Episode 10: Concurrent Session Control (AC-10)

1.4K views · 81 likes · 7:07 · Oct 8, 2022

In this episode of the NIST SP 800-53 Rev. 5 security control explanatory series, we reviewed AC-10, Concurrent Session Control, simplified what the control requirements are about, and covered how best to assess/test this control during the SCA and self-assessment process. Reference: NIST Computer Security Resource Center, https://csrc.nist.gov/publications

About This Video

In Episode 10 of my NIST SP 800-53 Rev. 5 Access Control series, I break down AC-10 (Concurrent Session Control) and simplify what the control is really asking for. AC-10 is an access control mechanism that limits how many sessions an account can hold at the same time on a single application. When a user who is already authenticated tries to authenticate again, the system can either invalidate the existing session and create a new one, or allow both sessions to run concurrently; which behaviour applies, and how many sessions are allowed, is organization-defined.

I also explain where AC-10 applies and where it does not. The control is mostly enforced for privileged/admin access, and it concerns concurrent sessions for one system account on the same application, not a single user accessing several different applications. Netflix is a simple illustration: if your plan allows one stream, you cannot log in somewhere else and start a second session at the same time.

Finally, I walk through how I assess/test AC-10 during an SCA or self-assessment: review the access control policy and procedures, confirm the implementation statement in the SSP (including the number of sessions allowed for regular versus privileged users), and validate configuration evidence or attempt a login that exceeds the maximum to confirm that the system blocks it.
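As an added illustration (this is not code from the video or from KamilSec), the snippet below models a session store that enforces a per-account-type concurrent-session limit with the two behaviours the episode describes, and the "attempt more logins than allowed" check used during assessment; the per-role limits, the policy names and all function names are assumptions.

```python
import secrets

# Organization-defined AC-10 parameter: max concurrent sessions per account type.
# These numbers are constructed for the example, not taken from the video.
MAX_SESSIONS = {"privileged": 1, "regular": 2}


class SessionLimitExceeded(Exception):
    """Raised under the 'reject' policy when the account is already at its limit."""


class SessionStore:
    # policy 'reject': block the new authentication, existing sessions stand.
    # policy 'invalidate_existing': drop the oldest session(s) and create the new one.
    def __init__(self, policy="reject"):
        if policy not in ("reject", "invalidate_existing"):
            raise ValueError("policy must be 'reject' or 'invalidate_existing'")
        self.policy = policy
        self._active = {}  # account -> list of active session ids, oldest first

    def login(self, account, role):
        """Authenticate `account` and return a new session id, enforcing AC-10."""
        limit = MAX_SESSIONS[role]
        sessions = self._active.setdefault(account, [])
        if len(sessions) >= limit:
            if self.policy == "reject":
                raise SessionLimitExceeded(f"{account} already has {limit} session(s)")
            while len(sessions) >= limit:   # make room by invalidating the oldest
                sessions.pop(0)
        sid = secrets.token_hex(16)         # opaque, unguessable session identifier
        sessions.append(sid)
        return sid

    def is_valid(self, account, sid):
        return sid in self._active.get(account, ())

    def count(self, account):
        return len(self._active.get(account, ()))


def assess_ac10(store, account, role):
    """Assessment step from the episode: attempt more logins than the limit allows
    and confirm the store never holds more than MAX_SESSIONS[role] sessions.
    Returns (within_limit, number_of_blocked_attempts)."""
    limit = MAX_SESSIONS[role]
    blocked = 0
    for _ in range(limit + 2):
        try:
            store.login(account, role)
        except SessionLimitExceeded:
            blocked += 1
    return store.count(account) <= limit, blocked
```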
