03.10.06: Alternate Work Site
To meet the 03.10.06: alternate work site requirement, you must define and enforce security controls for any location outside your managed facilities where personnel access, process, store, or transmit CUI, then prove those controls operate. Treat remote and temporary sites as in-scope system environments with documented rules, technical protections, user obligations, and retained evidence. 1
Key takeaways:
- You need a written alternate work site standard that ties directly to CUI handling and your system boundary in the SSP. 1
- Technical controls (managed endpoints, secure remote access, encryption, logging) must be enforceable, not “guidance.” 1
- Audits fail on evidence gaps: approvals, configurations, monitoring, and exception handling must be provable over time. 1
“Alternate work site” is a compliance phrase for a practical reality: people work from home, hotels, customer sites, and shared workspaces. Under NIST SP 800-171 Rev. 3, those locations matter because they can become part of the environment where Controlled Unclassified Information (CUI) is accessed or handled. If your program only secures the corporate office and ignores remote work, you end up with an SSP narrative that doesn’t match operations, and assessors will treat that as a control design and scope failure.
Operationalizing 03.10.06 means you set clear conditions under which alternate work is allowed, specify the minimum safeguards (technical and procedural), and make compliance measurable. Your goal is not to “ban remote work.” Your goal is to ensure the same CUI protection objectives follow the user and endpoint, regardless of location, and that you can show repeatable evidence.
This page gives requirement-level guidance a CCO, compliance officer, or GRC lead can execute quickly: scoping decisions, a step-by-step control build, evidence to retain, common audit traps, and a practical execution plan that maps cleanly into an SSP/POA&M workflow. 1
Regulatory text
Requirement: “NIST SP 800-171 Rev. 3 requirement 03.10.06 (Alternate Work Site).” 1
Operator interpretation: You must establish and implement safeguards for alternate work sites used to perform work involving CUI. In practice, this means you define what qualifies as an alternate work site, specify approved methods for remote access and CUI handling, enforce endpoint and network protections, and document how you monitor and respond to issues arising from those sites. Your SSP must describe how the requirement is met, and your POA&M must track gaps to closure with validation. 1
Plain-English interpretation (what this requirement is really asking)
If people do CUI work somewhere other than your controlled facility, you have to:
- Set rules for that scenario,
- Enforce technical controls that make the rules real, and
- Keep evidence that those controls operate consistently.
Alternate work sites are not limited to “work from home.” Include temporary offices, coworking spaces, hotel rooms, field locations, and customer premises when your personnel (or authorized third parties) access CUI using your systems or process CUI in any form. 1
Who it applies to
Entities
- Federal contractors and other nonfederal organizations handling CUI in nonfederal systems, including environments supporting covered contracts and related internal business systems that touch CUI. 1
Operational context (what triggers it)
This requirement becomes “real” when any of the following occur:
- Users access CUI from offsite via VPN, ZTNA, VDI, remote desktop, or SaaS.
- Users store CUI locally on endpoints while remote.
- Users print, scan, photograph, or discuss CUI in environments you do not physically control.
- Support staff administer CUI systems from home or while traveling. 1
What you actually need to do (step-by-step)
Step 1: Define “alternate work site” and your allowed work modes
Create a standard that answers these questions in plain language:
- Which roles can work with CUI from alternate sites?
- What work modes are allowed (e.g., “access-only via VDI,” “no local storage,” “no printing”)?
- What locations are prohibited (e.g., public kiosks, shared family computers)?
- What constitutes a policy violation and what happens next?
Deliverable: Alternate Work Site Standard (policy/standard-level), referenced by the SSP. 1
Step 2: Tie the requirement to SSP scope and owners
Assessors look for clarity: what systems, endpoints, and remote access paths are in scope for CUI.
- Update SSP control statements for 03.10.06.
- Assign a control owner (often Security/GRC) and operational owners (IT endpoint management, IAM, SOC).
- Identify responsible system components: endpoint management, MDM/MAM, VPN/ZTNA, VDI, logging/SIEM, DLP (if used).
A practical way to stay organized is to track this mapping in Daydream as a requirement-to-SSP trace, with named owners and linked evidence, so the SSP stays synchronized with real controls. 1
Step 3: Enforce minimum endpoint protections for remote CUI work
Write “minimum required” configurations that IT can implement and auditors can test. Examples of enforceable requirements:
- Only managed devices may access CUI (corporate-managed laptops or managed mobile).
- Full-disk encryption enabled.
- Host firewall enabled.
- EDR installed and reporting.
- Automatic patching and configuration baselines.
- Screen lock and session timeout settings.
Avoid ambiguous language (“should,” “where possible”). If exceptions exist, define an exception process with compensating controls and approvals. 1
Step 4: Standardize secure remote access paths
Document and implement approved remote access patterns. Typical options:
- VPN/ZTNA into the environment hosting CUI
- VDI to prevent local data persistence
- Controlled SaaS with strong identity and access controls
What matters for 03.10.06 is that the remote access method is authorized, monitored, and consistent, and that it supports your CUI handling rules (for example: “no download” when required). 1
Step 5: Control CUI data handling at the alternate site
Your standard should explicitly address:
- Local storage rules (allowed, restricted, or prohibited)
- Printing rules (usually prohibited unless approved)
- Voice/video conversations (privacy expectations, no smart speakers, avoid public spaces)
- Physical protection of devices (do not leave devices unattended; secure transport)
- Handling of paper notes (secure disposal, return-to-office procedures)
Train personnel on the specific alternate-site rules they must follow. Keep training acknowledgments tied to CUI roles. 1
Step 6: Monitoring, incident response, and “break glass” controls
Alternate sites increase the chance of lost devices, insecure Wi‑Fi, shoulder surfing, and delayed reporting. Make response steps explicit:
- How users report loss/theft or suspected exposure while remote
- How IT disables access, wipes devices (if applicable), and preserves logs
- How you triage suspicious remote logins (impossible travel, unusual geo, new device)
Your evidence should show you can detect and respond, not just that you wrote a policy. 1
Step 7: Operational reviews and POA&M discipline
Build a recurring review cycle:
- Review remote access logs and endpoint compliance.
- Sample-check alternate work site attestations (if you require them).
- Track exceptions in a register with approvals and expiry dates.
- Put gaps in the POA&M with owners, target dates, and closure validation.
Daydream can help here by linking each open gap to the specific requirement statement, the system component, and the closure evidence, so you can defend “implemented” versus “planned.” 1
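As an added example (not code from the page, NIST, or any vendor tool), the following Python script implements the review checks described in Steps 3, 6 and 7 over constructed sample data: it flags CUI access from unmanaged devices that lack a valid exception, exceptions that have passed their expiry date, and impossible-travel login pairs. The log format, field names, inventory, register and the 900 km/h travel threshold are all assumptions made for the example.

```python
# Added example: operational review of remote-access evidence for 03.10.06.
# Log format, device names, exception register and speed threshold are assumed.
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed managed-endpoint inventory (Step 3: only managed devices touch CUI).
MANAGED = {"LT-0417", "LT-0422"}
# Constructed exception register (Step 7): device -> expiry of the approval.
EXCEPTIONS = {"PERSONAL-9": datetime(2025, 1, 31)}
# Constructed remote-access log lines: timestamp,user,device,latitude,longitude
LOG = """\
2025-02-03T08:05:00,alice,LT-0417,38.90,-77.04
2025-02-03T09:10:00,alice,LT-0417,51.51,-0.13
2025-02-03T09:15:00,bob,PERSONAL-9,34.05,-118.24
2025-02-03T10:00:00,carol,LT-0422,30.27,-97.74
2025-02-03T11:00:00,dave,UNKNOWN-1,40.71,-74.01
"""
MAX_KMH = 900  # fastest plausible travel speed between two logins (assumed)

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two coordinates."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))

def parse_log(text):
    """Parse the constructed CSV-style log into time-ordered event tuples."""
    events = []
    for line in text.splitlines():
        ts, user, device, lat, lon = line.split(",")
        events.append((datetime.fromisoformat(ts), user, device, float(lat), float(lon)))
    return sorted(events)

def review(text, managed=MANAGED, exceptions=EXCEPTIONS):
    """Return (finding, user, device) tuples for the Step 6/7 review checks."""
    findings = []
    last = {}  # user -> previous event, used for the impossible-travel check
    for ts, user, device, lat, lon in parse_log(text):
        if device not in managed:
            expiry = exceptions.get(device)
            if expiry is None:
                findings.append(("unmanaged_device", user, device))
            elif ts > expiry:
                findings.append(("expired_exception", user, device))
        if user in last:
            pts, _, _, plat, plon = last[user]
            hours = (ts - pts).total_seconds() / 3600
            if hours > 0 and haversine_km(plat, plon, lat, lon) / hours > MAX_KMH:
                findings.append(("impossible_travel", user, device))
        last[user] = (ts, user, device, lat, lon)
    return findings
```

Each finding maps to a retained artifact: unmanaged-device and expired-exception hits feed the exception register and POA&M, while impossible-travel hits become incident tickets under Step 6.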
Required evidence and artifacts to retain
Keep artifacts that prove design and operation:
Governance
- Alternate Work Site Standard / Remote Work with CUI Standard (approved, versioned)
- SSP control statement for 03.10.06 with system boundary notes 1
- Exception register with compensating controls and approvals
- Role-based training materials and completion/acknowledgments
Technical
- Endpoint compliance reports (encryption, EDR status, patch posture, configuration baseline)
- Remote access configuration exports (VPN/ZTNA/VDI policy settings)
- Authentication/conditional access policies supporting remote access (where applicable)
- Centralized logs showing remote access events and endpoint check-ins
Operational
- Periodic review records (tickets, meeting notes, sign-offs)
- Incident tickets involving remote work, with response actions and outcomes
- POA&M entries and closure evidence mapped to 03.10.06 1
Common exam/audit questions and hangups
Assessors and internal audit commonly press on:
- Scope clarity: “Which endpoints and remote access methods can touch CUI?” If you can’t answer quickly, your SSP is likely too vague. 1
- Enforcement vs. guidance: “How do you technically prevent unmanaged devices from accessing CUI?” A policy alone rarely satisfies expectations. 1
- Evidence over time: “Show me remote-access logs and endpoint compliance from across the assessment period.” Point-in-time screenshots are a weak substitute. 1
- Exceptions: “How many exceptions exist, who approved them, and when do they expire?” Exceptions without expiry and compensating controls draw findings. 1
Frequent implementation mistakes (and how to avoid them)
| Mistake | Why it fails | What to do instead |
|---|---|---|
| Defining alternate work site rules but allowing BYOD informally | You can’t enforce baseline security | Require managed devices for CUI access; formalize exceptions with compensating controls 1 |
| SSP says “remote work is allowed” with no system/component detail | Assessors can’t test implementation | Map 03.10.06 to systems, access paths, and owners in the SSP 1 |
| “No local storage” policy while tools still allow downloads | Control objective is contradicted by reality | Align configuration to policy, then test and retain evidence 1 |
| Weak evidence collection | You can’t prove operation | Define measurable evidence, collect it on a schedule, and store it centrally 1 |
| Exceptions handled in email threads | No audit trail, no expiry | Maintain an exception register with risk rationale, approval, expiry, and closure 1 |
Enforcement context and risk implications
No public enforcement cases were provided in the source catalog for this requirement. Practically, the risk shows up as assessment findings: remote work expands your attack surface and increases the chance of CUI exposure through unmanaged endpoints, insecure networks, and weak user practices. The compliance impact is usually “control not implemented” or “implemented but not operating,” driven by SSP misalignment and thin evidence. 1
A practical 30/60/90-day execution plan
First 30 days (stabilize scope and rules)
- Publish an Alternate Work Site Standard for CUI work with allowed work modes, prohibited actions, and an exception process. 1
- Update SSP language for 03.10.06: scope, system components, control owners. 1
- Inventory who accesses CUI remotely and from what managed endpoints and tools.
By 60 days (enforce minimum safeguards)
- Restrict CUI access to managed endpoints and approved remote access paths.
- Validate endpoint baselines and produce repeatable compliance reports (encryption, EDR, patching).
- Implement centralized logging for remote access and confirm you can retrieve it for audit.
By 90 days (prove operation and close gaps)
- Run an internal control test: sample remote users, confirm configurations, and validate that evidence is retrievable and consistent.
- Review exceptions, enforce expirations, and move gaps into POA&M with closure criteria and owners. 1
- In Daydream, link evidence to 03.10.06 statements and track remediation to closure so the SSP/POA&M stays assessment-ready. 1
Frequently Asked Questions
Does 03.10.06 require banning remote work for CUI?
No. It requires that alternate work sites have defined safeguards and that you can demonstrate those safeguards operate for CUI access and handling. Your policy and technical controls must match actual remote work patterns. 1
Are coworking spaces and hotels considered alternate work sites?
Treat them as alternate work sites if personnel access, process, store, or transmit CUI there. Your standard should explicitly address high-risk locations and what is prohibited or required. 1
What’s the fastest way to fail an assessment on alternate work sites?
An SSP that says remote work is allowed without naming systems, access paths, endpoint requirements, and operational evidence. The second fastest is allowing unmanaged devices in practice. 1
Do we need users to sign an annual remote work/CUI attestation?
NIST SP 800-171 Rev. 3 doesn’t prescribe a specific attestation cadence in the provided excerpt, but an attestation can be strong supporting evidence if it ties to specific rules and consequences. Pair it with technical enforcement and logs. 1
How should we handle exceptions for executives or field teams?
Use a written exception workflow with documented compensating controls, explicit approval, an expiration date, and a validation step before renewal. Track exceptions centrally so you can answer audit questions quickly. 1
What evidence matters most for auditors?
Evidence that controls operate: endpoint compliance reports, remote access configurations, logs of remote access activity, training acknowledgments, and POA&M records for any gaps. Store evidence with clear mapping to 03.10.06 in the SSP. 1
Footnotes
1. Source: NIST SP 800-171 Rev. 3