Information resources shall be protected from excessive concurrent sessions by the same user account, based on a risk determination by the information resource owner.
Without a limit, multiple sessions can run under the same user account, allowing an attacker to launch a concurrent session without the user’s knowledge.
The information system limits the number of concurrent sessions for each [Assignment: organization-defined account and/or account type] to [Assignment: organization-defined number].