3.10.6 Alternate Work Sites

Is your organization struggling to understand how to approach the NIST SP 800-171 3.10.6 Security Requirement for Alternate Work Sites? What is allowed and what an assessor may be looking for?

In this CMMC Churns, we dive into what is expected for working when away from your controlled work area.

In the requirement deep dive, we will look at the requirement, assessment objectives, the requirements relationships to other requirements, and evidentiary objects we would expect to see as assessors.

Interestingly, there are four primary use cases (working at home; in public spaces & travelling; in a hotel room; and at a client location) to that an organization can use to define its safeguarding requirements to be followed by staff when working outside of their offices.

We also look at considerations your business should ponder when developing safeguarding measures. For example, & remember, Alexa & Siri are not authorized listeners to CUI conversations…

3.10.6	SECURITY REQUIREMENT Enforce safeguarding measures for CUI at alternate work sites.
	DISCUSSION Alternate work sites may include government facilities or the private residences of employees. Organizations may define different security requirements for specific alternate work sites or types of sites depending on the work-related activities conducted at those sites. [SP 800-46] and [SP 800-114] provide guidance on enterprise and user security when teleworking.
	ASSESSMENT OBJECTIVE Determine if:
	3.10.6[a]	safeguarding measures for CUI are defined for alternate work sites.
	3.10.6[b]	safeguarding measures for CUI are enforced for alternate work sites.
	POTENTIAL ASSESSMENT METHODS AND OBJECTS
	Examine	[SELECT FROM: Physical and environmental protection policy; procedures addressing alternate work sites for personnel; system security plan; list of safeguards required for alternate work sites; assessments of safeguards at alternate work sites; other relevant documents or records].
	Interview	[SELECT FROM: Personnel approving use of alternate work sites; personnel using alternate work sites; personnel assessing controls at alternate work sites; personnel with information security responsibilities].
	Test	Possible Test Objects

As the CMMC Churns

We share our knowledge and experiences as a CMMC 3rd Party Assessment Organization (C3PAO) via the "As the CMMC Churns" episode so everyone can benefit.

3.10.6 Alternate Work Sites

Key CMMC Sites

Key References

Key Acquisition References

Other Key Sites

Recent Posts

Social Contact

As the CMMC Churns

We share our knowledge and experiences as a CMMC 3rd Party Assessment Organization (C3PAO) via the "As the CMMC Churns" episode so everyone can benefit.

3.10.6 Alternate Work Sites

Key CMMC Sites

Key References

Key Acquisition References

Other Key Sites

Share This Content!

Related Posts

The Three Types of Evidentiary Objects

Your SSP Sucks, Seriously.

Requirements have Relationships

Approve, the Forgotten Verb

CMMC Rule, an Executive Summary

Recent Posts

Social Contact