{
  "title": "How to Build a Checklist to Secure Controlled Unclassified Information at Home Offices and Satellite Locations — NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - PE.L2-3.10.6",
  "date": "2026-04-01",
  "author": "Lakeridge Technologies",
  "featured_image": "/assets/images/blog/2026/4/how-to-build-a-checklist-to-secure-controlled-unclassified-information-at-home-offices-and-satellite-locations-nist-sp-800-171-rev2-cmmc-20-level-2-control-pel2-3106.jpg",
  "content": {
    "full_html": "<p>This post explains how to build a practical, auditable checklist to secure Controlled Unclassified Information (CUI) at home offices and satellite locations to meet NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 control PE.L2-3.10.6, with concrete implementation steps, technical specifics, and small-business scenarios.</p>\n\n<h2>What PE.L2-3.10.6 requires and key objectives</h2>\n<p>At a high level, PE.L2-3.10.6 is focused on preventing unauthorized physical access to CUI outside primary facilities — which includes home offices, remote workers, and satellite/coworking locations. The key objectives are: (1) ensure CUI is stored and processed only where approved controls exist, (2) provide defense-in-depth so physical weaknesses do not expose digital data, and (3) produce auditable evidence that controls were implemented and are monitored.</p>\n\n<h3>Implementation notes (Compliance Framework-specific)</h3>\n<p>For Compliance Framework alignment, treat each home/satellite location as a \"facility\" in your system security plan (SSP) and map controls to the requirement. Document baseline configurations, owner/responsible parties, and evidence types (photos of safes/locks, MDM/NAC logs, EDR alerts, training records). Where possible, incorporate evidence into your continuous monitoring feed so attestations are based on real telemetry rather than one-off checks.</p>\n\n<h2>Actionable checklist — physical controls and handling</h2>\n<p>Start with a physical-control checklist you can use during onboarding and audits. Items to include: locked storage (approved safe or lockable filing cabinet bolt‑anchored if in a shared space); secure printing policies (no unattended printed CUI); visible privacy practices (privacy films/screens for laptops used in public settings); cable locks for laptops; secure disposal (cross-cut shredder or secure pickup for printed CUI); and visitor restrictions in satellite offices (visitor sign-in, escorted access to CUI areas). 
For each item, note responsible person, verification method, and frequency (e.g., weekly spot-checks or quarterly audits).</p>\n\n<h2>Actionable checklist — technical controls</h2>\n<p>Technical controls should directly support physical protections: require whole-disk encryption (AES-256) on all endpoints storing or accessing CUI—BitLocker (Windows) with TPM 2.0 + secure boot, FileVault2 for macOS; enforce strong authentication with MFA for remote access and cloud portals; use enterprise VPNs with split-tunnel disabled for CUI flows or zero-trust access solutions; deploy an MDM/EDR solution to enforce device hygiene (patch levels, anti-malware, disk encryption status) and allow remote wipe. For small businesses, use vendor-managed offerings (e.g., Microsoft Intune + Defender, Jamf + endpoint protection) to reduce operational overhead and produce logs for assessments.</p>\n\n<h3>Device and network specifics</h3>\n<p>Require endpoints to have TPM-backed BitLocker encryption enabled, Secure Boot turned on, OS and agent auto-update configured, and antivirus with tamper protection. On the network side, use WPA3 for home Wi‑Fi where possible, require unique strong passwords, and recommend or enforce use of a separate SSID/VLAN for guest devices at satellite offices. If employees use personal routers, include approved configuration templates (admin password, firmware updates, disable UPnP) in the telework policy and require a periodic screenshot or MDM attestation as evidence.</p>\n\n<h2>Administrative controls, training, and contractual considerations</h2>\n<p>Administrative controls are often the weakest link but easiest to implement: add telework and satellite office language to your SSP and policies, sign addenda to subcontractor agreements requiring compliance, and maintain a CUI handling SOP that covers marking, storage, printing, transfer, and destruction. 
Train staff annually and at onboarding with scenarios focused on home-office risks (package theft, family members accessing devices, working in public spaces). Require employees to self-attest monthly that their home-office controls remain in place and capture those attestations as evidence.</p>\n\n<h2>Monitoring, evidence collection, and lifecycle management</h2>\n<p>Implement logging and evidence collection as part of the checklist: check MDM/EDR dashboards for device compliance daily, archive VPN and conditional access logs for 90 days, and record quarterly physical inspections (photos of locks/safes). Maintain an asset inventory that links device serial numbers to user, location, and CUI access level. For lifecycle: define processes for onboarding (checklist + configuration), change control (approved exceptions documented), and decommissioning (verified wipe and physical recovery or disposal of devices storing CUI).</p>\n\n<h2>Real-world small business scenarios and timelines</h2>\n<p>Example 1: A 20-person subcontractor with 5 remote workers — Week 1: inventory remote locations and devices; Week 2–4: enable BitLocker/FileVault, enroll devices in MDM, deploy VPN and MFA; Month 2: distribute safes or require locked cabinets for paper CUI and train staff; Month 3: begin weekly MDM compliance checks and quarterly physical checks. Example 2: Small team in a coworking satellite — implement access-controlled room booking, provide a lockable cabinet for CUI, require guests to be escorted, and ensure the coworking provider signs a non-disclosure and basic physical security addendum.</p>\n\n<h2>Risk of not implementing PE.L2-3.10.6 and compliance consequences</h2>\n<p>Failing to implement these controls increases risk of data leakage, loss of DoD contracts, and regulatory fines. 
A typical breach scenario: a laptop containing CUI is stolen from a home office where disk encryption was never enforced; this can lead to compromise of prime-contractor data, mandatory breach notification, reputational damage, a lost contract, and deficiencies added to your CMMC assessment. From a compliance perspective, lack of documented controls, evidence, or continuous monitoring will cause deficiencies under CMMC Level 2 and prevent certification.</p>\n\n<h2>Compliance tips and best practices</h2>\n<p>Keep evidence simple and automated where possible: screenshots of MDM compliance reports, VPN logs, photos of physical controls, signed policies stored in your compliance system. Use a POA&M to track exceptions and remediation dates. Prefer managed services with FedRAMP or DoD SRG-aligned offerings for cloud storage of CUI. Conduct at least one tabletop exercise per year that simulates loss of a CUI-bearing device in a home or satellite office and validate incident response and notification steps.</p>\n\n<p>Summary: Treat each remote location as a mini-facility — document, apply layered physical and technical controls, automate evidence collection, train staff, and monitor continuously. Using the checklists and timelines above, a small business can create auditable controls that satisfy NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 PE.L2-3.10.6 and materially reduce the risk of CUI exposure at home offices and satellite locations.</p>",
    "plain_text": "This post explains how to build a practical, auditable checklist to secure Controlled Unclassified Information (CUI) at home offices and satellite locations to meet NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 control PE.L2-3.10.6, with concrete implementation steps, technical specifics, and small-business scenarios.\n\nWhat PE.L2-3.10.6 requires and key objectives\nAt a high level, PE.L2-3.10.6 is focused on preventing unauthorized physical access to CUI outside primary facilities — which includes home offices, remote workers, and satellite/coworking locations. The key objectives are: (1) ensure CUI is stored and processed only where approved controls exist, (2) provide defense-in-depth so physical weaknesses do not expose digital data, and (3) produce auditable evidence that controls were implemented and are monitored.\n\nImplementation notes (Compliance Framework-specific)\nFor Compliance Framework alignment, treat each home/satellite location as a \"facility\" in your system security plan (SSP) and map controls to the requirement. Document baseline configurations, owner/responsible parties, and evidence types (photos of safes/locks, MDM/NAC logs, EDR alerts, training records). Where possible, incorporate evidence into your continuous monitoring feed so attestations are based on real telemetry rather than one-off checks.\n\nActionable checklist — physical controls and handling\nStart with a physical-control checklist you can use during onboarding and audits. Items to include: locked storage (approved safe or lockable filing cabinet bolt‑anchored if in a shared space); secure printing policies (no unattended printed CUI); visible privacy practices (privacy films/screens for laptops used in public settings); cable locks for laptops; secure disposal (cross-cut shredder or secure pickup for printed CUI); and visitor restrictions in satellite offices (visitor sign-in, escorted access to CUI areas). 
For each item, note responsible person, verification method, and frequency (e.g., weekly spot-checks or quarterly audits).\n\nActionable checklist — technical controls\nTechnical controls should directly support physical protections: require whole-disk encryption (AES-256) on all endpoints storing or accessing CUI—BitLocker (Windows) with TPM 2.0 + secure boot, FileVault2 for macOS; enforce strong authentication with MFA for remote access and cloud portals; use enterprise VPNs with split-tunnel disabled for CUI flows or zero-trust access solutions; deploy an MDM/EDR solution to enforce device hygiene (patch levels, anti-malware, disk encryption status) and allow remote wipe. For small businesses, use vendor-managed offerings (e.g., Microsoft Intune + Defender, Jamf + endpoint protection) to reduce operational overhead and produce logs for assessments.\n\nDevice and network specifics\nRequire endpoints to have TPM-backed BitLocker encryption enabled, Secure Boot turned on, OS and agent auto-update configured, and antivirus with tamper protection. On the network side, use WPA3 for home Wi‑Fi where possible, require unique strong passwords, and recommend or enforce use of a separate SSID/VLAN for guest devices at satellite offices. If employees use personal routers, include approved configuration templates (admin password, firmware updates, disable UPnP) in the telework policy and require a periodic screenshot or MDM attestation as evidence.\n\nAdministrative controls, training, and contractual considerations\nAdministrative controls are often the weakest link but easiest to implement: add telework and satellite office language to your SSP and policies, sign addenda to subcontractor agreements requiring compliance, and maintain a CUI handling SOP that covers marking, storage, printing, transfer, and destruction. 
Train staff annually and at onboarding with scenarios focused on home-office risks (package theft, family members accessing devices, working in public spaces). Require employees to self-attest monthly that their home-office controls remain in place and capture those attestations as evidence.\n\nMonitoring, evidence collection, and lifecycle management\nImplement logging and evidence collection as part of the checklist: check MDM/EDR dashboards for device compliance daily, archive VPN and conditional access logs for 90 days, and record quarterly physical inspections (photos of locks/safes). Maintain an asset inventory that links device serial numbers to user, location, and CUI access level. For lifecycle: define processes for onboarding (checklist + configuration), change control (approved exceptions documented), and decommissioning (verified wipe and physical recovery or disposal of devices storing CUI).\n\nReal-world small business scenarios and timelines\nExample 1: A 20-person subcontractor with 5 remote workers — Week 1: inventory remote locations and devices; Week 2–4: enable BitLocker/FileVault, enroll devices in MDM, deploy VPN and MFA; Month 2: distribute safes or require locked cabinets for paper CUI and train staff; Month 3: begin weekly MDM compliance checks and quarterly physical checks. Example 2: Small team in a coworking satellite — implement access-controlled room booking, provide a lockable cabinet for CUI, require guests to be escorted, and ensure the coworking provider signs a non-disclosure and basic physical security addendum.\n\nRisk of not implementing PE.L2-3.10.6 and compliance consequences\nFailing to implement these controls increases risk of data leakage, loss of DoD contracts, and regulatory fines. 
A typical breach scenario: a laptop containing CUI is stolen from a home office where disk encryption was never enforced; this can lead to compromise of prime-contractor data, mandatory breach notification, reputational damage, a lost contract, and deficiencies added to your CMMC assessment. From a compliance perspective, lack of documented controls, evidence, or continuous monitoring will cause deficiencies under CMMC Level 2 and prevent certification.\n\nCompliance tips and best practices\nKeep evidence simple and automated where possible: screenshots of MDM compliance reports, VPN logs, photos of physical controls, signed policies stored in your compliance system. Use a POA&M to track exceptions and remediation dates. Prefer managed services with FedRAMP or DoD SRG-aligned offerings for cloud storage of CUI. Conduct at least one tabletop exercise per year that simulates loss of a CUI-bearing device in a home or satellite office and validate incident response and notification steps.\n\nSummary: Treat each remote location as a mini-facility — document, apply layered physical and technical controls, automate evidence collection, train staff, and monitor continuously. Using the checklists and timelines above, a small business can create auditable controls that satisfy NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 PE.L2-3.10.6 and materially reduce the risk of CUI exposure at home offices and satellite locations."
  },
  "metadata": {
    "description": "Step-by-step checklist and practical guidance to secure Controlled Unclassified Information (CUI) at home offices and satellite locations in alignment with NIST SP 800-171 Rev.2 and CMMC 2.0 Level 2 PE.L2-3.10.6.",
    "permalink": "/how-to-build-a-checklist-to-secure-controlled-unclassified-information-at-home-offices-and-satellite-locations-nist-sp-800-171-rev2-cmmc-20-level-2-control-pel2-3106.json",
    "categories": [],
    "tags": []
  }
}