Vigyata.AI

Episode 12: Session Termination (AC-12)

1.3K views· 60 likes· 7:34· Nov 25, 2022


In this episode of the NIST SP 800-53 Rev 5 security control explanatory series, we review the AC-12 Session Termination control, simplify what the control requirements are about, and discuss how best to assess/test this control during the Security Control Assessment (SCA) process and the self-assessment process in the Continuous Monitoring phase of the RMF.

Computer Security Resource Center: https://csrc.nist.gov/publications

The free way to help the channel grow is by subscribing using the link below: https://www.youtube.com/c/KamilSec?su...

About This Video

In Episode 12 of my NIST SP 800-53 Rev 5 Access Control series, I break down AC-12 (Session Termination) and simplify what the control is really asking you to do. I explain session termination as the automatic ending of a user-initiated logical session: think of opening a remote database or cloud app, minimizing it, and then having the system kill that session once the maximum allowed idle time is reached. The key point is that AC-12 is about terminating the logical session and the processes tied to it, not necessarily dropping the network connection (that is the territory of SC-10, Network Disconnect). This control helps reduce unnecessary idle sessions on sensitive servers and applications. I also walk through common triggers and "organization-defined conditions," such as inactivity timeouts, shift changes, time-of-day restrictions, or terminating a concurrent session when the same credentials are used elsewhere. Then I cover how I like to assess/test AC-12 during an SCA or continuous monitoring: review the access control policy and procedures, confirm the implementation described in the SSP, and validate the actual configuration settings (screenshots or logs). Since AC-12 is a technical control, I usually only need to verify one effective configuration to gain confidence that it applies across the user population.
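To make the distinction between "organization-defined trigger conditions" and the act of terminating a logical session concrete, here is an added example (not code from the video, the channel, or NIST) of a small session-termination sweeper. It models AC-12 behaviour only: each trigger (inactivity, time-of-day window) returns a reason when a session should end, and termination kills the processes tied to the session and writes an audit record, which is the kind of log evidence an assessor would ask for. The 15-minute idle limit, the 08:00 to 17:00 window, the session and user names, and the PIDs are constructed assumptions; the process-kill action is injected so the block runs offline.

```python
"""Toy AC-12 style session terminator (added example, not from the video)."""
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta
from typing import Callable, Dict, List, Optional


@dataclass
class Session:
    session_id: str
    user: str
    started: datetime
    last_activity: datetime
    processes: List[int] = field(default_factory=list)  # PIDs tied to this logical session
    terminated_reason: Optional[str] = None


# A trigger inspects one session at time `now` and returns a reason string if it must end.
Trigger = Callable[[Session, datetime], Optional[str]]


def inactivity_trigger(max_idle: timedelta) -> Trigger:
    """Organization-defined condition: idle longer than max_idle."""
    def check(s: Session, now: datetime) -> Optional[str]:
        idle = now - s.last_activity
        if idle >= max_idle:
            return f"idle for {idle}, limit {max_idle}"
        return None
    return check


def time_of_day_trigger(allowed_start: time, allowed_end: time) -> Trigger:
    """Organization-defined condition: sessions may only exist inside a daily window."""
    def check(s: Session, now: datetime) -> Optional[str]:
        if not (allowed_start <= now.time() < allowed_end):
            return f"outside allowed window {allowed_start}-{allowed_end}"
        return None
    return check


class SessionTerminator:
    def __init__(self, triggers: List[Trigger], kill_process: Callable[[int], None]):
        self.triggers = triggers
        self.kill_process = kill_process   # injected (e.g. os.kill in a real deployment)
        self.audit_log: List[Dict[str, str]] = []

    def terminate(self, s: Session, reason: str, now: datetime) -> None:
        # AC-12: end the logical session and its processes. Whether the underlying
        # network connection is dropped is a separate concern (SC-10).
        for pid in s.processes:
            self.kill_process(pid)
        s.terminated_reason = reason
        self.audit_log.append({"time": now.isoformat(), "session": s.session_id,
                               "user": s.user, "reason": reason})

    def sweep(self, sessions: List[Session], now: datetime) -> List[str]:
        """Evaluate every live session against every trigger; first match wins."""
        ended = []
        for s in sessions:
            if s.terminated_reason is not None:
                continue
            for trig in self.triggers:
                reason = trig(s, now)
                if reason:
                    self.terminate(s, reason, now)
                    ended.append(s.session_id)
                    break
        return ended


def demo():
    """Constructed sessions swept twice: mid-afternoon, then after hours."""
    day = datetime(2022, 11, 25)
    s1 = Session("s1", "alice", day.replace(hour=13), day.replace(hour=13, minute=57), [101])
    s2 = Session("s2", "bob", day.replace(hour=12), day.replace(hour=13, minute=40), [202, 203])
    s3 = Session("s3", "carol", day.replace(hour=13, minute=30), day.replace(hour=13, minute=59), [303])
    killed: List[int] = []
    term = SessionTerminator(
        [inactivity_trigger(timedelta(minutes=15)), time_of_day_trigger(time(8, 0), time(17, 0))],
        killed.append,
    )
    first = term.sweep([s1, s2, s3], day.replace(hour=14))          # only bob is idle > 15 min
    s3.last_activity = day.replace(hour=18, minute=29)               # carol is still typing...
    second = term.sweep([s1, s2, s3], day.replace(hour=18, minute=30))  # ...but it is after hours
    return first, second, killed, term.audit_log


if __name__ == "__main__":
    for entry in demo()[3]:
        print(entry)
```

Trigger order matters: in the second sweep alice is both idle and outside the window, and the audit record shows the inactivity reason because that trigger is evaluated first. An assessor reviewing logs should know which condition the implementation reports when several apply.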

