GRCWatch
Sign inStart free trial

PE.L2-3.10.6: Safeguarding CUI at Alternate Work Sites

Controlled Unclassified Information (CUI) doesn't stop being sensitive when employees work remotely. PE.L2-3.10.6 requires you to establish and enforce the same security safeguards for CUI at alternate work sites—home offices, client locations, or temporary facilities—as you maintain in your primary facility.

What this means

This control mandates that organizations extend their data protection requirements beyond the office perimeter. When authorized personnel access, process, or store CUI at alternate locations, you must implement equivalent security measures including secure access controls, physical security, encryption, monitoring, and clean-desk policies. The goal is to eliminate security gaps that remote work creates, ensuring that CUI remains protected regardless of where work occurs.

How to comply

  1. 1.Define which work locations qualify as alternate work sites and which CUI can be accessed from each location
  2. 2.Extend your access control policies to remote and alternate environments with multi-factor authentication and VPN requirements
  3. 3.Require encryption for all CUI in transit and at rest on mobile devices and home networks
  4. 4.Establish clean-desk and device-handling policies for remote workers to prevent unauthorized physical access
  5. 5.Deploy endpoint monitoring and mobile device management (MDM) tools to track CUI access from alternate locations
  6. 6.Conduct background checks and security awareness training specific to remote work risks before authorizing alternate-site access
  7. 7.Document and audit all alternate work sites where CUI is accessible, including approval and compliance validation
  8. 8.Implement physical security requirements such as secure workspaces, locked storage, and visitor controls at alternate sites

Evidence auditors look for

  • Remote access policy explicitly authorizing specific alternate work sites and CUI classification levels
  • VPN configuration logs showing encrypted connections for all remote CUI access
  • Endpoint protection reports confirming MDM and antivirus deployment on remote devices
  • User acknowledgment forms for clean-desk and secure handling procedures at alternate locations
  • Access control audit trails documenting which employees accessed CUI from which alternate sites and when
  • Physical security assessments or employee attestations confirming secure workspaces (locked doors, cable locks, privacy screens)
  • Encryption verification reports for mobile devices and cloud storage used at alternate work sites
  • Training completion records for remote work security and CUI handling specific to your organization

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch tracks CUI access from alternate work sites in real-time, automatically logs remote device compliance status, and flags unauthorized access attempts—eliminating manual audits and reducing the risk of undetected remote-work breaches.

See how GRCWatch handles this control automatically

Start free trial

Related controls

PE.L2-3.10.1 Physical EntryPE.L2-3.10.2 Facility Security PlanAC.L2-3.1.1 AuthorizationAC.L2-3.1.2 Access EnforcementSC.L2-3.13.1 Transmission ConfidentialitySC.L2-3.13.2 Transmission IntegritySI.L2-3.14.1 Flaw RemediationSI.L2-3.14.2 Malicious Code Protection