NIST 800-53 REV 5 • PHYSICAL AND ENVIRONMENTAL PROTECTION
PE-17 — Alternate Work Site
Determine and document the {{ insert: param, pe-17_odp.01 }} allowed for use by employees; Employ the following controls at alternate work sites: {{ insert: param, pe-17_odp.02 }}; Assess the effectiveness of controls at alternate work sites; and Provide a means for employees to communicate with information security and privacy personnel in case of incidents.
Supplemental Guidance
Alternate work sites include government facilities or the private residences of employees. While distinct from alternative processing sites, alternate work sites can provide readily available alternate locations during contingency operations. Organizations can define different sets of controls for specific alternate work sites or types of sites depending on the work-related activities conducted at the sites. Implementing and assessing the effectiveness of organization-defined controls and providing a means to communicate incidents at alternate work sites supports the contingency planning activities of organizations.
Practitioner Notes
If employees work from alternate locations — home offices, satellite offices, or temporary work sites — those locations need appropriate security controls too. Your data does not stop being sensitive just because it left your building.
Example 1: Create a telework security agreement that employees sign before working remotely. Include requirements for: locking the workstation when unattended, using VPN for all connections, encrypting the hard drive (BitLocker), securing printed documents, and reporting any security incidents immediately.
Example 2: Provide remote workers with company-managed equipment (laptops, monitors) pre-configured with security controls. Require home office setups in a private space where screens are not visible to others. Use Microsoft Intune or similar MDM to ensure remote devices remain compliant with security policies.