How to Meet NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - PE.L2-3.10.6

Practical guide for SMBs to implement NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - PE.L2-3.10.6

January 06, 2026

Requirement

NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - PE.L2-3.10.6 – Enforce safeguarding measures for “Controlled Unclassified Information” (CUI) at alternate work sites.

Understanding the Requirement

This control requires that an organization define and enforce protections for CUI whenever work occurs outside the main facility—such as at employee homes, government locations, or client sites—and ensure those protections are effective. Under the NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 framework, the two clear objectives are to (1) establish safeguarding measures for alternate worksites and (2) make sure those measures are actually enforced so CUI remains protected when it leaves your physical office.

Technical Implementation

  • Issue and enforce company-managed, encrypted devices. Require that employees handling CUI use only company-provisioned laptops or tablets with full-disk encryption (e.g., BitLocker for Windows, FileVault for macOS). Configure disk encryption via a device management solution so keys and recovery options are centrally controlled.
  • Deploy endpoint management & patching. Use an MDM/endpoint management tool (Microsoft Intune, Jamf, or a lightweight RMM) to push security baselines, enforce local firewall policies, deploy software updates, and install approved security agents. Ensure devices check in regularly and apply critical patches automatically.
  • Require secure network access (VPN or ZTNA) and MFA. Mandate VPN or a zero trust network access gateway for any access to internal systems containing CUI. Combine with multi-factor authentication for all accounts that access CUI resources to reduce credential risk on home or public networks.
  • Control data egress and printing. Restrict printing of CUI at alternate sites by disabling local print drivers on managed devices or using policy to allow printing only to company-managed, audited printers. Block or control removable media and cloud-sync services for devices that handle CUI.
  • Monitoring and remote response capability. Ensure logging is enabled and that devices send telemetry when connected to VPN. Maintain the ability to remotely lock or wipe lost/stolen devices and to run basic endpoint investigations (antivirus scans, process review) when devices connect to your network.
  • Policy, training, and physical controls. Publish a clear remote-work policy for CUI handling: approved devices, workspace privacy, secure storage, and incident reporting. Train employees annually and require acknowledgment. For particularly sensitive CUI, require dedicated workspaces (e.g., lockable file cabinets) or prohibit remote handling entirely.
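
One way to check that the measures listed above are actually enforced on each device, as an added example that is not part of the original guide. It audits a constructed device-inventory export; the column names are hypothetical (not a real MDM schema) and the 7-day check-in threshold is an assumption.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export; column names are hypothetical, not a real MDM schema.
SAMPLE_EXPORT = """device,user,managed,disk_encrypted,last_checkin,mfa_enrolled,local_printing,removable_media
LT-001,alice,yes,yes,2026-01-05T09:12:00,yes,blocked,blocked
LT-002,bob,yes,no,2026-01-04T17:40:00,yes,blocked,blocked
LT-003,carol,yes,yes,2025-12-10T08:00:00,yes,allowed,blocked
BYOD-7,dave,no,yes,2026-01-05T11:00:00,no,allowed,allowed
"""

MAX_CHECKIN_AGE = timedelta(days=7)  # assumed threshold; the guide only says "regularly"

# (column, required value, finding text) for each safeguarding measure in the list above
RULES = [
    ("managed", "yes", "not a company-managed device"),
    ("disk_encrypted", "yes", "full-disk encryption not enabled"),
    ("mfa_enrolled", "yes", "user not enrolled in MFA"),
    ("local_printing", "blocked", "local printing not restricted"),
    ("removable_media", "blocked", "removable media not blocked"),
]

def audit_devices(export_text, now):
    """Return {device: [findings]} for every device that fails a measure."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        problems = [msg for col, want, msg in RULES
                    if (row.get(col) or "").strip().lower() != want]
        try:
            age = now - datetime.fromisoformat(row["last_checkin"].strip())
            if age > MAX_CHECKIN_AGE:
                problems.append(f"no check-in for {age.days} days")
        except (KeyError, ValueError, AttributeError):
            # A missing or unparseable timestamp is treated as a failure, not a pass.
            problems.append("last check-in missing or unparseable")
        if problems:
            findings[row.get("device", "<unknown>")] = problems
    return findings

if __name__ == "__main__":
    for device, problems in audit_devices(SAMPLE_EXPORT, datetime(2026, 1, 6)).items():
        print(device, "->", "; ".join(problems))
```

The findings dictionary can be saved with each run as evidence that the safeguarding measures are checked and exceptions are followed up.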

Example in a Small or Medium Business

A 45-person engineering firm that handles CUI allows staff to work from home up to two days a week. The firm issues company-controlled laptops only and configures each with full-disk encryption and an approved security baseline via Microsoft Intune. When employees sign in, a conditional access policy requires them to connect to the corporate VPN and complete MFA before accessing network shares or collaboration tools containing CUI. Intune manages Windows and third-party updates on a scheduled cadence and enforces local firewall and browser hardening. The firm also disables local printing for users who will access CUI and provides a documented exception process for cases that require printed outputs; exceptions require manager approval and in-office retrieval. All remote devices report endpoint telemetry to a central logging service when on VPN, and the IT admin can remotely wipe a device or place it under quarantine if suspicious activity is detected. Employees complete annual remote-work training that explains how to secure a home workspace, who to contact for incidents, and the physical controls required for any printed CUI.

Summary

Combining clear policy with practical technical controls lets SMBs meet PE.L2-3.10.6: define the safeguarding measures (device encryption, managed endpoints, VPN/MFA, printing and media controls, and training) and enforce them through device management, logging, and remote response capabilities. These steps ensure that CUI remains protected when work moves beyond the office while keeping implementation realistic and maintainable for small and medium organizations.

 
