NetStable
Level 2 PE.L2-3.10.6

Enforce safeguarding measures for CUI at alternate work sites

📖 What This Means

This control requires ensuring that Controlled Unclassified Information (CUI) is protected when employees work from alternate locations, such as home offices, co-working spaces, or temporary sites. It means implementing physical security measures equivalent to those at primary work locations. For example, if employees access CUI from home, they must use secure storage solutions like locked cabinets and ensure their workspace is free from unauthorized access. Another example is when traveling; employees must use privacy screens and secure laptops to prevent shoulder surfing. The goal is to maintain the same level of physical protection for CUI, regardless of location.

🎯 Why It Matters

Failing to protect CUI at alternate work sites increases the risk of unauthorized access, theft, or exposure. For instance, in 2019, a defense contractor employee left a laptop containing sensitive data unattended in a coffee shop, leading to a data breach. Such incidents can result in significant financial penalties, loss of contracts, and reputational damage. From the DoD/CMMC perspective, safeguarding CUI at all locations is critical to maintaining national security and ensuring contractor trustworthiness. This control mitigates risks associated with remote work and ensures compliance with federal regulations.

How to Implement

  1. Use virtual desktops (e.g., AWS Workspaces, Azure Virtual Desktop) to centralize CUI access.
  2. Enforce multi-factor authentication (MFA) for remote access to cloud resources.
  3. Implement endpoint protection (e.g., Microsoft Defender, CrowdStrike) to secure devices accessing CUI.
  4. Configure VPNs with encryption for secure remote connections.
  5. Monitor remote access logs and alert on suspicious activity.

⏱️ Estimated Effort
Implementation: 2-3 days (Intermediate skill). Ongoing maintenance: 2-4 hours/month.

📋 Evidence Examples

Remote Work Policy

Format: PDF/DOCX
Frequency: Annually
Contents: Guidelines for securing CUI at alternate sites
Collection: Export from HR or IT policy repository

Encryption Configuration Screenshots

Format: PNG/JPG
Frequency: Quarterly
Contents: Proof of full disk encryption on devices
Collection: Capture screenshots from device settings

Remote Access Logs

Format: CSV/Log
Frequency: Monthly
Contents: Records of VPN or virtual desktop connections
Collection: Export from VPN or cloud provider

Training Records

Format: PDF/XLSX
Frequency: Annually
Contents: Proof of employee training on remote security
Collection: Export from LMS or HR system

Workspace Inspection Reports

Format: PDF/DOCX
Frequency: Quarterly
Contents: Results of remote workspace checks
Collection: Complete template after inspections

📝 SSP Guidance

Use this guidance when writing the System Security Plan (SSP) narrative for this control.

How to Write the SSP Narrative

For PE.L2-3.10.6 ("Enforce safeguarding measures for CUI at alternate work sites"), your SSP narrative should specifically describe: (1) the tools and technologies you use to implement this control, (2) the configuration or process that enforces it, (3) who is responsible for maintaining it, and (4) what evidence proves it's working. Describe the physical security controls protecting CUI systems, including badge access, visitor management, physical access logging, and alternate work site requirements. Be specific -- name your actual products, settings, and responsible personnel.

Example SSP Narratives

Cloud (Azure/AWS)

"PE.L2-3.10.6 is implemented using cloud-native controls. [Organization] uses [specific cloud service/feature] to enforce safeguarding measures for CUI at alternate work sites. The configuration is managed through [Azure Policy/AWS Config/Terraform] and monitored via [SIEM tool]. Responsible party: [IT Security Manager]. Evidence: [specific artifact, e.g., 'Azure AD Conditional Access policy screenshot, CloudTrail logs']."

On-Premise

"PE.L2-3.10.6 is implemented through on-premise infrastructure controls. [Organization] uses [Active Directory/Group Policy/specific tool] to enforce safeguarding measures for CUI at alternate work sites. Configuration is documented in [location] and audited [frequency]. Responsible party: [System Administrator]. Evidence: [specific artifact, e.g., 'Group Policy export, Windows Event logs']."

Hybrid

"PE.L2-3.10.6 is implemented across both cloud and on-premise environments. [Organization] uses [Azure AD Connect/hybrid tool] to ensure consistent enforcement. Cloud resources are managed via [cloud tool] and on-premise systems via [on-prem tool]. Both environments report to [centralized SIEM]. Responsible party: [IT Director]. Evidence: [artifacts from both environments]."

System Boundary Considerations

  • Identify all physical locations where CUI is processed or stored
  • Document physical access control mechanisms (badge readers, locks, cameras)
  • Specify CUI area boundaries within each facility
  • Ensure this control covers all systems within your defined CUI boundary where safeguarding measures for CUI at alternate work sites apply
  • Document any systems where this control is not applicable and explain why

Key Documentation to Reference in SSP

  • 📄 Physical Protection Policy
  • 📄 Badge access logs
  • 📄 Visitor logs
  • 📄 Alternate work site approval forms
  • 📄 Evidence artifacts specific to PE.L2-3.10.6
  • 📄 POA&M entry if control is not fully implemented

What the Assessor Looks For

The assessor will physically inspect CUI areas, test badge access controls, review visitor logs, and verify that terminated employees' badges are deactivated promptly.

💬 Self-Assessment Questions

Use these questions to assess your compliance. Each "NO" answer provides specific remediation guidance.

Question 1: Do you have a documented remote work policy?

✅ YES → Proceed to Q2
❌ NO → GAP: Draft a policy using templates from NIST SP 800-171. Timeline: 1 week.

Question 2: Are all devices used remotely encrypted?

✅ YES → Proceed to Q3
❌ NO → GAP: Enable BitLocker or VeraCrypt on all devices. Timeline: 1 week.

Question 3: Are privacy screens provided for laptops?

✅ YES → Proceed to Q4
❌ NO → GAP: Purchase and distribute privacy screens. Timeline: 2 weeks.

Question 4: Are VPNs required for remote access?

✅ YES → Proceed to Q5
❌ NO → GAP: Configure VPNs and update access policies. Timeline: 1 week.

Question 5: Are remote access logs monitored regularly?

✅ YES → Compliant
❌ NO → GAP: Set up log monitoring with tools like Splunk. Timeline: 2 weeks.

⚠️ Common Mistakes (What Auditors Flag)

1. No remote work policy

Why this happens: Overlooking the need for formal guidelines
How to avoid: Draft and enforce a comprehensive policy

2. Unencrypted devices

Why this happens: Assuming default settings are secure
How to avoid: Enable full disk encryption on all devices

3. No privacy screens

Why this happens: Underestimating visual security risks
How to avoid: Provide and mandate privacy screens

4. Missing VPN enforcement

Why this happens: Lack of technical controls
How to avoid: Configure and enforce VPN usage

5. Inadequate log monitoring

Why this happens: Limited resources or expertise
How to avoid: Use centralized monitoring tools

📚 Parent Policy

This practice is governed by the Physical Protection Policy

View PE Policy →

📚 Related Controls