All notifications. | Samsung Android 16 COPE Security Technical Implementation Guide
V-255127 | CAT II | Samsung Android must be configured to not display the following (Work Environment) notifications when the device is locked: All notifications. | Samsung Android OS 13 with Knox 3.x COBO Security Technical Implementation Guide
V-255156 | CAT II | Samsung Android must be configured to not display the following (Work Environment) notifications when the device is locked: All notifications. | Samsung Android OS 13 with Knox 3.x COPE Security Technical Implementation Guide
V-258646 | CAT II | Samsung Android must be configured to not display the following (Work Environment) notifications when the device is locked: All notifications. | Samsung Android OS 14 with Knox 3.x COBO Security Technical Implementation Guide
V-258682 | CAT II | Samsung Android must be configured to not display the following (Work Environment) notifications when the device is locked: All notifications. | Samsung Android OS 14 with Knox 3.x COPE Security Technical Implementation Guide
V-268933 | CAT II | Samsung Android must be configured to not display the following (Work Environment) notifications when the device is locked: All notifications. | Samsung Android OS 15 with Knox 3.x COBO Security Technical Implementation Guide
V-269032 | CAT II | Samsung Android must be configured to not display the following (Work Environment) notifications when the device is locked: All notifications. | Samsung Android OS 15 with Knox 3.x COPE Security Technical Implementation Guide
V-216364 | CAT II | The operating system session lock mechanism, when activated on a device with a display screen, must place a publicly viewable pattern onto the associated display, hiding what was previously visible on the screen. | Solaris 11 SPARC Security Technical Implementation Guide
V-216127 | CAT II | The operating system session lock mechanism, when activated on a device with a display screen, must place a publicly viewable pattern onto the associated display, hiding what was previously visible on the screen. | Solaris 11 X86 Security Technical Implementation Guide
V-234047 | CAT II | The Tanium application must retain the session lock until the user reestablishes access using established identification and authentication procedures. | Tanium 7.3 Security Technical Implementation Guide
V-254897 | CAT II | Multifactor authentication must be enabled and enforced on the Tanium Server for all access and all accounts. | Tanium 7.x Application on TanOS Security Technical Implementation Guide
V-253814 | CAT II | The Tanium application must retain the session lock until the user reestablishes access using established identification and authentication procedures. | Tanium 7.x Security Technical Implementation Guide
V-252948 | CAT II | TOSS must retain a user's session lock until that user reestablishes access using established identification and authentication procedures. | Tri-Lab Operating System Stack (TOSS) 4 Security Technical Implementation Guide
V-282377 | CAT II | TOSS 5 must automatically lock graphical user sessions after 10 minutes of inactivity. | Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide
V-282378 | CAT II | TOSS 5 must prevent a user from overriding the session idle-delay setting for the graphical user interface. | Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide
V-282382 | CAT II | TOSS 5 must conceal via the session lock information previously visible on the display with a publicly viewable image. | Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide
V-234276 | CAT II | The UEM server must conceal, via the session lock, information previously visible on the display with a publicly viewable image. | Unified Endpoint Management Server Security Requirements Guide
V-207349 | CAT II | The VMM must conceal, via the session lock, information previously visible on the display with a publicly viewable image. | Virtual Machine Manager Security Requirements Guide
V-270131 | CAT II | Zebra Android 13 must be configured to not display the following (work profile) notifications when the device is locked: [selection: a. email notifications b. calendar appointments c. contact associated with phone call notification d. text message notification e. other application-based notifications f. all notifications]. | Zebra Android 13 COPE Security Technical Implementation Guide
V-283514 | CAT II | Zebra Android 14 must be configured to not display the following (work profile) notifications when the device is locked: [selection: a. email notifications b. calendar appointments c. contact associated with phone call notification d. text message notification e. other application-based notifications f. all notifications]. | Zebra Technologies Android 14 COBO Security Technical Implementation Guide
V-283616 | CAT II | Zebra Android 14 must be configured to not display the following (work profile) notifications when the device is locked: [selection: a. email notifications b. calendar appointments c. contact associated with phone call notification d. text message notification e. other application-based notifications f. all notifications]. | Zebra Technologies Android 14 COPE Security Technical Implementation Guide