3.10.6 — Home Office Security

The One-Liner

If employees work from home with CUI access, their home office needs security controls too.

What It Says

Enforce safeguarding measures for CUI at alternate work sites.

What It Actually Means

Two things: safeguards are defined (documented requirements for alternate work sites) and safeguards are enforced (technical controls and employee attestation). Requirements typically include: encrypted Wi-Fi (WPA2/3), locked storage for printed CUI, privacy screen or private workspace, device encryption (BitLocker), VPN required for CUI access, no CUI on personal devices. Employees acknowledge requirements in writing. Technical controls (VPN, device compliance, encryption) are enforced regardless of location.

---

Pass or Fail

Your assessor needs a “yes” to every row:

#	Question	What “yes” looks like
1	Are safeguarding measures defined for alternate work sites?	Documented remote work security requirements
2	Are safeguarding measures enforced?	Technical controls (VPN, compliance policies, encryption) enforced; employee acknowledgment on file

---

What to Have Ready on Assessment Day

Documents they’ll review: Physical and environmental protection policy; alternate work site security requirements; employee acknowledgment forms; Intune compliance policies for remote devices; system security plan

People they’ll talk to: Personnel with physical access responsibilities; information security personnel

Live demos they’ll ask for: “Show me your alternate work site security requirements.” “How are requirements enforced technically — Intune compliance, VPN?” “Show me an employee acknowledgment form.”

---

The Assessor’s Playbook

These are the actual questions. Have answers ready.

• “Show me your alternate work site security requirements.”
• “How do you enforce these requirements technically?”
• “Do employees acknowledge the requirements? Show me.”
• “How do you handle printed CUI at home offices?”

Real-World Example

A defense contractor’s remote work policy requires: company-managed device only (no personal devices), BitLocker enabled, VPN for all CUI access, WPA2/3 Wi-Fi, privacy screen or private room, no printing CUI at home (or secure shredding if printed). Intune compliance policies enforce device encryption and OS patch level regardless of location. Conditional Access requires VPN and compliant device for CUI access. Employees sign a remote work acknowledgment annually. The assessor reviews the policy, the Intune compliance rules, and a sample acknowledgment.

---

Where Companies Trip Up

No remote work policy. Employees work from home with CUI and no defined standards. Write the policy.

No enforcement. Policy exists but Intune compliance doesn’t enforce it. Technical controls must back up the policy.

Printed CUI at home. No secure storage or shredding capability. Either prohibit printing CUI at home or provide shredding requirements.

---

How to Talk About This

To a CEO or Board

Remote workers follow defined security standards — encrypted Wi-Fi, company-managed devices, VPN required, privacy controls. Requirements are technically enforced and annually acknowledged.

To an Engineering Team

Remote work policy: company device only, BitLocker, VPN, WPA2/3, privacy screen. Intune compliance enforced. Conditional Access: compliant device + VPN for CUI. No CUI printing at home. Annual employee acknowledgment.

---

Connected Requirements

Requirement	Why it matters here
3.10.1 — Lock the Doors	Physical access controls at the primary site; this covers alternate sites
3.13.8 — Encrypt in Transit	VPN encryption for remote CUI access

---

Implementation (coming soon)

Step-by-step setup for Microsoft 365 / Entra ID, AWS, Azure, and GCP — console steps, CLI commands, and evidence screenshots.

---

CMMC Practice ID: PE.L2-3.10.6 | SPRS Weight: 1 point | POA&M Eligible: Yes