Address the scope question from this comment: #1800 (comment)
tghosth committed Jan 24, 2024
1 parent 2a522d4 commit e7697df
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions 5.0/en/0x12-V3-Session-management.md
Expand Up @@ -93,7 +93,7 @@ Attackers start a half-open attack by attempting to lock, reset, or recover a cr

## V3.8 Session Termination

Session termination may be handled either by the application itself or by the SSO provider if the SSO provider is handling session management instead of the application.
Session termination may be handled either by the application itself or by the SSO provider if the SSO provider is handling session management instead of the application. It may be necessary to decide whether the SSO provider is in scope when considering the requirements in this section as some may be controlled by the provider.

Session termination should result in requiring re-authentication and be effective across the application, federated login (if present), and any relying parties.

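Review bot: the sentence appended to the V3.8 introduction leaves it open who decides scope and what follows from that decision; since the requirements below (3.8.3 through 3.8.6) are verified against a concrete application, the text would be more useful if it said what a verifier should do when the SSO provider is out of scope, for example "Where the SSO provider handles session management, the requirements in this section that it controls should be assessed against the provider or explicitly documented as out of scope." Minor wording: "as some may be controlled by the provider" reads better as "since some of them may be controlled by the provider".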
Expand All @@ -106,7 +106,7 @@ For stateful session mechanisms, this should just require invalidating the sessi
| **3.8.3** | [MODIFIED, MOVED FROM 3.3.4] Verify that users are able to view and (having re-entered login credentials) terminate any or all currently active sessions. | ||| 613 | 7.1 |
| **3.8.4** | [ADDED] Verify that all pages that require authentication have easy and visible access to logout functionality. |||| | |
| **3.8.5** | [ADDED] Verify that the application terminates all active sessions when a user account is disabled or deleted (such as an employee leaving the company). |||| 613 | |
| **3.8.6** | [ADDED] Verify that application administrators are able to terminate any or all currently active sessions and devices for a user or for all users. |||| 613 | 7.1 |
| **3.8.6** | [ADDED] Verify that application administrators are able to terminate active sessions for an individual user or for all users. |||| 613 | 7.1 |

## References

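Review bot: the rewrite of 3.8.6 drops "and devices" from the original wording, narrowing the requirement from sessions and devices to sessions only; if that narrowing is intended (device revocation being a separate concern from session termination), it is worth stating in the commit message, since the commit message only mentions the scope question. The new phrasing "active sessions" also diverges from 3.8.3 on the line above, which still says "any or all currently active sessions"; using the same phrase in both requirements would keep the table consistent. The [ADDED] tag, CWE 613 and NIST 7.1 mapping are unchanged, which is correct for a wording-only change to a new 5.0 requirement.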
