03.10.06: Alternate Work Site

NIST SP 800-171 Rev. 3 requirement 03.10.06 (“Alternate Work Site”) means you must control and document how personnel protect CUI when working away from your controlled facilities (home, travel, field sites). Operationalize it by defining approved alternate-work scenarios, enforcing baseline technical controls (device, identity, network), and retaining evidence that remote handling of CUI follows your SSP-defined rules [1].

Key takeaways:

  • Treat “alternate work site” as a defined operating mode with explicit rules for CUI, not an informal exception.
  • Your SSP must state the remote-work control boundary, and your evidence must prove it runs that way in production [1].
  • Assess using NIST SP 800-171A-style “show me” evidence: configs, logs, approvals, and user acknowledgments [2].

“Alternate work site” is where CUI programs fail quietly: people do real work from home, in hotels, at customer locations, and on personal networks, while your written controls assume a corporate office. Requirement 03.10.06 forces you to close that gap. You need a documented, enforceable remote-work posture that prevents CUI exposure through unmanaged endpoints, weak authentication, uncontrolled local storage, and ad hoc file-sharing.

For a CCO or GRC lead, the fastest path is to convert 03.10.06 into a small set of non-negotiable conditions for any CUI work outside your facilities: (1) only approved devices and accounts, (2) only approved access paths (e.g., VPN/ZTNA), (3) controlled data handling (no uncontrolled local copies), and (4) evidence that these conditions are continuously enforced. Then tie those conditions to your System Security Plan (SSP) control statements and track any gaps in a POA&M with owners and closure criteria [1].

This page focuses on requirement-level implementation steps, what auditors ask for, and what artifacts you need on hand to pass an assessment without scrambling.

Regulatory text

Provided excerpt: “NIST SP 800-171 Rev. 3 requirement 03.10.06 (Alternate Work Site).” [1]

What the operator must do (practical reading):
You must define and implement protections for CUI when personnel work at alternate locations (e.g., home office, travel, field site) so that remote work does not reduce the security posture below what your CUI environment requires. In practice, assessors expect you to (a) document the rules, (b) enforce them technically where possible, and (c) prove operation with evidence aligned to the SSP and assessment objectives (Sources: NIST SP 800-171 Rev. 3; NIST SP 800-171A).

Plain-English interpretation (what 03.10.06 requires)

If someone can access, process, store, or transmit CUI from outside your controlled facility, you must:

  1. Decide what “allowed remote CUI work” looks like in your environment.
  2. Put guardrails around identity, devices, network access, and data handling.
  3. Train users on those guardrails and require acknowledgment.
  4. Keep records that demonstrate the guardrails are active and effective.

A useful mental model: alternate work sites expand your system boundary into places you do not control physically. Your response is to tighten logical controls and reduce data exposure in those places, then document that design in the SSP and validate it through assessment evidence (Sources: NIST SP 800-171 Rev. 3; NIST SP 800-171A).

Who it applies to

Entities: Any nonfederal organization that handles CUI under a federal contract or agreement and is implementing NIST SP 800-171 controls [1].

Operational context (where it shows up):

  • Remote employees and hybrid work where CUI is accessed offsite.
  • Travel (hotel Wi-Fi, conference venues, airports).
  • Field work (construction sites, maintenance locations, customer facilities).
  • Third parties supporting you (IT support, engineering subcontractors) if they access your CUI systems from their locations. Manage this as third-party remote access within your broader third-party risk management program, but keep the evidence in-scope for your CUI system.

What you actually need to do (step-by-step)

Step 1: Define your alternate-work use cases and “allowed modes”

Create a short matrix that lists:

  • Who can work remotely with CUI (roles, teams).
  • Where they can work (home, customer site, travel).
  • What systems they can use (VDI, managed laptop, approved SaaS).
  • What CUI actions are permitted (view only, edit, download, print, sync).

Make decisions explicit. Auditors and assessors penalize “it depends” answers that aren’t backed by policy and configuration.

Step 2: Write the control statement into the SSP (and name owners)

In your SSP, document:

  • The system boundary for remote access (which endpoints and access methods are in-scope).
  • The control owner (often IT Security for technical enforcement, HR/Compliance for training/attestation, and System Owner for exceptions).
  • The implementation criteria: what must be true for remote CUI work to be compliant [1].

Daydream tip: store the SSP control statement, mapped system components, and accountable owners in one place so evidence collection stays consistent during assessments [1].

Step 3: Enforce baseline technical conditions for remote CUI access

Set minimum conditions that are testable:

Identity and session controls

  • Require strong authentication for remote access paths.
  • Restrict remote access to named user accounts and managed identities.
  • Session timeout and re-authentication expectations should be documented and configured where feasible.

Device controls

  • Only managed endpoints can access CUI systems (corporate laptop/VDI).
  • Endpoint security tooling enabled (EDR/AV), disk encryption, host firewall baseline.
  • Block or tightly control removable media and local admin rights based on risk.

Network and access path

  • Require an approved access path (VPN/ZTNA/VDI) for reaching CUI resources.
  • Prevent direct access from unmanaged networks to sensitive admin interfaces.
  • Use conditional access (device compliance + user risk) where available.

Data handling

  • Decide whether CUI may be stored locally at the alternate site.
  • If local storage is allowed, define controls (encryption, backup restrictions, secure deletion).
  • Control printing and local copies. If you permit printing, define physical safeguards and disposal expectations.

You do not need exotic tooling. You need enforceable guardrails and proof they’re enforced (Sources: NIST SP 800-171 Rev. 3; NIST SP 800-171A).

Step 4: Establish an exceptions process (and treat it as a risk decision)

Remote work creates edge cases: emergency access, a broken VPN, travel with limited connectivity. Define:

  • Who can approve exceptions.
  • Time-boxing expectations and compensating controls.
  • Logging requirements and after-action review.

Track exceptions as POA&M items if they indicate a control gap that needs engineering work [1].

Step 5: Train and obtain acknowledgments specific to alternate work sites

Generic security awareness training rarely passes a serious CUI assessment by itself. Add a short “Alternate Work Site for CUI” module:

  • Approved devices only
  • No personal email or consumer file-sharing for CUI
  • No photographing screens/whiteboards containing CUI
  • Handling of calls and meetings in public spaces
  • Reporting lost/stolen devices immediately

Keep acknowledgment records tied to user identity and role.

Step 6: Build recurring operational evidence (don’t wait for the audit)

Set a cadence that produces evidence naturally:

  • Access logs for remote connections (VPN/ZTNA/VDI)
  • Device compliance reports (encryption, EDR status)
  • MFA/conditional access policy snapshots
  • Ticketing records for exceptions and approvals
  • Periodic access reviews for remote access groups

Daydream can help by turning evidence requests into recurring tasks, linking each artifact to the SSP control statement, and showing what’s missing before an assessor finds it [1].
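The following is an added, constructed example (not code from the original page, from Daydream, or from NIST) showing how the Step 3 conditions (approved path, MFA, managed and compliant device, no local copies), the time-boxed exceptions of Step 4, and the recurring evidence of Step 6 can be expressed as a single policy-as-code check. It evaluates session records in an assumed JSON-lines layout, as a VPN/ZTNA/VDI gateway or SIEM export might produce; the field names, sample users, and ticket numbers are illustrative assumptions, not any vendor's schema.

```python
"""Policy-as-code check for remote CUI sessions (constructed example).

Evaluates remote-access session records, one JSON object per line, against
the baseline conditions for alternate work sites, honours unexpired,
ticketed exceptions, and rolls the result into an evidence summary.
All field names and sample data below are assumptions for illustration.
"""
import json
from datetime import datetime

# Assumed encoding of the Step 3 guardrails.
POLICY = {
    "approved_paths": {"vpn", "ztna", "vdi"},  # approved access path only
    "require_mfa": True,                        # strong authentication
    "require_managed_device": True,             # managed endpoints only
    "require_encryption": True,                 # disk encryption on
    "require_edr": True,                        # EDR/AV running
    "allow_local_copies": False,                # no download/sync/print
}
LOCAL_COPY_ACTIONS = {"download", "sync", "print"}

# Constructed session export (not real log data).
SAMPLE_LOG = """\
{"ts": "2024-05-01T08:02:11Z", "user": "alice", "path": "ztna", "mfa": true, "device": {"managed": true, "encrypted": true, "edr": true}, "actions": ["view", "edit"]}
{"ts": "2024-05-01T08:15:40Z", "user": "bob", "path": "direct", "mfa": true, "device": {"managed": true, "encrypted": true, "edr": true}, "actions": ["view"], "exception": {"ticket": "EXC-0042", "covers": ["UNAPPROVED_PATH"], "expires": "2024-05-03T00:00:00Z"}}
{"ts": "2024-05-01T09:01:05Z", "user": "carol", "path": "vpn", "mfa": false, "device": {"managed": true, "encrypted": true, "edr": true}, "actions": ["view"]}
{"ts": "2024-05-01T09:30:22Z", "user": "dave", "path": "vpn", "mfa": true, "device": {"managed": false, "encrypted": true, "edr": false}, "actions": ["view", "download"]}
{"ts": "2024-05-01T10:12:00Z", "user": "erin", "path": "vdi", "mfa": true, "device": {"managed": true, "encrypted": true, "edr": true}, "actions": ["print"], "exception": {"ticket": "EXC-0017", "covers": ["LOCAL_COPY"], "expires": "2024-04-15T00:00:00Z"}}
"""


def _parse_ts(s):
    """Parse an ISO-8601 UTC timestamp ending in 'Z' into an aware datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def evaluate_session(rec, policy=POLICY):
    """Return the list of violation codes for one session record."""
    violations = []
    if rec.get("path") not in policy["approved_paths"]:
        violations.append("UNAPPROVED_PATH")
    if policy["require_mfa"] and not rec.get("mfa", False):
        violations.append("NO_MFA")
    dev = rec.get("device", {})
    if policy["require_managed_device"] and not dev.get("managed", False):
        violations.append("UNMANAGED_DEVICE")
    if policy["require_encryption"] and not dev.get("encrypted", False):
        violations.append("DISK_NOT_ENCRYPTED")
    if policy["require_edr"] and not dev.get("edr", False):
        violations.append("EDR_MISSING")
    if not policy["allow_local_copies"] and LOCAL_COPY_ACTIONS & set(rec.get("actions", [])):
        violations.append("LOCAL_COPY")
    return violations


def apply_exception(rec, violations, as_of):
    """Split violations into those accepted by an unexpired exception and the rest.

    An expired exception (Step 4: time-boxed) accepts nothing.
    """
    exc = rec.get("exception")
    if not exc or _parse_ts(exc["expires"]) <= as_of:
        return [], violations
    covered = set(exc.get("covers", []))
    accepted = [v for v in violations if v in covered]
    still_open = [v for v in violations if v not in covered]
    return accepted, still_open


def evaluate_log(text, as_of, policy=POLICY):
    """Evaluate every JSON-lines record and return one finding per session."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        accepted, still_open = apply_exception(rec, evaluate_session(rec, policy), as_of)
        findings.append({
            "ts": rec["ts"],
            "user": rec["user"],
            "violations": still_open,
            "accepted_by_exception": accepted,
            "exception_ticket": rec.get("exception", {}).get("ticket"),
            "compliant": not still_open,
        })
    return findings


def evidence_summary(findings):
    """Roll findings into the counts an assessor asks for (Step 6 evidence)."""
    counts = {}
    for f in findings:
        for v in f["violations"]:
            counts[v] = counts.get(v, 0) + 1
    return {
        "sessions": len(findings),
        "compliant": sum(f["compliant"] for f in findings),
        "non_compliant_users": sorted({f["user"] for f in findings if not f["compliant"]}),
        "open_violations": counts,
        "exceptions_used": sorted({f["exception_ticket"] for f in findings if f["accepted_by_exception"]}),
    }


if __name__ == "__main__":
    report = evaluate_log(SAMPLE_LOG, as_of=_parse_ts("2024-05-01T12:00:00Z"))
    for f in report:
        status = "OK " if f["compliant"] else "FAIL"
        print(f"{status} {f['ts']} {f['user']:<6} open={f['violations']} accepted={f['accepted_by_exception']}")
    print(json.dumps(evidence_summary(report), indent=2))
```

Run on the constructed log with the evaluation time fixed at 2024-05-01T12:00Z, bob's direct access is accepted under the still-valid ticket EXC-0042, while erin's print action is an open LOCAL_COPY finding because EXC-0017 has expired; the summary therefore lists carol, dave and erin as non-compliant. Pinning `as_of` rather than reading the clock keeps each run reproducible, which is what makes the output usable as dated evidence rather than a one-off screenshot.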

Required evidence and artifacts to retain

Keep artifacts organized by “policy/design,” “implementation,” and “operating evidence”:

Policy / design artifacts

  • Remote work / alternate work site standard for CUI
  • Data handling standard for CUI (local storage, printing, file transfer rules)
  • Exception approval workflow and criteria
  • SSP control statement and boundary description [1]

Implementation artifacts (point-in-time proof)

  • VPN/ZTNA/VDI configuration screenshots/exports
  • Conditional access/MFA policy configuration exports
  • Endpoint encryption policy and compliance configuration
  • MDM/endpoint management baseline profile documentation

Operating evidence (time-based proof)

  • Remote access logs and authentication logs (sampled)
  • Endpoint compliance reports over time
  • User training completion and acknowledgments
  • Remote access group membership reviews and approvals
  • POA&M entries for gaps, with closure validation evidence [1]

Common exam/audit questions and hangups

Assessors tend to probe these areas [2]:

  • “Show me who can access CUI remotely.” Expect a list of groups, users, and approval records.
  • “Show me the technical enforcement.” They will ask for conditional access rules, VPN requirements, and device compliance checks.
  • “Can a personal device access CUI?” If the answer is “no,” they will test the control path. If the answer is “yes,” you need strong compensating controls and documentation.
  • “Where is CUI stored during remote work?” They will look for uncontrolled local folders, sync clients, and browser downloads.
  • “How do you handle travel?” Public Wi-Fi and shoulder-surfing are common pressure points; your training and requirements should address them.

Hangup pattern: teams have a remote-work policy but cannot produce logs, reports, or configurations that demonstrate enforcement. Treat “policy-only” as a gap.

Frequent implementation mistakes (and how to avoid them)

  1. Writing a remote-work policy that conflicts with reality.
    Fix: inventory actual remote access paths, then either shut down the risky ones or formalize them with controls and evidence.

  2. Allowing split handling of CUI across multiple unsanctioned tools.
    Fix: publish an “approved toolchain” for CUI work (approved storage, approved collaboration, approved remote access). Block the rest where feasible.

  3. No documented boundary for alternate work sites in the SSP.
    Fix: explicitly define whether endpoints are part of the system boundary or whether you require VDI and keep CUI off endpoints [1].

  4. No exception mechanism (so exceptions happen in the dark).
    Fix: create a fast approval path with logging and time limits; track systemic needs in the POA&M [1].

  5. Evidence scramble right before assessment.
    Fix: implement recurring evidence capture mapped to the control and store it with clear dates and owners (Sources: NIST SP 800-171 Rev. 3; NIST SP 800-171A).

Enforcement context and risk implications

No public enforcement cases were provided in the source catalog for this specific requirement. Even without case law, the risk is straightforward: alternate work sites increase exposure to credential theft, unmanaged devices, eavesdropping, and accidental spillage of CUI into personal accounts or consumer cloud storage. In a NIST SP 800-171 assessment, failure modes typically show up as missing or inconsistent evidence, unclear boundaries, and unenforced remote access rules (Sources: NIST SP 800-171 Rev. 3; NIST SP 800-171A).

Practical 30/60/90-day execution plan

First 30 days (stabilize and define)

  • Identify all alternate work site scenarios where CUI is touched (roles, tools, locations).
  • Decide your approved remote-work model for CUI (managed endpoint access, VDI-only, or other defined model).
  • Draft/update the SSP control statement for 03.10.06 and assign control owners [1].
  • Put a temporary rule in place: CUI remote access only through approved access path(s) while you harden controls.

Days 31–60 (enforce and instrument)

  • Implement or tighten MFA and conditional access for CUI systems.
  • Enroll endpoints in management, enforce encryption, and set compliance gates.
  • Configure logging and reporting so you can show remote access activity and device posture [2].
  • Stand up the exception workflow (ticket + approval + compensating controls + expiration).

Days 61–90 (prove operation and close gaps)

  • Run an internal “mini assessment” using NIST SP 800-171A-style prompts: interview, examine artifacts, test configurations [2].
  • Populate POA&M items for any gaps; define closure evidence and validate before marking complete [1].
  • Launch role-based training/acknowledgment for alternate work sites and collect completion records.
  • Put evidence collection on a recurring schedule and store artifacts in a system of record (Daydream or your existing GRC repository).

Frequently Asked Questions

Does 03.10.06 forbid remote work with CUI?

No. It drives you to define and enforce protections for CUI at alternate work sites, then prove those protections operate as designed [1].

Are personal (BYOD) laptops allowed for CUI at home?

The requirement does not provide a simple “yes/no” in the provided excerpt, but assessors will expect your SSP to define the boundary and your controls to enforce it with evidence (Sources: NIST SP 800-171 Rev. 3; NIST SP 800-171A). Many programs choose “managed devices only” because it is easier to evidence.

What evidence is most persuasive to an assessor?

Configuration exports (MFA/conditional access, VPN/ZTNA/VDI), endpoint compliance reports, remote access logs, and documented approvals for who gets remote CUI access [2].

How do we handle employees who travel and need CUI access?

Treat travel as an alternate work site use case with explicit rules (approved devices, approved access path, restrictions on local storage and printing) and require training and acknowledgment for those users.

Do third parties (subcontractors, IT support) fall under alternate work site controls?

If a third party accesses your CUI system remotely, you need equivalent guardrails for their identities, devices, and access paths, and you need evidence to show how you enforce and monitor that access (Sources: NIST SP 800-171 Rev. 3; NIST SP 800-171A).

Where should we document 03.10.06 to make audits easier?

Put the control statement, boundary, and implementation details in the SSP, track gaps in the POA&M, and store recurring evidence with clear dates and owners [1].

Footnotes

  [1] NIST SP 800-171 Rev. 3

  [2] NIST SP 800-171A
