NIST 800-171 • LEVEL 2 • PHYSICAL PROTECTION

3.10.6 Alternate Work Site

Determine alternate work sites allowed for use by employees. Employ the following security requirements at alternate work sites: [Assignment: organization-defined security requirements (A.03.10.06.ODP.01)].

Assessment Objectives

  • alternate work sites allowed for use by employees are determined.
  • the following security requirements are employed at alternate work sites: [Assignment: organization-defined security requirements (A.03.10.06.ODP.01)].

Practitioner Notes

If your employees work from home or other locations outside your main office, those alternate work sites need security controls too. CUI does not stop being sensitive just because someone is working from their kitchen table.

Example 1: Create a telework or remote work policy that defines minimum security requirements for home offices: the work area must be in a private space (not a coffee shop), the laptop must have BitLocker enabled, the home Wi-Fi must use WPA3 or WPA2 with a strong passphrase, and the employee must connect to company resources only through the VPN. Have employees sign an acknowledgment form agreeing to these requirements.

Example 2: Use Microsoft Intune compliance policies to enforce security requirements on devices used at alternate work sites. Create a compliance policy that checks for BitLocker encryption, up-to-date antivirus definitions, OS patch level, and an active firewall. Pair it with a Conditional Access policy that requires a compliant device, so that devices Intune marks as "not compliant" cannot access CUI in SharePoint, Teams, or other M365 services until they meet the baseline.
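
A local spot-check of the four settings Example 2 names, useful for verifying a home-office laptop before or alongside Intune enrollment. This is an added example, not part of the original page or of Microsoft's tooling. It assumes Microsoft Defender is the antivirus product and an elevated PowerShell session; the function name and both age thresholds are chosen here for illustration.

```powershell
# Added example: local check of the alternate-work-site device baseline.
# Run in an elevated PowerShell session on the laptop being checked.
# Both thresholds are assumptions, not values from NIST 800-171 or Intune.
$MaxSignatureAgeDays = 3    # assumed limit for antivirus definition age
$MaxPatchAgeDays     = 35   # assumed limit since the last installed update

function Test-AlternateSiteBaseline {   # hypothetical helper name
    $results = [ordered]@{}

    # BitLocker: the OS volume must report protection On.
    try {
        $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
        $results['BitLocker'] = ($vol.ProtectionStatus -eq 'On')
    } catch { $results['BitLocker'] = $false }   # cmdlet missing or not elevated

    # Antivirus definitions: Defender enabled and signatures recent enough.
    try {
        $mp = Get-MpComputerStatus -ErrorAction Stop
        $results['AntivirusDefinitions'] =
            ($mp.AntivirusEnabled -and $mp.AntivirusSignatureAge -le $MaxSignatureAgeDays)
    } catch { $results['AntivirusDefinitions'] = $false }

    # OS patch level: date of the most recently installed update.
    $latest = Get-HotFix | Where-Object InstalledOn |
        Sort-Object InstalledOn | Select-Object -Last 1
    $results['OsPatchLevel'] =
        [bool]($latest -and ((Get-Date) - $latest.InstalledOn).Days -le $MaxPatchAgeDays)

    # Firewall: every profile (Domain, Private, Public) must be enabled.
    try {
        $off = @(Get-NetFirewallProfile -ErrorAction Stop |
            Where-Object { $_.Enabled -ne 'True' })
        $results['Firewall'] = ($off.Count -eq 0)
    } catch { $results['Firewall'] = $false }

    [pscustomobject]$results
}

$report = Test-AlternateSiteBaseline
$report | Format-List

# Any failed check makes the device non-compliant with the baseline.
$failed = @($report.PSObject.Properties | Where-Object { -not $_.Value })
if ($failed) {
    Write-Warning ("Not compliant: " + ($failed.Name -join ', '))
    exit 1
}
```

A check that cannot run (missing cmdlet, no elevation) is reported as failed rather than skipped, so an incomplete check never reads as a pass.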