diff --git a/scripts/policy/frameworks/cluster/controller/config.zeek b/scripts/policy/frameworks/cluster/controller/config.zeek
index 5605bd39a6..335d485f79 100644
--- a/scripts/policy/frameworks/cluster/controller/config.zeek
+++ b/scripts/policy/frameworks/cluster/controller/config.zeek
@@ -32,6 +32,9 @@ export {
 	# controller both redef this. Used during logging.
 	const role = ClusterController::Types::NONE &redef;
 
+	# The timeout for client request state.
+	const request_timeout = 15sec &redef;
+
 	# Agent and controller currently log only, not via the data cluster's
 	# logger. (This might get added later.) For now, this means that
 	# if both write to the same log file, it gets garbled. The following
diff --git a/scripts/policy/frameworks/cluster/controller/request.zeek b/scripts/policy/frameworks/cluster/controller/request.zeek
index 21fcad1117..0e7cfc86cd 100644
--- a/scripts/policy/frameworks/cluster/controller/request.zeek
+++ b/scripts/policy/frameworks/cluster/controller/request.zeek
@@ -1,4 +1,5 @@
 @load ./types
+@load ./config
 
 module ClusterController::Request;
 
@@ -8,8 +9,10 @@ export {
 		parent_id: string &optional;
 	};
 
-	# API-specific state. XXX we may be able to generalize after this
-	# has settled a bit more.
+	# API-specific state. XXX we may be able to generalize after this has
+	# settled a bit more. It would also be nice to move request-specific
+	# state out of this module -- we could for example redef Request in
+	# main.zeek as needed.
 
 	# State specific to the set_configuration request/response events
 	type SetConfigurationState: record {
@@ -44,12 +47,25 @@ export {
 	global lookup: function(reqid: string): Request;
 	global finish: function(reqid: string): bool;
 
+	global request_expired: event(req: Request);
+
 	global is_null: function(request: Request): bool;
 	global to_string: function(request: Request): string;
 }
 
-# XXX this needs a mechanism for expiring stale requests
-global g_requests: table[string] of Request;
+function requests_expire_func(reqs: table[string] of Request, reqid: string): interval
+	{
+	event ClusterController::Request::request_expired(reqs[reqid]);
+	return 0secs;
+	}
+
+# This is the global request-tracking table. The table maps from request ID
+# strings to corresponding Request records. Entries time out after the
+# ClusterController::request_timeout interval. Upon expiration, a
+# request_expired event triggers that conveys the request state.
+global g_requests: table[string] of Request
+    &create_expire=ClusterController::request_timeout
+    &expire_func=requests_expire_func;
 
 function create(reqid: string): Request
 	{