CMMC L2 - Control AC.L2-3.1.10: Workstation Lockout [M365 environment]

Objective: Prevent unauthorized access to unattended systems by enforcing automatic workstation lockout after a defined period of inactivity.

Overview of the Control

CMMC Level 2 requires organizations to implement technical safeguards that ensure unattended workstations automatically lock after a specified period of inactivity. This control maps to:

  • NIST 800-171 Reference:
    • 3.1.10[a], [b], [c] – Access Control
    • 3.13.15 – System and Communications Protection

Implementation Plan

🔹 Step 1: Define Organizational Policy

Create or update your Workstation Configuration Policy to include:

  • Lockout after 15 minutes of inactivity
  • Applies to all endpoints handling CUI
  • Enforcement via Microsoft Intune for both Windows and macOS
  • Manual lockout behavior encouraged through user training

🔹 Step 2: Configure Windows Devices via Intune

Tool: Microsoft Intune Settings Catalog
Platform: Windows 10/11 and later

Configuration Steps:

  1. Sign in to Microsoft Intune Admin Center
  2. Navigate to:
    Devices > Windows > Configuration profiles > + Create profile
  3. Select:
    • Platform: Windows 10 and later
    • Profile type: Settings catalog
  4. Name the profile:
    "CMMC L2 – Workstation Lockout (15 min)"
  5. Under Configuration settings:
    • Click + Add settings
    • Search: "inactivity" or "lock"
    • Select: Device Lock > Maximum minutes of inactivity until screen locks
    • Set value: 15
  6. Assign to: CUI-handling device groups
  7. Review and Create the policy

🔹 Step 3: Configure macOS Devices via Intune

Tool: Microsoft Intune Settings Catalog
Platform: macOS

Note: No need to upload .mobileconfig files; the modern Settings Catalog supports direct configuration.

Configuration Steps:

  1. Sign in to Microsoft Intune Admin Center
  2. Navigate to:
    Devices > macOS > Configuration profiles > + Create profile
  3. Select:
    • Platform: macOS
    • Profile type: Settings catalog
  4. Name the profile:
    "CMMC L2 – macOS Workstation Lockout (15 min)"
  5. Under Configuration settings:
    • Click + Add settings
    • Search: "screensaver" or "idle time"
    • Select: User Experience > Screensaver User > Idle Time
    • Set value: 900 (this setting is in seconds; 900 seconds = 15 minutes)
  6. Assign to: macOS device groups
  7. Review and Create the policy
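Once both profiles exist, the quickest way to prove they say what the policy requires (and to produce the "Assignment Log" evidence later in this post) is to export each policy from Microsoft Graph and check the values programmatically rather than by eye. The script below is an added example for Steps 2 and 3; it is not code from this post or from Microsoft. It assumes the JSON shape that a Graph query for a configuration policy, expanded with its settings and assignments, returns, and it assumes the settingDefinitionId strings in LOCK_SETTINGS and MAC_ASK_FOR_PASSWORD; confirm both against an export from your own tenant. The sample policies at the bottom are constructed. It goes slightly beyond the steps above: it normalizes the Windows value (minutes) and the macOS value (seconds) to a common unit so a 900 typed into the Windows minutes field is caught, it treats 0 as "never lock", and it flags a macOS profile whose screensaver does not also require a password, since idle time alone only starts the screensaver.

```python
"""Check exported Intune Settings Catalog policies for the 3.1.10 lockout values.

Added example for this post; not Microsoft's code and not the post's own.
Assumed: the input is the JSON returned by a Microsoft Graph query for a
configuration policy expanded with its settings and assignments, and the
settingDefinitionId strings below. Verify both against your tenant's export.
"""
import json

# Threshold from Step 1: lock after at most 15 minutes of inactivity.
MAX_LOCK_SECONDS = 15 * 60

# settingDefinitionId -> multiplier converting the stored value to seconds
# (assumed IDs). Windows stores minutes, macOS stores seconds.
LOCK_SETTINGS = {
    "device_vendor_msft_policy_config_devicelock_maxinactivitytimedevicelock": 60,
    "com.apple.screensaver_idletime": 1,
}
# macOS only (assumed ID): without this the screensaver starts but the
# session is not locked.
MAC_ASK_FOR_PASSWORD = "com.apple.screensaver_askforpassword"


def load_export(path):
    """Load one policy export saved from Graph as JSON."""
    with open(path, encoding="utf-8") as f:
        return json.load(f)


def _simple_settings(policy):
    """Yield (definition_id, value) for each simple setting in the export."""
    for entry in policy.get("settings", []):
        inst = entry.get("settingInstance", {})
        did = inst.get("settingDefinitionId", "").lower()
        value = inst.get("simpleSettingValue", {}).get("value")
        yield did, value


def audit_policy(policy):
    """Return the effective lock time, assigned groups and any findings."""
    findings, warnings = [], []
    lock_seconds = None
    ask_for_password = None

    for did, value in _simple_settings(policy):
        if did == MAC_ASK_FOR_PASSWORD:
            ask_for_password = value
            continue
        unit = LOCK_SETTINGS.get(did)
        if unit is None:
            continue
        if not isinstance(value, int) or value <= 0:
            # 0 means "no timeout" on both platforms; anything non-positive fails.
            findings.append(f"{did}: value {value!r} disables or breaks the timeout")
            continue
        lock_seconds = value * unit
        if lock_seconds > MAX_LOCK_SECONDS:
            findings.append(
                f"{did}: {value} -> {lock_seconds}s exceeds {MAX_LOCK_SECONDS}s "
                "(check that minutes and seconds were not confused)")
        elif lock_seconds < 60:
            warnings.append(f"{did}: {lock_seconds}s is unusually short; confirm the unit")

    if lock_seconds is None and not findings:
        findings.append("no inactivity lockout setting found in this policy")

    if policy.get("platforms", "").lower() == "macos" and not ask_for_password:
        findings.append("macOS: screensaver does not require a password, "
                        "so idle time alone will not lock the session")

    groups = [
        a["target"]["groupId"]
        for a in policy.get("assignments", [])
        if a.get("target", {}).get("@odata.type", "").endswith("groupAssignmentTarget")
    ]
    if not groups:
        findings.append("policy is not assigned to any group")

    return {
        "name": policy.get("name", "<unnamed>"),
        "lock_seconds": lock_seconds,
        "assigned_groups": groups,
        "warnings": warnings,
        "findings": findings,
        "compliant": not findings,
    }


def _simple(did, value):
    return {"settingInstance": {"settingDefinitionId": did,
                                "simpleSettingValue": {"value": value}}}


def _assign(group_id):
    return {"target": {"@odata.type": "#microsoft.graph.groupAssignmentTarget",
                       "groupId": group_id}}


# Constructed sample exports (not from a real tenant); group IDs are placeholders.
SAMPLE_POLICIES = [
    {"name": "CMMC L2 – Workstation Lockout (15 min)", "platforms": "windows10",
     "settings": [_simple("device_vendor_msft_policy_config_devicelock_maxinactivitytimedevicelock", 15)],
     "assignments": [_assign("00000000-0000-0000-0000-00000000c001")]},
    {"name": "CMMC L2 – macOS Workstation Lockout (15 min)", "platforms": "macOS",
     "settings": [_simple("com.apple.screensaver_idletime", 900),
                  _simple(MAC_ASK_FOR_PASSWORD, True)],
     "assignments": []},
    {"name": "Lockout (900 typed into the minutes field)", "platforms": "windows10",
     "settings": [_simple("device_vendor_msft_policy_config_devicelock_maxinactivitytimedevicelock", 900)],
     "assignments": [_assign("00000000-0000-0000-0000-00000000c001")]},
]


def audit_all(policies=SAMPLE_POLICIES):
    return [audit_policy(p) for p in policies]


if __name__ == "__main__":
    for result in audit_all():
        print(json.dumps(result, indent=2, ensure_ascii=False))
```

Run it against the constructed samples and the Windows profile passes, the macOS profile fails only on the missing assignment, and the third profile is flagged because 900 minutes is 54000 seconds. Save the JSON output alongside the screenshots; it is a reproducible record of both the value and the assignment.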

Evidence Collection

| Platform | Evidence Type  | Description                                                         |
|----------|----------------|---------------------------------------------------------------------|
| Windows  | Screenshot     | Intune policy showing Maximum minutes of inactivity = 15            |
| Windows  | Assignment Log | Confirmation of policy assignment to CUI-handling devices           |
| macOS    | Screenshot     | Intune policy showing Idle Time = 900 seconds                       |
| macOS    | Assignment Log | Confirmation of policy assignment to macOS group                    |
| Both     | Policy Document| Workstation Configuration Policy referencing lockout settings       |
| Both     | SSP Reference  | Paragraph in your System Security Plan (SSP) citing this control    |
| Both     | Training Record| Users are instructed to manually lock workstations when unattended  |

SSP Paragraph (Example)

Control 3.1.10 – Workstation Lockout
All organizational workstations are configured to automatically lock after 15 minutes of inactivity. This is enforced via Microsoft Intune Settings Catalog profiles for both Windows and macOS endpoints. Manual lockout behavior is reinforced through user training. Remote sessions are also configured to terminate after inactivity, aligning with control 3.13.15. These settings are reviewed quarterly and tested during internal audits.

Final Checklist

  • [x] Workstation Configuration Policy updated and approved
  • [x] Intune policy created for Windows (15 min inactivity lock)
  • [x] Intune policy created for macOS (900 seconds idle time)
  • [x] Policies assigned to correct device groups
  • [x] Screenshots and logs captured for evidence
  • [x] SSP paragraph written and linked
  • [x] User training record updated
  • [x] Folder created in SharePoint or local repository for 3.1.10

Suggested Folder Structure

CMMC Evidence Repository
└── 3.1 Access Control
    └── 3.1.10 Workstation Lockout
        ├── Windows - Intune Policy Screenshot.png
        ├── macOS - Intune Policy Screenshot.png
        ├── Assignment Logs.pdf
        ├── Workstation Configuration Policy.pdf
        ├── SSP Paragraph - 3.1.10.docx
        ├── User Training Record.pdf
        └── POAM (if needed).docx
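Evidence is only useful at assessment time if it is all there and has not changed since it was captured. The script below is an added example for the checklist and folder structure above, not tooling from this post; it builds a manifest of SHA-256 hashes for a 3.1.10 evidence folder, reports which required artifacts are missing or saved as empty files (a zero-byte "screenshot" is a common slip), and later detects any file that was modified, removed or added. The required file names are taken from the folder structure above; the manifest file name and the make_sample_folder helper, which creates constructed placeholder files in a temporary directory, are assumptions.

```python
"""Integrity manifest for a CMMC 3.1.10 evidence folder.

Added example; not the post's own tooling. The required file names follow
the suggested folder structure in the post; MANIFEST_NAME and the sample
folder helper are assumptions made for this example.
"""
import hashlib
import json
import tempfile
from pathlib import Path

MANIFEST_NAME = "manifest.json"  # assumed name for the hash manifest

REQUIRED_EVIDENCE = [
    "Windows - Intune Policy Screenshot.png",
    "macOS - Intune Policy Screenshot.png",
    "Assignment Logs.pdf",
    "Workstation Configuration Policy.pdf",
    "SSP Paragraph - 3.1.10.docx",
    "User Training Record.pdf",
]
OPTIONAL_EVIDENCE = ["POAM (if needed).docx"]


def sha256_file(path):
    """Hash a file in chunks so large PDFs do not need to fit in memory."""
    digest = hashlib.sha256()
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(folder):
    """Hash every evidence file and list required artifacts that are missing or empty."""
    folder = Path(folder)
    files, empty = {}, []
    for p in sorted(folder.iterdir()):
        if not p.is_file() or p.name == MANIFEST_NAME:
            continue
        size = p.stat().st_size
        files[p.name] = {"sha256": sha256_file(p), "bytes": size}
        if size == 0:
            empty.append(p.name)
    missing = [name for name in REQUIRED_EVIDENCE if name not in files]
    return {
        "control": "3.1.10",
        "files": files,
        "missing": missing,
        "empty": empty,
        "complete": not missing and not empty,
    }


def write_manifest(folder):
    """Write the manifest next to the evidence and return its path."""
    folder = Path(folder)
    out = folder / MANIFEST_NAME
    out.write_text(json.dumps(build_manifest(folder), indent=2, sort_keys=True))
    return out


def verify_manifest(folder):
    """Compare the folder with its stored manifest; return a list of drift entries."""
    folder = Path(folder)
    stored = json.loads((folder / MANIFEST_NAME).read_text())["files"]
    current = build_manifest(folder)["files"]
    drift = []
    for name, meta in stored.items():
        if name not in current:
            drift.append(f"removed: {name}")
        elif current[name]["sha256"] != meta["sha256"]:
            drift.append(f"modified: {name}")
    drift.extend(f"added: {name}" for name in current if name not in stored)
    return drift


def make_sample_folder():
    """Create a temporary folder with constructed placeholder evidence files."""
    folder = Path(tempfile.mkdtemp(prefix="cmmc-3.1.10-"))
    for name in REQUIRED_EVIDENCE:
        (folder / name).write_bytes(b"constructed placeholder for " + name.encode())
    return folder


if __name__ == "__main__":
    sample = make_sample_folder()
    print(json.dumps(build_manifest(sample), indent=2))
    write_manifest(sample)
    print("drift after writing manifest:", verify_manifest(sample))
```

Run write_manifest once when the folder is complete and keep the manifest with the evidence; verify_manifest before an assessment then tells you exactly which artifacts changed since the review that approved them.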
