As part of CivicPlus’s ongoing efforts to implement security and privacy controls in line with the National Institute of Standards and Technology (NIST) 800-53 requirements, CivicClerk has implemented a session inactivity timeout feature. This feature will allow system administrators to configure a session inactivity timeout in CivicClerk in accordance with local access control policies. The minimum allowed configuration is 3 minutes and the maximum allowed timeout is 120 minutes. By default, this feature is configured at 120 minutes.
What does this mean for our users?
- System administrators may either leave the timeout at the default configuration of 120 minutes or they can follow the configuration instructions to set a custom session timeout. Users who are completely inactive in CivicClerk for the designated period of time will receive a warning message alerting them that they have been inactive and notifying them that they will be automatically logged out in two minutes. If the user acknowledges by clicking the “OK” button, it will reset the user’s activity clock and allow them to remain logged in to CivicClerk. If the user does not acknowledge and the two minute period elapses, the user will be logged out and unsaved changes will be lost. The user’s browser will display a message telling the user that they have been logged out of CivicClerk due to inactivity and giving a link to log back in. Upon login, they will land on the same page they were prior to logout.
If a user is automatically logged out due to inactivity, will their changes be saved?
- CivicClerk does not autosave work in Agendas, Events, Items, or Analytics, so work in any of these modules will NOT be saved before session inactivity timeout. Autosave is enabled in the Live Meeting Manager.
To remind users to periodically save their work, we have implemented an “Unsaved Changes” alert that will remind users working on Items that they have unsaved changes. This alert will appear if a user has made a change to an agenda item and has not yet saved the changes.
Can we opt-out or disable this feature?
- This feature will be rolled out to all CivicClerk 8 clients, there is no ability to opt-out. However, if you choose not to configure default, the timeout for your site will be set at 120 minutes.
In regard to any security controls, we advise that you look to NIST 800-53 Rev 4 for more information. As it relates to this feature in CivicClerk, the control in question would be AC-12. While NIST defines this control, it’s up to individual system administrators to set internal organizational policy. This feature is intended to allow administrators the ability to configure CivicClerk to adhere to their policy up to 120 minutes, which is the maximum allowed duration.