Is your organization struggling to understand how to approach the NIST SP 800-171 3.10.6 Security Requirement for Alternate Work Sites? What is allowed, and what may an assessor be looking for?

In this CMMC Churns, we dive into what is expected for working when away from your controlled work area.

In the requirement deep dive, we will look at the requirement, its assessment objectives, the requirement's relationships to other requirements, and the evidentiary objects we would expect to see as assessors.

Interestingly, there are four primary use cases (working at home; in public spaces and while travelling; in a hotel room; and at a client location) that an organization can use to define the safeguarding requirements its staff must follow when working outside of its offices.

We also look at considerations your business should ponder when developing safeguarding measures. For example, and remember: Alexa and Siri are not authorized listeners to CUI conversations…

3.10.6

SECURITY REQUIREMENT

Enforce safeguarding measures for CUI at alternate work sites.
DISCUSSION

Alternate work sites may include government facilities or the private residences of employees. Organizations may define different security requirements for specific alternate work sites or types of sites depending on the work-related activities conducted at those sites. [SP 800-46] and [SP 800-114] provide guidance on enterprise and user security when teleworking.

ASSESSMENT OBJECTIVE

Determine if:

3.10.6[a]

safeguarding measures for CUI are defined for alternate work sites.

3.10.6[b]

safeguarding measures for CUI are enforced for alternate work sites.

POTENTIAL ASSESSMENT METHODS AND OBJECTS

Examine

[SELECT FROM: Physical and environmental protection policy; procedures addressing alternate work sites for personnel; system security plan; list of safeguards required for alternate work sites; assessments of safeguards at alternate work sites; other relevant documents or records].

Interview

[SELECT FROM: Personnel approving use of alternate work sites; personnel using alternate work sites; personnel assessing controls at alternate work sites; personnel with information security responsibilities].

Test

Possible Test Objects
