CMMC Level 2 Practice 3.10.6: Enforce safeguarding measures for CUI at alternate work sites
CMMC Level 2 Practice 3.10.6 requires you to apply and enforce the same safeguarding rules for Controlled Unclassified Information (CUI) when it is accessed, processed, or stored at alternate work sites (home office, hotel, field site) as you do in your primary facilities. Operationalize it by defining “alternate work site” rules, hardening endpoints, controlling physical exposure, and retaining repeatable evidence that remote/field work complies. 1
Key takeaways:
- Treat alternate work sites as in-scope CUI environments, not “exceptions,” and document the conditions under which CUI work is allowed. 1
- Enforce controls with technical guardrails (managed devices, VPN, MFA, DLP where feasible) plus physical protections (no public printing, locked storage, clean desk). 1
- Assessors will look for proof of ongoing enforcement: policies, user acknowledgements, device configurations, logs, and exceptions with approvals. 2
Alternate work sites are where good CUI programs get messy: employees work from home, engineers travel, incident responders use laptops in the field, and project managers join calls from shared spaces. CMMC Level 2 Practice 3.10.6 (mapped to NIST SP 800-171 Rev. 2) expects you to control that reality, not pretend it doesn’t exist. The requirement is simple to say: enforce safeguarding measures for CUI at alternate work sites. The operational challenge is proving enforcement without slowing mission delivery.
For a CCO, GRC lead, or security program owner, “enforce” means you need defined rules, a method to ensure people follow them, and evidence that the method works over time. Assessors typically probe three angles: (1) where CUI can and cannot be accessed, (2) what protections exist at the endpoint and in the environment, and (3) how exceptions are handled without creating shadow IT.
This page translates the requirement into implementable controls, evidence you can retain without heroics, and the audit friction points that trigger findings. Primary references include the CMMC program rule and guidance plus the underlying NIST requirement. 3
Regulatory text
Requirement (as provided): “CMMC Level 2 practice mapped to NIST SP 800-171 Rev. 2 requirement 3.10.6 (Enforce safeguarding measures for CUI at alternate work sites).” 1
Operator meaning: If CUI is accessed, processed, or stored away from your controlled facilities, you must implement safeguards that reduce the risk of unauthorized disclosure and you must be able to show the safeguards are actually followed. This includes home offices, temporary project locations, travel settings, and other non-traditional work environments. 1
Plain-English interpretation
You must (1) define what “alternate work sites” are for your environment, (2) decide what CUI work is permitted there, (3) put technical and physical safeguards in place, and (4) enforce those safeguards through configuration management, monitoring, training, and exception management. “Enforce” is the key word: a PDF policy alone will not carry an assessment if endpoints or user practices contradict it. 1
Who it applies to
Entities: Defense contractors and other federal contractors that handle CUI and are seeking/maintaining CMMC Level 2 alignment. 4
Operational contexts in scope (examples):
- Remote employees accessing CUI from home on company-managed endpoints
- Traveling staff viewing CUI in hotels, airports, customer sites, or conference rooms
- Field work where laptops/tablets are used on-site
- Temporary offices, leased spaces, or partner-provided work areas where your staff performs CUI work
Common scoping boundary: If CUI never reaches the alternate site because you block access and prevent local storage (for example, no remote access to CUI systems), then 3.10.6 becomes a prohibition-and-enforcement story. If CUI does reach the alternate site, 3.10.6 becomes a controls-and-evidence story. 1
What you actually need to do (step-by-step)
1) Define “alternate work site” and your allowed-use model
Create a short standard that answers:
- What locations count (home office, travel, temporary site)
- Whether CUI may be accessed there
- Whether CUI may be stored there (ideally “no” unless you have a managed, encrypted endpoint policy)
- Whether printing is permitted (often “no” outside controlled facilities)
Deliverable: “Alternate Work Site CUI Safeguards Standard” aligned to your CUI handling policy. 1
2) Put technical guardrails in place (make the safe path the default)
Minimum expectations typically include:
- Managed endpoints only for CUI work (MDM/UEM enrolled, hardened baselines, patching, EDR)
- Strong authentication to CUI systems (MFA for all remote access to CUI systems; NIST SP 800-171 Rev. 2 requirement 3.5.3 already mandates MFA for network access to privileged and non-privileged accounts, so do not treat it as optional at alternate sites)
- Encrypted storage on endpoints (full-disk encryption; where it protects the confidentiality of CUI, NIST SP 800-171 Rev. 2 requirement 3.13.11 expects FIPS-validated cryptography) and controlled removable media
- Secure remote access (VPN or equivalent protected access path) and session controls
- No local admin for standard users performing CUI work
- Timeout/lock for unattended devices (session lock with a pattern-hiding display after a defined period of inactivity, as NIST SP 800-171 Rev. 2 requirement 3.1.10 describes)
You do not need every tool category to satisfy 3.10.6, but you do need a coherent enforcement story: users should not be able to casually move CUI onto unmanaged devices or personal email. 1
Practical decision matrix (document it):
| Scenario | Allow? | Required safeguards (examples) | Evidence to retain |
|---|---|---|---|
| Home office on managed laptop | Yes | Full-disk encryption; MFA; screen lock; no printing unless approved | MDM policy screenshot; encryption status report; MFA config |
| Personal device (BYOD) | Usually no | If allowed, require formal exception + MDM containerization | Exception ticket; MDM enrollment proof |
| Hotel/airport public areas | Conditional | Privacy screen; no speakerphone for CUI; no viewing in shoulder-surf zones | User guidance + acknowledgement; travel checklist |
| Local storage of CUI | Conditional | Only in approved encrypted folders; DLP rules if available | DLP policy; endpoint config |
(Use your own controls; the assessor cares that you made a decision and enforce it.) 1
3) Add physical/environmental safeguards for alternate sites
Write clear, enforceable rules employees can follow:
- Maintain visual and audio privacy (no CUI discussions in public, protect screens)
- Lockable storage for any printed CUI or media (if printing is allowed)
- Clean desk / secure disposal for notes and drafts
- No shared household printers for CUI unless explicitly approved and controlled
- Report loss/theft quickly (tie to your incident reporting procedures)
Tip: Put these into a one-page “Remote/Travel CUI Rules” sheet and require annual acknowledgement. Assessors like short, role-relevant artifacts. 1
4) Build an exception process that doesn’t become a loophole
Alternate work sites generate edge cases (field ops, customer deadlines). Your exception workflow should require:
- Business justification
- Specific duration/scope (what CUI, what system, what location type)
- Compensating controls
- Approval from security and the data owner/program owner
- Post-exception review and closure evidence
If you cannot explain how exceptions are controlled, assessors often treat the “policy” as unenforced. 2
5) Train, verify, and continuously capture evidence
Enforcement is proven through repetition:
- Train staff who handle CUI on remote/travel safeguards
- Verify endpoint compliance through MDM/EDR reporting
- Review remote access logs and investigate anomalies
- Periodically test: “Can a user download CUI to an unmanaged device?” Document results and fixes.
Daydream (as a GRC workflow layer) is useful here because it can map 3.10.6 to your specific control activities and schedule recurring evidence capture, so you are not rebuilding proof right before an assessment. 2
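An added example, not part of this page or of Daydream, that ties step 2 (managed endpoints and access-layer enforcement) to step 5 (verifying endpoint compliance and reviewing remote access logs): it joins a constructed MDM/UEM compliance export to a constructed remote-access log sample, evaluates each access to a CUI resource against an assumed alternate-site baseline (device enrolled and assigned to the user, disk encrypted, screen lock within 15 minutes, OS at the patch baseline, EDR present, no local admin, MFA satisfied, approved location type) and emits per-event verdicts plus a dated summary you can file as operational evidence. The field names, thresholds and log format are assumptions; substitute the columns your own MDM and VPN/SSO exports produce.

```python
"""Added example (not from the page or any vendor): reconcile a remote-access
log sample with an MDM/UEM compliance export to produce 3.10.6 enforcement
evidence. Log format, export fields and thresholds are assumptions; all data
below is constructed."""
import json
from collections import Counter
from datetime import datetime, timezone

# Assumed thresholds from an "Alternate Work Site CUI Safeguards Standard".
MAX_SCREEN_LOCK_SECONDS = 900   # 15 minutes of inactivity
MIN_OS_BUILD = 22621            # assumed patch baseline for the fleet
ALLOWED_LOCATION_TYPES = {"office", "home", "travel", "field"}

# Constructed MDM/UEM compliance export: design evidence for the assessor.
MDM_EXPORT = [
    {"device_id": "LT-1001", "user": "alice", "encrypted": True,  "screen_lock_s": 600,  "os_build": 22631, "edr": True,  "local_admin": False},
    {"device_id": "LT-1002", "user": "bob",   "encrypted": False, "screen_lock_s": 600,  "os_build": 22631, "edr": True,  "local_admin": False},
    {"device_id": "LT-1003", "user": "carol", "encrypted": True,  "screen_lock_s": 3600, "os_build": 22000, "edr": False, "local_admin": True},
]

# Constructed remote-access log sample, one JSON object per line.
ACCESS_LOG = """\
{"ts":"2024-05-02T13:04:10Z","user":"alice","device_id":"LT-1001","mfa":true,"location_type":"home","action":"view","resource":"cui-share"}
{"ts":"2024-05-02T13:09:42Z","user":"bob","device_id":"LT-1002","mfa":true,"location_type":"travel","action":"download","resource":"cui-share"}
{"ts":"2024-05-02T14:20:05Z","user":"carol","device_id":"LT-1003","mfa":false,"location_type":"home","action":"view","resource":"cui-share"}
{"ts":"2024-05-02T15:01:33Z","user":"dave","device_id":"PERSONAL-IPAD","mfa":true,"location_type":"home","action":"download","resource":"cui-share"}
{"ts":"2024-05-02T15:30:00Z","user":"alice","device_id":"LT-1001","mfa":true,"location_type":"home","action":"view","resource":"hr-portal"}
"""


def device_findings(dev):
    """Return the baseline failures for one exported device record."""
    findings = []
    if not dev["encrypted"]:
        findings.append("disk-not-encrypted")
    if dev["screen_lock_s"] > MAX_SCREEN_LOCK_SECONDS:
        findings.append("screen-lock-too-long")
    if dev["os_build"] < MIN_OS_BUILD:
        findings.append("os-below-baseline")
    if not dev["edr"]:
        findings.append("edr-missing")
    if dev["local_admin"]:
        findings.append("user-is-local-admin")
    return findings


def evaluate_access(log_text, mdm_export, cui_resources):
    """Join each CUI access event to the device inventory and decide whether
    the access layer should have allowed it. Returns one verdict per event."""
    inventory = {d["device_id"]: d for d in mdm_export}
    verdicts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev["resource"] not in cui_resources:
            continue  # non-CUI systems are outside the 3.10.6 scope
        reasons = []
        dev = inventory.get(ev["device_id"])
        if dev is None:
            reasons.append("unmanaged-device")
        else:
            if dev["user"] != ev["user"]:
                reasons.append("device-user-mismatch")
            reasons.extend(device_findings(dev))
        if not ev["mfa"]:
            reasons.append("mfa-not-satisfied")
        if ev["location_type"] not in ALLOWED_LOCATION_TYPES:
            reasons.append("location-type-not-approved")
        verdicts.append({"ts": ev["ts"], "user": ev["user"], "device_id": ev["device_id"],
                         "action": ev["action"], "verdict": "allow" if not reasons else "deny",
                         "reasons": reasons})
    return verdicts


def evidence_summary(verdicts):
    """Dated summary for the recurring evidence register."""
    by_reason = Counter(r for v in verdicts for r in v["reasons"])
    return {
        "generated": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "events_reviewed": len(verdicts),
        "denied": sum(1 for v in verdicts if v["verdict"] == "deny"),
        "top_reasons": by_reason.most_common(),
    }


if __name__ == "__main__":
    results = evaluate_access(ACCESS_LOG, MDM_EXPORT, {"cui-share"})
    for v in results:
        print(v)
    print(json.dumps(evidence_summary(results), indent=2))
```

Run it on a real export and log sample each quarter: any "deny" verdict that the access layer actually allowed is a gap between the written standard and enforcement, which is exactly the contradiction an assessor will probe. Keep the dated summary alongside the raw inputs so the evidence shows operation, not just design.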
Required evidence and artifacts to retain
Keep evidence that shows both design (what you intended) and operation (what actually happened):
Policy & standards
- CUI Handling Policy with alternate work site section
- Alternate Work Site CUI Safeguards Standard / Remote Work Standard
- Acceptable Use + Remote Access policies
- Exception procedure and completed exception records
Technical configuration evidence
- MDM/UEM compliance reports (encryption, screen lock, OS version)
- VPN/remote access configuration and MFA enforcement proof
- EDR deployment status for endpoints used for CUI
- DLP rules (if used) and alert handling workflow
Operational evidence
- Training completion and annual acknowledgements for CUI remote rules
- Remote access logs (samples) showing access from authorized devices/users
- Incident tickets for lost/stolen devices and resolution notes
- Internal test results (tabletop or control checks) for remote CUI handling
Common exam/audit questions and hangups
Assessors commonly probe:
- “Show me where you define alternate work sites and the required safeguards.” 1
- “How do you prevent CUI access from unmanaged devices?” 1
- “Is printing allowed at home? If yes, where is it stored and how is it destroyed?” 1
- “How do you know encryption is enabled on all endpoints used for CUI?” 1
- “What happens when someone travels internationally with a laptop containing CUI?” If you allow it, be ready to show controls and approvals; if you prohibit it, show enforcement and user guidance. 1
- “Show exceptions.” If exceptions exist but you cannot produce approvals and compensating controls, you risk a finding. 2
Frequent implementation mistakes (and how to avoid them)
- Policy says “no CUI on personal devices,” but systems allow it. Fix: enforce device compliance at the access layer (conditional access, certificate-based access, MDM compliance checks). Keep screenshots and change records. 1
- No written definition of “alternate work site.” Fix: define it explicitly and list common examples; tie it to your remote work policy and CUI boundary. 1
- Printing and paper notes ignored. Fix: either prohibit offsite printing or require lockable storage and secure destruction. Train to it and retain acknowledgements. 1
- Evidence scramble right before assessment. Fix: create a recurring evidence plan (quarterly endpoint compliance exports, monthly remote access log samples, annual training). Track it in a system like Daydream so each artifact is mapped to 3.10.6 and time-stamped. 2
- Exceptions become permanent. Fix: set expiry dates, require re-approval, and review for patterns that indicate a needed architecture change. 1
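For step 4 (the exception workflow) and the “exceptions become permanent” mistake above, an added example, not from this page or from Daydream, of a recurring exception-register review: it flags records missing a required element (justification, scope, compensating controls, security and data-owner approval, expiry), exceptions that expired without being closed, exceptions due for re-approval, closures with no closure evidence, and scenarios exceptioned often enough to indicate the standard or architecture should change. The record fields, the 30-day re-approval window and the recurrence threshold are assumptions; the entries are constructed.

```python
"""Added example (not from the page or from Daydream): a recurring review of an
alternate-work-site exception register. Field names, the re-approval window
and the recurrence threshold are assumptions; the records are constructed."""
from collections import Counter
from datetime import date

REQUIRED_FIELDS = ("justification", "scope", "compensating_controls",
                   "security_approver", "data_owner_approver", "expires")
REAPPROVAL_WINDOW_DAYS = 30   # assumed: flag open exceptions expiring within 30 days
PATTERN_THRESHOLD = 3         # assumed: a scenario granted this often needs an architectural fix


def rec(id_, scenario, expires, closed=None, closure_evidence=None, **overrides):
    """Build a constructed register entry; overrides model incomplete records."""
    r = {"id": id_, "scenario": scenario, "justification": "documented business need",
         "scope": "named CUI set, system and location type", "compensating_controls": ["listed"],
         "security_approver": "security-lead", "data_owner_approver": "program-owner",
         "expires": expires, "closed": closed, "closure_evidence": closure_evidence}
    r.update(overrides)
    return r


# Constructed register: one clean closure and four records that need action.
REGISTER = [
    rec("EXC-001", "byod-tablet-field", "2024-03-10", closed="2024-03-08", closure_evidence="ticket-4411"),
    rec("EXC-002", "byod-tablet-field", "2024-04-01"),                        # expired, never closed
    rec("EXC-003", "home-printing", "2024-12-31", compensating_controls=[], data_owner_approver=None),
    rec("EXC-004", "byod-tablet-field", "2024-06-20"),                        # inside the re-approval window
    rec("EXC-005", "byod-tablet-field", "2024-05-15", closed="2024-05-14"),   # closed without evidence
]


def review_register(records, today):
    """Return (id, finding, detail) tuples for every record needing action.
    `today` may be a date or an ISO string so the review is reproducible."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    findings = []
    for r in records:
        missing = [f for f in REQUIRED_FIELDS if not r.get(f)]
        if missing:
            findings.append((r["id"], "incomplete-record", ",".join(missing)))
        if r.get("closed"):
            if not r.get("closure_evidence"):
                findings.append((r["id"], "closed-without-evidence", r["closed"]))
            continue
        if not r.get("expires"):
            continue  # already reported as incomplete
        expires = date.fromisoformat(r["expires"])
        if expires < today:
            findings.append((r["id"], "expired-still-open", r["expires"]))
        elif (expires - today).days <= REAPPROVAL_WINDOW_DAYS:
            findings.append((r["id"], "reapproval-due", r["expires"]))
    return findings


def recurring_scenarios(records):
    """Scenarios granted often enough that the standard or architecture should change."""
    counts = Counter(r["scenario"] for r in records)
    return sorted(s for s, n in counts.items() if n >= PATTERN_THRESHOLD)


if __name__ == "__main__":
    for finding in review_register(REGISTER, date.today()):
        print(finding)
    print("recurring:", recurring_scenarios(REGISTER))
```

Run the review on a fixed date each month and keep the output with the register export; the findings list is the evidence that exceptions are tracked to closure, and the recurring-scenario list is the input to the architecture discussion (here, repeated field-tablet exceptions argue for issuing managed tablets rather than granting a fourth exception).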
Enforcement context and risk implications
Public enforcement cases specific to this practice were not provided in the source catalog, so this page does not list case citations. The practical risk is still clear: alternate work sites increase exposure to loss/theft, shoulder surfing, unsecured Wi‑Fi, household/shared devices, and informal printing. Under CMMC, inability to show consistent enforcement and evidence can jeopardize assessment outcomes and contract eligibility. 4
Practical 30/60/90-day execution plan
First 30 days (stabilize and scope)
- Inventory which roles and systems allow CUI access offsite; document “allowed vs prohibited” scenarios. 1
- Publish an Alternate Work Site CUI Safeguards Standard and a one-page Remote/Travel CUI Rules sheet. 1
- Confirm managed endpoints are required for CUI access; block obvious gaps (BYOD access paths, personal email forwarding). 1
Days 31–60 (enforce technically and formalize exceptions)
- Implement or tighten conditional access rules that require device compliance for CUI systems. 1
- Validate encryption, screen-lock, and patch baselines through MDM reporting; remediate noncompliant endpoints. 1
- Stand up the exception workflow with approvals, compensating controls, and closure evidence. 2
Days 61–90 (prove operation and make evidence repeatable)
- Run a control check: attempt to access/download CUI from an unmanaged device; document outcomes and fixes. 1
- Start recurring evidence capture (endpoint compliance exports, remote access log samples, exception register review). 2
- Map each evidence item to 3.10.6 in your SSP/POA&M support materials, and track it in Daydream so you can produce an assessor-ready packet on demand. 2
Frequently Asked Questions
Does 3.10.6 mean remote work with CUI is prohibited?
No. It means if you permit CUI work at alternate sites, you must enforce safeguards comparable to controlled environments and prove enforcement. If you prohibit it, you must still enforce the prohibition with technical controls and monitoring. 1
Are home networks (Wi‑Fi routers) in scope for CMMC evidence?
You generally don’t “manage” an employee’s home router the way you manage a company endpoint, but you should define required behaviors (secure Wi‑Fi, no public networks without approved protections) and enforce what you can through endpoint and access controls. Keep the policy, training, and technical enforcement evidence. 1
What if we use VDI or a browser-only portal and do not allow downloads?
That can reduce alternate-site exposure, but you still need safeguards for viewing CUI (screen privacy, MFA, managed device requirements) and evidence that downloads/local storage are blocked. Document the architecture decision and retain configuration proof. 1
Can we allow printing of CUI at home with written permission?
You can, but it increases audit scrutiny. If allowed, require explicit approval, define storage (lockable container), restrict printers, and require secure destruction; retain approvals and employee acknowledgements. 1
What evidence is strongest for “enforce”?
A mix wins: conditional access/device compliance rules, MDM compliance reports (encryption/lock), VPN/MFA configuration proof, and a maintained exception register. Assessors also value dated log samples that demonstrate ongoing operation. 5
How do we handle consultants or other third parties working remotely on our CUI?
Treat them the same as employees: only approved accounts, only approved managed endpoints (yours or contractually validated), and written alternate-site safeguards. Put the requirements into the third-party agreement and retain their compliance evidence or your enforcement logs. 1