PE.L2-3.10.6

PE.L2-3.10.6: Alternative Work Sites

Enforce the same security safeguards at alternate work sites (home offices, remote locations) as you do at your primary facility.

Remote work is standard now. Employees work from home, coffee shops, co-working spaces. If they’re handling CUI, the same controls apply. A laptop can’t sit open on a shared desk. A home office shared with a spouse needs controls. Define expectations and verify they’re met. This practice extends PE.L2-3.10.1 (facility access controls) to distributed locations and should tie to AC.L2-3.1.1 policies on authorized access.

Family: Physical Protection
Practice: PE.L2-3.10.6
Difficulty: Hard
Key evidence: Remote work policy, employee acknowledgments, home office assessments

What the assessor is actually evaluating

The assessor is checking: (1) Do you have a remote work policy that covers physical security? (2) Do employees understand it? (3) Can you show that it's being followed? These line up with the two NIST SP 800-171A assessment objectives for 3.10.6: safeguarding measures for CUI at alternate work sites are defined, and those measures are enforced. For small organizations, verification might be informal (a short checklist, a conversation with each remote worker), but it still has to produce something you can show. For larger ones, home office assessments are expected.

The key distinction: alternate work sites are places other than your facility. Home office, customer site, hotel room, anywhere an employee might handle CUI.

What a realistic SSP definition looks like

PE.L2-3.10.6 Security Safeguards at Alternate Work Sites

Employees working at alternate sites (home, customer premises, etc.) maintain the same physical security controls as at [Company] facilities:

Home Office Requirements:

  • CUI devices (laptops, monitors) are locked in place or stored securely when not in use
  • Work area is private (not visible to family, roommates, or visitors)
  • CUI is not left on desks or displayed on screens where others can see
  • Printers/output devices are controlled (locked room or cabinet)
  • Screen privacy filters are used if multiple people share the space
  • Visitors to the home office do not have unsupervised access to CUI

Customer Site Requirements:

  • CUI devices are under employee control and not left unattended
  • Work is done in private areas when possible
  • CUI is not accessed in public places (coffee shops, flights, etc.) unless business necessity requires it
  • Employees are trained to prevent inadvertent disclosure

Employees acknowledge the policy and understand expectations. [Company] may conduct periodic spot-checks of home offices for high-risk roles.

How to present your evidence

Gather these items:
  • Remote work or home office security policy
  • Employee acknowledgment forms signed by remote workers
  • Training records on remote work security expectations
  • Home office setup assessment form or checklist (if used)
  • Documentation of spot-checks or periodic verification (if conducted)
  • Photos of representative home office setups (if available)

Assessment room tips

Keep answers short. Show the evidence, don't describe it. Let the assessor drive. For more on how to present in the assessment room, see How to Present Evidence in the Assessment Room.

Q: "Do you have employees working from home?" A: "Yes. They're required to follow the same security controls as if they were at the office." [Pull up remote work policy]

Q: "What safeguards do they use?" A: "Laptops are locked when not in use. Work areas are private. They don't display CUI where family or roommates can see. Monitors have privacy filters."

Q: "How do you verify they're following it?" A: "We have them acknowledge the policy when hired or when they start remote work. For high-risk roles, we periodically check."

Q: "What about printing? Can they print CUI at home?" A: "If they do, it has to be in a private area, and they must shred it afterward. Better to avoid printing at home, but if necessary, the same controls apply."

Q: "Can they work from a coffee shop?" A: "Preferably not. If they need to, they connect over VPN, use a privacy filter, and sit where nobody can see the screen. The VPN only protects the connection; the filter and seating are what stop shoulder-surfing. We discourage it. CUI should be handled in controlled environments."

Common failures

No remote work policy. Employees work from home without any security guidance. They have laptops open on kitchen counters. Family can see screens. Create a policy, even a simple one.

Vague expectations. Policy says "secure your work area" but doesn't define what that means. Employees don't know what's expected. Be specific: laptops locked, monitors private, doors closed if shared space.

No acknowledgment. You have a policy, but employees haven't read or agreed to it. Have them sign or acknowledge it. Keep the acknowledgment in personnel files.

You're good here. You have a remote work policy covering physical security. Employees acknowledge it when hired or when they start remote work. You've conducted spot-checks for high-risk roles. Assessors review the policy and acknowledgments, then move on.
What to include in a remote work policy

Home Office:

  • Laptop must be locked or stored when not in use
  • Monitors should not be visible to others (family, roommates, visitors)
  • Doors should be closed if work area is in a shared space
  • Printers must be in private areas; output must be shredded
  • CUI should not be printed at home if possible
  • Screen privacy filters are recommended for shared spaces
  • Visitors should not be present during CUI work

Mobile/Customer Sites:

  • Laptops should never be left unattended
  • CUI should not be accessed in public areas unless necessary
  • Privacy screens should be used on mobile devices
  • Work should be done in private conference rooms or offices
  • Information should not be discussed in public

Acknowledgment:

  • Employee signs or dates a form confirming they understand and will follow the policy

Practical home office checks

If you do spot-checks or assessments:

  • Is the work area private?
  • Are monitors positioned so they can't be seen from doorways, windows, or shared areas?
  • Are devices locked when not in use?
  • How is printed CUI handled?
  • Are family/roommates aware of security expectations?

You don’t need to visit every employee’s home, but asking questions or having a simple home office assessment form works.

If you use an MSP/MSSP

If your MSP manages remote worker devices, the policy has to cover their handling too: replacement laptops shipped to employees, devices returned for repair, and remote support sessions where MSP staff can see what's on screen. MSP staff should not leave devices unattended or unsecured. Put remote work security expectations in the MSP contract, and decide who verifies that employees are following the policy (you, the MSP, or both) so the evidence exists when the assessor asks for it.

This guide reflects CMMC Level 2 requirements as of March 2026. CMMC and NIST standards evolve. Verify current requirements with official CMMC materials and your assessor.