CMMC Practice PE.L2-3.10.6 – Alternative Work Sites: Enforce safeguarding measures for CUI at alternate work sites.
Links to Publicly Available Resources
This document provides assessment guidance for conducting Cybersecurity Maturity Model Certification (CMMC) assessments for Level 2. This NIST special publication provides information on security considerations for several types of remote access solutions. NIST resource that defines requirements for implementation and assessment of security controls at alternate work sites, for example government facilities or private residence of the employees. OPM resources that provides guides and information on security technologies used for telework. US-CERT resource that provides considerations and mitigations for implementing an effective remote work organization.
Discussion [NIST SP 800-171 R2]
Alternate work sites may include government facilities or the private residences of employees. Organizations may define different security requirements for specific alternate work sites or types of sites depending on the work-related activities conducted at those sites.
NIST SP 800-46 and NIST SP 800-114 provide guidance on enterprise and user security when teleworking.
Further Discussion
Many people work from home or travel as part of their job. Define and implement safeguards to account for protection of information beyond the enterprise perimeter. Safeguards may include physical protections, such as locked file drawers, as well as electronic protections such as encryption, audit logging, and proper access controls.