3.1.10 — Lock the Screen

The One-Liner

Screens lock after 5-15 minutes of inactivity. The lock screen hides everything. Managed centrally, not by each user.

What It Says

Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity.

What It Actually Means

Three things happening together:

1. Auto-lock after inactivity — define the timeout (5-15 minutes is standard), enforce it centrally via Group Policy or Intune
2. Lock screen hides data — no document previews, no email notifications, no data visible on the locked screen
3. Users can’t override it — the timeout is enforced by policy, not left to individual screensaver settings

The assessor will walk through your office and check screens. If someone’s workstation is sitting unlocked with CUI visible, that’s a finding.

---

Pass or Fail

Your assessor needs a “yes” to every row:

#	Question	What “yes” looks like
1	Is the inactivity period defined?	A documented timeout — typically 5-15 minutes
2	Does the system lock after that period?	Auto-lock is configured and enforced centrally
3	Does the lock screen hide data?	No previews, no notifications, no visible information

---

What to Have Ready on Assessment Day

Documents they’ll review: Access control policy, session lock procedures, system configuration (GPO/Intune settings), system security plan

People they’ll talk to: Sysadmins, information security staff, system developers

Live demos they’ll ask for: “Wait [X] minutes — show me the screen locks. Show me the lock screen hides what was displayed.”

---

The Assessor’s Playbook

These are the actual questions. Have answers ready.

• “What is your defined inactivity timeout?”
• “Does the lock screen hide previously visible information?”
• “Is the timeout managed centrally or do users set it?”
• “Show me the Group Policy or Intune configuration.”

Real-World Example

A contractor uses Intune device compliance to enforce a 5-minute screen lock on all managed devices — Windows, Mac, and mobile. The lock screen displays only the company logo and a clock. Notification previews are disabled via policy. The assessor asks to see the Intune compliance dashboard showing 100% of devices meet the policy.

---

Where Companies Trip Up

Timeout too long. 30 or 60 minutes defeats the purpose. The standard is 5-15 minutes.

Lock screen leaks data. Email preview notifications, document titles, or chat messages visible on the lock screen.

Not centrally managed. Relying on each user to configure their own screensaver. Users will disable it for convenience.

Missing on some platforms. Enforced on Windows but not on Mac, Linux, or mobile devices.

---

How to Talk About This

To a CEO or Board

All workstations lock after five minutes. The lock screen shows nothing. It’s enforced centrally — users can’t override it.

To an Engineering Team

Intune device compliance: 5-minute lock timeout, notification previews disabled, lock screen shows company logo only. GPO backup for domain-joined devices. 100% compliance tracked in Intune dashboard.

---

Connected Requirements

Requirement	Why it matters here
3.1.11 — End the Session	Session termination after longer inactivity
3.10.6 — Home Office Security	Physical security at alternate work sites

---

Implementation

🔒

Step-by-step guides for Microsoft 365, AWS, Azure, and GCP are available to Ancitus clients.

Start a conversation →

---

CMMC Practice ID: AC.L2-3.1.10 | SPRS Weight: 1 point | POA&M Eligible: Yes