Requirement text: PE.3.136: Enforce safeguarding measures for CUI at alternate work sites.
DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2
Alternate work sites may include government facilities or the private residences of
employees. Organizations may define different security requirements for specific alternate
work sites or types of sites depending on the work-related activities conducted at those sites.
CMMC CLARIFICATION
Most organizations focus on securing their corporate network and devices. Today many
organizations have mobile staff who work from home or travel as part of their job. This
means the organization needs to define and implement safeguards to account for protection
of information beyond the enterprise perimeter. Safeguards may include physical
protections, such as locked file drawers, as well as electronic protections.
Example
In your organization many of the project managers work remotely, since they often travel to
sponsor locations or work from home. Because the projects they work on require access to
Controlled Unclassified Information (CUI), the organization must ensure the same level of
protection is afforded as when they work in the office. Each laptop is deployed with patch
management and anti-virus software. Since data may be stored on the local hard drive, you
have enabled full-disk encryption on the laptops. When a remote staff member needs access to
the internal network, you require VPN connectivity configured so that all traffic passes
through the tunnel and the laptop cannot simultaneously reach the local home or hotel network
(i.e., split tunneling is prevented). The VPN requires multifactor authentication to verify
that the user is who they claim to be.
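The following script is an added illustration, not part of the CMMC text or of any NIST publication. It shows how an administrator might verify the technical safeguards from the example on a single Windows laptop: full-disk encryption (BitLocker), a VPN profile with split tunneling disabled, anti-virus (Microsoft Defender) enabled with current signatures, and recent patching. It assumes Windows 10/11, the built-in Windows VPN client, an elevated PowerShell session, and a VPN profile named "Corp-VPN" (a placeholder). Multifactor authentication is enforced on the VPN gateway or identity provider and cannot be confirmed from the endpoint, so the script does not check it.

```powershell
# Added example (not from the CMMC document): endpoint posture check for a laptop
# used at an alternate work site to handle CUI. Assumes Windows 10/11 with BitLocker,
# the built-in Windows VPN client and Microsoft Defender; run from an elevated session.
# The VPN profile name 'Corp-VPN' and the age thresholds are assumptions, not policy.
param(
    [string]$VpnName = 'Corp-VPN',
    [int]$MaxSignatureAgeDays = 3,
    [int]$MaxPatchAgeDays = 30,
    [switch]$Remediate   # when set, turn split tunneling off instead of only reporting it
)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Full-disk encryption: the OS volume must be fully encrypted with protection turned on.
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive
if ($os.VolumeStatus -ne 'FullyEncrypted' -or $os.ProtectionStatus -ne 'On') {
    $findings.Add("FDE: $($os.MountPoint) is $($os.VolumeStatus), protection $($os.ProtectionStatus)")
}
# Data volumes may also hold CUI; flag any that are not fully encrypted.
Get-BitLockerVolume |
    Where-Object { $_.VolumeType -eq 'Data' -and $_.VolumeStatus -ne 'FullyEncrypted' } |
    ForEach-Object { $findings.Add("FDE: data volume $($_.MountPoint) is $($_.VolumeStatus)") }

# 2. VPN profile: must exist, and split tunneling must be off so that every packet is
#    forced through the tunnel while connected (the behaviour the example describes).
$vpn = Get-VpnConnection -Name $VpnName -ErrorAction SilentlyContinue
if (-not $vpn) {
    $vpn = Get-VpnConnection -Name $VpnName -AllUserConnection -ErrorAction SilentlyContinue
}
if (-not $vpn) {
    $findings.Add("VPN: profile '$VpnName' not found")
} elseif ($vpn.SplitTunneling) {
    if ($Remediate) {
        Set-VpnConnection -Name $VpnName -SplitTunneling $false `
            -AllUserConnection:$vpn.AllUserConnection
        $findings.Add("VPN: split tunneling was enabled on '$VpnName'; now disabled")
    } else {
        $findings.Add("VPN: split tunneling enabled on '$VpnName'")
    }
}

# 3. Anti-virus: Defender must be on with real-time protection and recent signatures.
$mp = Get-MpComputerStatus
if (-not $mp.AntivirusEnabled -or -not $mp.RealTimeProtectionEnabled) {
    $findings.Add('AV: Defender antivirus or real-time protection is off')
}
if ($mp.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
    $findings.Add("AV: signatures are $($mp.AntivirusSignatureAge) days old")
}

# 4. Patch management: at least one update installed within the allowed window.
$lastPatch = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1
if (-not $lastPatch -or $lastPatch.InstalledOn -lt (Get-Date).AddDays(-$MaxPatchAgeDays)) {
    $findings.Add("Patching: no update installed in the last $MaxPatchAgeDays days")
}

# 5. MFA on the VPN is enforced by the gateway/identity provider, not the endpoint,
#    so it is verified there rather than here.

if ($findings.Count -eq 0) {
    Write-Output "PASS: $env:COMPUTERNAME meets the alternate-work-site baseline"
    exit 0
}
$findings | ForEach-Object { Write-Output "FAIL: $_" }
exit 1
```

Run it as `.\Check-RemoteLaptop.ps1 -VpnName 'Corp-VPN'` to report, or add `-Remediate` to also disable split tunneling on the profile. The exit code (0 pass, 1 fail) lets an endpoint-management tool collect the result across the fleet as evidence for this practice.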
References
• NIST SP 800-171 Rev 1 3.10.6
• CERT RMM v1.2 EC:SG2.SP1
• NIST SP 800-53 Rev 4 PE-17