IA-11: Re-Authentication
NIST Baseline: Low
DIR Required By: 07/20/2023
TAMUS Required By: 08/01/2022
Review Date: 07/10/2024
- In addition to the re-authentication requirements associated with device locks, as described in Control AC-11, Device Lock, information resource owners may require re-authentication of individuals in certain situations, such as:
  - When roles, authenticators, or credentials change,
  - When security categories of systems change,
  - When the execution of privileged functions occurs, or
  - After a fixed time period.
- The lifetime of browser cookies used for binding authenticated sessions to university information resources shall be limited to no more than seven days.
- Workstations must be configured to automatically lock after 15 minutes of inactivity.
- Multifactor authentication must be configured to force reauthentication every five days or less.
References/Additional Resources
None. See any applicable internal procedures.