AC.L2-3.1.10[b] — Access Control (Session Lock)
Domain: Access Control (AC) | Practice: AC.L2-3.1.10 | Objective ID: 3.1.10[b] | Source: NIST SP 800-171 Rev. 2 / CMMC 2.0 Level 2 | Assessment Objective: Sessions are locked after the defined period of inactivity.
Executive Summary (For Leadership and the Board)
CMMC objective AC.L2-3.1.10[b] sits inside the Access Control domain (AC.L2-3.1.10 — Session Lock) and reads: Sessions are locked after the defined period of inactivity. Implement automatic screen lock/session lock on all endpoints and applications that access CUI, and require users to re-authenticate to resume their session. For organizations that handle Controlled Unclassified Information (CUI), this objective is part of the foundation that every downstream control depends on.
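As an added example (not part of this page or any CMMC artifact), the audit below checks Windows policy values exported from a host against the organization's defined inactivity period. The registry value names are the standard Windows policy values for the machine inactivity limit and the password-protected screen saver; the 900-second period and the two sample exports are constructed assumptions, since the page does not state a number.

```python
"""Audit exported Windows policy values against a defined session-lock period."""
import re

# Assumption: the organization's defined inactivity period is 15 minutes (900 s).
# The page gives no number, so this is a placeholder for the real policy value.
DEFINED_PERIOD_SECONDS = 900

# Constructed sample of a .reg export from a compliant host (0x384 = 900 s).
COMPLIANT_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"InactivityTimeoutSecs"=dword:00000384

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop]
"ScreenSaveActive"="1"
"ScreenSaverIsSecure"="1"
"ScreenSaveTimeOut"="600"
"""

# Constructed sample from a non-compliant host: no machine inactivity limit,
# screen saver resumes without re-authentication, timeout exceeds the period.
NONCOMPLIANT_EXPORT = r"""
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop]
"ScreenSaveActive"="1"
"ScreenSaverIsSecure"="0"
"ScreenSaveTimeOut"="3600"
"""

def parse_reg_export(text):
    """Return {value_name: int_or_str} for the dword and string values in a .reg export."""
    values = {}
    pattern = r'"([^"]+)"=(?:dword:([0-9a-fA-F]+)|"([^"]*)")'
    for name, dword, string in re.findall(pattern, text):
        values[name] = int(dword, 16) if dword else string
    return values

def assess_session_lock(text, defined_period=DEFINED_PERIOD_SECONDS):
    """Return a list of findings for objective 3.1.10[b]; empty means the objective is met."""
    v = parse_reg_export(text)
    findings = []
    machine_limit = v.get("InactivityTimeoutSecs")  # 0 or absent means disabled
    if not machine_limit or machine_limit > defined_period:
        findings.append(f"machine inactivity limit not within {defined_period}s (found {machine_limit})")
    if v.get("ScreenSaveActive") != "1" or v.get("ScreenSaverIsSecure") != "1":
        findings.append("screen saver does not lock the session (no re-authentication on resume)")
    timeout = v.get("ScreenSaveTimeOut")
    if timeout is None or int(timeout) > defined_period:
        findings.append(f"screen saver timeout {timeout} exceeds defined period {defined_period}s")
    return findings
```

Run it over a real `reg export` of both keys to produce assessment evidence; an empty findings list for every host is the artifact a C3PAO would expect to see.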
Under DFARS 252.204-7012, AC.L2-3.1.10[b] will be evaluated during a full third-party CMMC Level 2 assessment, Joint Surveillance Voluntary Assessment, or formal certification gating DoD CUI contract awards. Leadership and the board should be asking: Who owns this objective? When was it last reviewed? Where is the evidence stored? And what is our remediation plan if a C3PAO flags a gap? Failing this objective in isolation may be POA&M-able under CMMC 2.0; failing it in conjunction with related objectives in the same practice is typically not.