How to Build a CUI Remote-Work Security Checklist for Alternate Work Sites — NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - PE.L2-3.10.6

Practical step-by-step checklist to secure Controlled Unclassified Information (CUI) at alternate remote work sites to meet NIST SP 800-171 Rev.2 and CMMC 2.0 Level 2 PE.L2-3.10.6 requirements.

March 27, 2026
5 min read


This post shows how small businesses can create a practical, auditable remote-work security checklist for alternate work sites to protect Controlled Unclassified Information (CUI) and satisfy NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 control PE.L2-3.10.6; it focuses on concrete implementation steps, technical settings, policies, and evidence you can use in an assessment.

Why alternate work-site controls matter (and what the control expects)

Alternate work sites — home offices, hotels, coworking spaces, client sites, or temporary facilities — expand your attack surface. The intent behind PE.L2-3.10.6 is to ensure that physical and environmental controls extend to those places where personnel process or access CUI: you must be able to identify authorized locations, apply protective measures, monitor use, and maintain chain-of-custody and accountability. For a small business this means turning policy into lightweight, repeatable technical and operational controls that are easy for staff to follow and simple for assessors to verify.

Key implementation steps (high-level checklist)

Start by documenting the policy and the scope: list approved alternate work sites, define what CUI workflows are permitted off-site, and require approval for any exceptions. Then operationalize the policy with the following practical checklist steps that become part of onboarding and change-control processes:

1) require company-managed device use,
2) enforce endpoint configuration baselines (patching, EDR, disk encryption),
3) mandate corporate VPN or ZTNA with MFA,
4) require MDM/EMM with remote-wipe capability,
5) specify acceptable Wi‑Fi and router configurations, and
6) require physical protections (locked storage, privacy screens) and minimum behavioral rules (no printing in public areas, no leaving devices unattended).

Technical controls — specific settings and tools

Translate requirements into measurable technical controls. Examples:

- provision managed laptops with a configuration profile that enforces full-disk encryption (BitLocker with TPM+PIN on Windows, FileVault on macOS), system integrity checks, and EDR with tamper protection;
- require VPN or ZTNA using approved protocols (IPsec/IKEv2, OpenVPN with TLS 1.2+, or WireGuard) with AES-256 or other FIPS-approved ciphers if your contract requires FIPS-validated cryptography;
- enforce MFA for all remote access (authenticator app or hardware token);
- disable split-tunneling unless explicitly justified and logged;
- maintain an asset inventory with serial numbers and user assignments in your SSP and asset register.

Operational controls & documentation for small businesses

Operationalize the checklist so it's easy for staff and assessors to confirm compliance: create a short one-page "Alternate Work Site Authorization" form (site type, dates, manager approval), require employees to attest to rules annually, include alternate-site details in your System Security Plan (SSP), and capture evidence in a central repository (MDM logs, VPN connection logs, approval forms, training completion records). Implement periodic spot-checks — for example, a quarterly review of devices assigned to remote workers and a sampling of VPN sessions to verify location approvals.

Real-world scenarios and mitigation examples

Example 1 — Home office: An engineer works from home processing CUI. Steps: issue a company-managed laptop with MDM, enforce BitLocker + TPM+PIN, EDR agent, corporate VPN with MFA, and require documentation of a locked storage location for any printed material; verify home Wi‑Fi uses WPA2/WPA3, firmware is patched, and the router admin password has been changed.

Example 2 — Coffee shop or airport: prohibit working on sensitive spreadsheets in public; if unavoidable, require tethering to a company mobile hotspot or use of ZTNA and ensure screen privacy filters are installed.

Example 3 — Coworking space: require prior approval of the location, use of privacy signage, locked storage for devices during breaks, and signage or agreements that no visitors have unsupervised access to the workspace.

What evidence to collect for CMMC/NIST assessment

Assessors want to see both policy and practice. Provide:

- approved alternate-site list and authorization forms,
- SSP excerpts describing alternate-site control mappings,
- device inventory with encryption and MDM status,
- VPN and ZTNA configuration screenshots showing MFA enforcement and split-tunnel controls,
- MDM records proving remote-wipe capability,
- training completion logs and signed user attestations,
- sample spot-check results, and
- a short POA&M for any gaps with remediation timelines.

Keep logs for a defined retention period aligned to your organizational policy (e.g., 1 year) to demonstrate monitoring.
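The quarterly spot check described above (sampling VPN sessions against the approved-site list and the asset register) can be scripted so the result doubles as assessment evidence. The following is an added example, not code from the original post or from any MDM or VPN product; the log format, the asset-register fields and all sample values are constructed, and the approved egress ranges are assumed to be recorded on the authorization forms.

```python
"""Alternate-work-site spot check over constructed VPN log lines."""
import ipaddress

# Constructed evidence: egress ranges taken from authorization forms (assumed),
# MDM asset register entries, and VPN concentrator log lines in a made-up format.
APPROVED_SITES = {
    "jdoe": {"home-office": "203.0.113.0/24"},
    "asmith": {"coworking-downtown": "198.51.100.0/24"},
}
ASSET_REGISTER = {
    "LT-0001": {"user": "jdoe", "mdm": True, "disk_encrypted": True, "edr": True},
    "LT-0002": {"user": "asmith", "mdm": True, "disk_encrypted": False, "edr": True},
}
VPN_LOG = """\
2026-03-02T08:11:05Z user=jdoe device=LT-0001 src=203.0.113.45 split_tunnel=off
2026-03-02T09:20:41Z user=asmith device=LT-0002 src=198.51.100.7 split_tunnel=on
2026-03-03T13:02:10Z user=jdoe device=LT-0001 src=192.0.2.99 split_tunnel=off
2026-03-03T13:05:55Z user=jdoe device=LT-9999 src=203.0.113.45 split_tunnel=off
"""

def parse_line(line):
    """Turn 'ts key=value ...' into a dict; the timestamp is kept under 'ts'."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = ts
    return rec

def check_session(rec):
    """Return the list of checklist deviations for one VPN session."""
    findings = []
    user, device = rec["user"], rec["device"]
    asset = ASSET_REGISTER.get(device)
    if asset is None:
        findings.append("device not in asset register (unmanaged)")
    else:
        if asset["user"] != user:
            findings.append("device assigned to a different user")
        for field, msg in (("mdm", "not enrolled in MDM"), ("disk_encrypted", "disk encryption not confirmed"), ("edr", "EDR agent missing")):
            if not asset[field]:
                findings.append(msg)
    if rec.get("split_tunnel") == "on":
        findings.append("split tunnelling enabled without recorded justification")
    src = ipaddress.ip_address(rec["src"])
    if not any(src in ipaddress.ip_network(n) for n in APPROVED_SITES.get(user, {}).values()):
        findings.append("source address outside every approved alternate site")
    return findings

def spot_check(log=VPN_LOG):
    """Map each session timestamp to its findings; empty list means compliant."""
    return {r["ts"]: check_session(r) for r in map(parse_line, log.splitlines())}
```

Sessions with an empty findings list are the ones you can cite as passing; the rest feed the POA&M.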

Risks and consequences of not implementing the requirement

Failing to control alternate work sites increases the risk of CUI exposure through shoulder-surfing, insecure Wi‑Fi interception, stolen or lost devices, and unauthorized access to printed or cached files. For small businesses that handle government contracts this can mean lost contracts, failed CMMC assessment, mandatory incident reporting, financial penalties, reputational damage, and long remediation timelines. Practically speaking, a single unmanaged laptop stolen from a hotel can trigger a reportable incident and contractual noncompliance.

Compliance tips and best practices

Keep the checklist lean and enforceable: automate what you can (MDM profiles, mandatory EDR, VPN configuration push), document approvals, and integrate training into regular staff meetings. Use templates for evidence collection (screenshots, logs, signed forms) so building an assessor package is low-effort. Prioritize controls: start with company-managed devices and disk encryption, then add network hardening and remote-wipe capabilities. Use risk acceptance sparingly and record it in your SSP with a compensating control if a strict technical control is infeasible.

Summary

Building a CUI remote-work security checklist for alternate work sites under NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 PE.L2-3.10.6 is a mix of policy, simple operational procedures, and measurable technical controls: define authorized sites, mandate managed and encrypted devices, enforce VPN/ZTNA with MFA, use MDM for remote-wipe, harden home networks, collect approval and training evidence, and perform periodic checks. For small businesses this approach reduces implementation overhead while producing clear, auditable artifacts that demonstrate compliance and substantially lower the risk of CUI exposure.
