Require that users log out when [Assignment: organization-defined time period of expected inactivity or description of when to log out].
Inactivity logout is behavior- or policy-based and requires users to take physical action to log out when they are expecting inactivity longer than the defined period. Automatic enforcement of inactivity logout is addressed by AC-11.