PE.L2-3.10.6: Alternative Work Sites

Enforce the same security safeguards at alternate work sites (home offices, remote locations) as you do at your primary facility.

Remote work is standard now. Employees work from home, coffee shops, co-working spaces. If they’re handling CUI, the same controls apply. A laptop can’t sit open on a shared desk. A home office shared with a spouse needs controls. Define expectations and verify they’re met. This practice extends PE.L2-3.10.1 (facility access controls) to distributed locations and should tie to AC.L2-3.1.1 policies on authorized access.

Family: Physical Protection
Practice: PE.L2-3.10.6
Difficulty: Hard
Key evidence: Remote work policy, employee acknowledgments, home office assessments

What the assessor is actually evaluating

The assessor is checking: (1) Do you have a remote work policy that covers physical security? (2) Do employees understand it? (3) Can you show that it’s being followed? For small organizations, this might be informal. For larger ones, home office assessments are expected.

The key distinction: alternate work sites are places other than your facility. Home office, customer site, hotel room, anywhere an employee might handle CUI.

What a realistic SSP definition looks like

PE.L2-3.10.6 Security Safeguards at Alternate Work Sites

Employees working at alternate sites (home, customer premises, etc.) maintain the same physical security controls as at [Company] facilities:

Home Office Requirements:

  • CUI devices (laptops, monitors) are locked in place or stored securely when not in use
  • Work area is private (not visible to family, roommates, or visitors)
  • CUI is not left on desks or displayed on screens where others can see
  • Printers/output devices are controlled (locked room or cabinet)
  • Screen privacy filters are used if multiple people share the space
  • Visitors to the home office do not have unsupervised access to CUI

Customer Site Requirements:

  • CUI devices are under employee control and not left unattended
  • Work is done in private areas when possible
  • CUI is not accessed in public places (coffee shops, flights, etc.) unless business necessity requires it
  • Employees are trained to prevent inadvertent disclosure

Employees acknowledge the policy and understand expectations. [Company] may conduct periodic spot-checks of home offices for high-risk roles.

How to present your evidence

Gather these items:
  • Remote work or home office security policy
  • Employee acknowledgment forms signed by remote workers
  • Training records on remote work security expectations
  • Home office setup assessment form or checklist (if used)
  • Documentation of spot-checks or periodic verification (if conducted)
  • Photos of representative home office setups (if available)

Common failures

What gets flagged

No remote work policy. Employees work from home without any security guidance. They have laptops open on kitchen counters. Family can see screens. Create a policy, even a simple one.

Vague expectations. Policy says "secure your work area" but doesn't define what that means. Employees don't know what's expected. Be specific: laptops locked, monitors private, doors closed if shared space.

No acknowledgment. You have a policy, but employees haven't read or agreed to it. Have them sign or acknowledge it. Keep the acknowledgment in personnel files.

What makes assessors move on satisfied

You're good here. You have a remote work policy covering physical security. Employees acknowledge it when hired or when they start remote work. You've conducted spot-checks for high-risk roles. Assessors review the policy and acknowledgments, then move on.

If you use an MSP/MSSP

Tip

If your MSP manages remote worker devices, ensure the policy extends to their support. MSP staff should not leave devices unattended or unsecured. Include remote work security expectations in the MSP contract. Require verification that employees are following policies.

Assessment room tips

Keep answers short. Show the evidence, don't describe it. Let the assessor drive. For more on how to present in the assessment room, see How to Present Evidence in the Assessment Room.

Q&A: What the assessor asks

Q: "Do you have employees working from home?" A: "Yes. They're required to follow the same security controls as if they were at the office." [Pull up remote work policy]

Q: “What safeguards do they use?” A: “Laptops are locked when not in use. Work areas are private. They don’t display CUI where family or roommates can see. Monitors have privacy filters.”

Q: “How do you verify they’re following it?” A: “We have them acknowledge the policy when hired or when they start remote work. For high-risk roles, we periodically check.”

Q: “What about printing? Can they print CUI at home?” A: “If they do, it has to be in a private area, and they must shred it afterward. Better to avoid printing at home, but if necessary, the same controls apply.”

Q: “Can they work from a coffee shop?” A: “Preferably not. If they need to, they can use VPN and screen privacy. But we discourage it. CUI should be handled in controlled environments.”


This guide reflects CMMC Level 2 requirements as of March 2026. CMMC and NIST standards evolve. Verify current requirements with official CMMC materials and your assessor.
