PE-17: Alternate Work Site

PE-17: Alternate Work Site requires you to determine and document what alternate work sites employees are allowed to use (for example, home offices, coworking spaces, client sites) and make that decision auditable. Operationalize it by defining approved site types, setting minimum security conditions for each, and keeping proof that employees and managers follow the rules. 1

Key takeaways:

  • You must explicitly define which alternate work sites are allowed, not rely on informal “remote work is fine” norms. 1
  • The control lives or dies on documentation: a decision record, criteria, and repeatable evidence of enforcement. 1
  • Treat alternate sites as part of your physical security boundary and align requirements with data sensitivity and system impact level. 2

Remote and hybrid work made “where work happens” a security decision. PE-17 is the requirement that forces you to make that decision explicitly and keep it documented so an assessor can verify it. The regulatory expectation is simple: determine and document the alternate work site(s) employees are allowed to use. 1

For a Compliance Officer, CCO, or GRC lead, the fastest path is to convert this into a short, enforceable standard: approved alternate site categories, minimum conditions per category, and a workflow that ties HR/people policies to IT access and endpoint controls. You are not trying to police every kitchen table. You are proving that your organization made a risk-based decision, communicated it, and can show it is followed.

This page gives requirement-level implementation guidance you can hand to control owners in HR, Security, Facilities, and IT. It also includes the evidence artifacts auditors ask for, the hangups that create findings, and a practical execution plan you can run without turning PE-17 into a sprawling “remote work program.”

Regulatory text

Control requirement (excerpt): “Determine and document the {{ insert: param, pe-17_odp.01 }} allowed for use by employees;” 1

What the operator must do

PE-17 is a documentation-driven control with a clear operational outcome:

  1. Determine what alternate work site(s) are permitted for employees.
  2. Document that determination in a durable, reviewable artifact (policy/standard + supporting record).
  3. Make it specific enough that managers, employees, IT, and auditors can all answer the same question: “Where are employees allowed to work, and under what conditions?” 1

NIST does not prescribe the exact list of sites. You set it based on mission needs and risk tolerance, then prove you did so in a controlled way. 2

Plain-English interpretation (what PE-17 means in practice)

The PE-17 alternate work site requirement means your organization must have a clear, written position on remote/alternate work locations. “Allowed” should be unambiguous. If your real-world practice includes employees working from home, client sites, hotels, coworking spaces, or public spaces, your documentation needs to reflect what is permitted and what is not.

A good interpretation statement you can adopt internally:

  • “Employees may only access organizational systems from approved alternate work site types. Each type has minimum physical and environmental conditions (privacy, device security, network constraints). Exceptions require documented approval.” 1

Who it applies to

Entity types

PE-17 commonly applies to:

  • Federal information systems adopting NIST SP 800-53 controls. 2
  • Contractor systems handling federal data where NIST SP 800-53 is a contractual or program requirement. 2

Operational contexts where auditors focus

Assessors tend to probe PE-17 when:

  • The organization supports remote/hybrid work at scale.
  • Staff access systems from non-corporate locations (travel, field work, client sites).
  • Sensitive workloads exist (regulated data, controlled unclassified information, high-impact systems).
  • There is reliance on third parties (contractors, outsourced service desks) working offsite, even if their “employee” status differs. You may still need parallel requirements in third-party contracts to avoid a control gap.

What you actually need to do (step-by-step)

Use this sequence to operationalize PE-17 quickly and make it assessable.

Step 1: Define “alternate work site” for your environment

Write a one-paragraph definition that fits your operations. Include examples and exclusions.

Example scope statement

  • Included: employee home office, client site, approved coworking site, approved satellite office.
  • Excluded: public cafés, airports, any location where privacy cannot be maintained.

Keep this aligned with your acceptable use, telework/remote work, and access control policies. 2

Step 2: Establish approved site categories and minimum conditions

Create a simple matrix. This becomes the heart of your PE-17 documentation.

Alternate work site matrix (for each site type: Allowed?, Minimum conditions, i.e. write what “good” looks like, and Approval / exception rule):

  • Home office
    Allowed?: Yes/No
    Minimum conditions: Private space; company-managed endpoint; screen lock; secure storage for any paper; no smart speaker in work area (if you choose)
    Approval / exception rule: Manager approval and acknowledgment

  • Coworking space
    Allowed?: Yes/No
    Minimum conditions: Private room required; no public Wi-Fi unless via approved secure connection; no printing
    Approval / exception rule: Security approval required

  • Client site
    Allowed?: Yes/No
    Minimum conditions: Follow client physical rules plus your endpoint rules; prevent shoulder surfing
    Approval / exception rule: Engagement owner approval

  • Public spaces (café/airport)
    Allowed?: Yes/No
    Minimum conditions: If allowed at all, restrict to low-risk activities; no sensitive data display
    Approval / exception rule: Explicit exception only

You are not required to choose these categories, but you must determine and document what you allow. 1

Step 3: Tie “allowed sites” to technical enforcement where possible

PE-17 is a physical/environment decision, but it becomes defensible when paired with technical controls. Map the site categories to enforceable requirements such as:

  • Corporate VPN / secure tunneling expectations
  • Device management (MDM/EDR), disk encryption, screen timeout
  • Conditional access (block unmanaged devices; restrict high-risk logins)
  • Data handling rules (no local downloads; approved storage only)

You are building an audit story: policy says where, standards say how, and systems enforce key parts. 2

Step 4: Implement a lightweight approval and exception workflow

Define:

  • Who can approve an alternate work site (manager, security, facilities)
  • What triggers an exception (travel, emergency, client requirement)
  • What must be recorded (request, approver, duration/conditions if you track them, and reason)

Keep it practical: a ticketing workflow or HR system acknowledgment is usually enough if it is retained and searchable.

Step 5: Communicate and collect acknowledgments

Publish the standard in your policy repository and:

  • Add it to onboarding for employees and relevant third parties
  • Require periodic acknowledgment if your organization uses that mechanism
  • Provide a one-page “remote work do’s/don’ts” that matches the allowed site matrix

Step 6: Make it auditable with recurring evidence

PE-17 findings are often “paper gaps.” Schedule evidence collection:

  • Changes to allowed site categories are version-controlled.
  • Exceptions are logged and reviewable.
  • A sample set of acknowledgments exists for the population in scope.

Daydream (or any GRC system) becomes useful here as the control system of record: assign a control owner, store the approved matrix, link the implementation procedure, and set recurring evidence tasks so PE-17 does not decay into tribal knowledge.
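The recurring evidence review in Step 6 (and the periodic exception sampling in the ongoing phase of the execution plan) can be partly automated once the Step 2 matrix and the Step 4 record format are fixed. The following Python script is an added example, not code from the page or from any GRC product: it encodes a reduced form of the site matrix, checks each approval/exception record for the fields Step 4 says must be captured, verifies that the approver role matches the matrix and that exception-only site types were in fact handled as exceptions, and flags exceptions that run past an assumed 90-day re-approval limit. The site types, roles, field names, the 90-day limit, and the sample log are all constructed assumptions.

```python
"""Added example: review an alternate-work-site approval/exception log against the
documented site matrix (PE-17 Steps 2, 4 and 6). All site types, roles, limits and
sample records below are constructed assumptions, not NIST-prescribed values."""
from datetime import date

# Step 2 matrix, reduced to the fields an automated review can check.
# "allowed": usable with routine approval; False means exception only.
# "approver_roles": who may sign off, per the matrix's approval/exception column.
SITE_MATRIX = {
    "home_office":  {"allowed": True,  "approver_roles": {"manager"}},
    "coworking":    {"allowed": True,  "approver_roles": {"security"}},
    "client_site":  {"allowed": True,  "approver_roles": {"engagement_owner"}},
    "public_space": {"allowed": False, "approver_roles": {"security"}},
}

# Step 4: what every record must capture (request, approver, reason, duration).
REQUIRED_FIELDS = ("id", "employee", "site_type", "kind", "approver",
                   "approver_role", "reason", "start", "end")
MAX_EXCEPTION_DAYS = 90  # assumed re-approval interval for exceptions


def check_record(rec, matrix=SITE_MATRIX):
    """Return a list of findings for one log record (empty list means clean)."""
    findings = []
    missing = [f for f in REQUIRED_FIELDS if rec.get(f) in (None, "")]
    if missing:
        findings.append("missing fields: " + ", ".join(missing))

    site = matrix.get(rec.get("site_type"))
    if site is None:
        findings.append("site type not in approved matrix: %r" % rec.get("site_type"))
        return findings  # nothing else can be checked without a matrix row

    role = rec.get("approver_role")
    if role and role not in site["approver_roles"]:
        findings.append("approver role %r not authorized for %s" % (role, rec["site_type"]))

    if not site["allowed"] and rec.get("kind") != "exception":
        findings.append("site type is exception-only but record is not an exception")

    start, end = rec.get("start"), rec.get("end")
    if start and end:
        if end < start:
            findings.append("end date precedes start date")
        elif rec.get("kind") == "exception" and (end - start).days > MAX_EXCEPTION_DAYS:
            findings.append("exception exceeds %d-day limit; needs re-approval" % MAX_EXCEPTION_DAYS)
    return findings


def review_log(records, matrix=SITE_MATRIX):
    """Map record id -> findings; the output feeds the Step 6 evidence packet."""
    return {rec.get("id", "<no id>"): check_record(rec, matrix) for rec in records}


def summarize(results):
    """Counts an assessor typically asks for: reviewed, clean, and flagged records."""
    flagged = {rid: f for rid, f in results.items() if f}
    return {"reviewed": len(results), "clean": len(results) - len(flagged), "flagged": len(flagged)}


# Constructed sample log (not real data); comments note the defect each bad record carries.
SAMPLE_LOG = [
    {"id": "AWS-001", "employee": "e.alvarez", "site_type": "home_office", "kind": "approval",
     "approver": "m.chen", "approver_role": "manager", "reason": "standing hybrid arrangement",
     "start": date(2024, 1, 8), "end": date(2024, 12, 31)},
    {"id": "AWS-002", "employee": "k.osei", "site_type": "coworking", "kind": "approval",
     "approver": "m.chen", "approver_role": "manager", "reason": "private room booked",
     "start": date(2024, 3, 1), "end": date(2024, 3, 31)},        # manager cannot approve coworking
    {"id": "AWS-003", "employee": "r.patel", "site_type": "public_space", "kind": "approval",
     "approver": "s.lee", "approver_role": "security", "reason": "airport layover",
     "start": date(2024, 4, 2), "end": date(2024, 4, 2)},         # public space must be an exception
    {"id": "AWS-004", "employee": "j.kim", "site_type": "client_site", "kind": "exception",
     "approver": "d.ruiz", "approver_role": "engagement_owner", "reason": "",
     "start": date(2024, 2, 1), "end": date(2024, 8, 1)},         # no reason recorded, runs 182 days
    {"id": "AWS-005", "employee": "t.nguyen", "site_type": "hotel", "kind": "exception",
     "approver": "s.lee", "approver_role": "security", "reason": "travel",
     "start": date(2024, 5, 6), "end": date(2024, 5, 10)},        # site type never documented
]

if __name__ == "__main__":
    results = review_log(SAMPLE_LOG)
    for rid, findings in results.items():
        print(rid, "OK" if not findings else "; ".join(findings))
    print(summarize(results))
```

Run against an export of your real ticketing or HRIS log (mapped to the same field names), the per-record findings and the summary counts are the kind of artifact that can be attached to the control record each audit period; a site type that appears in the log but not in the matrix is itself evidence that the documented list has drifted from practice.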

Required evidence and artifacts to retain

Keep evidence tight and directly tied to the “determine and document” language. 1

Minimum evidence set:

  • Alternate Work Site Standard (or section inside telework/remote work policy) with approved site types and conditions
  • Decision record showing who approved the allowed site types (Security/Facilities/HR sign-off)
  • Exception/approval log (tickets, forms, approvals)
  • Employee acknowledgment evidence (HRIS acknowledgment, training completion, or signed policy)
  • Control mapping: owner, procedure, and evidence list (a control register entry)

Helpful supporting artifacts:

  • Conditional access/VPN configuration screenshots or exports that reflect your stated requirements
  • Remote work onboarding checklist
  • Third-party contract clauses or addenda for offsite work rules (if applicable)

Common exam/audit questions and hangups

Auditors tend to test PE-17 with “show me” questions:

  1. “What alternate work sites are allowed?” If you answer verbally but cannot point to a controlled document, expect a gap. 1
  2. “Who decided and when was it last reviewed?” Your version history and approver list matter.
  3. “How do you handle coworking/public spaces?” Ambiguity here creates inconsistent practice.
  4. “How do you enforce it?” Pure policy with no workflow or technical tie-in reads as weak operation.
  5. “Do contractors follow the same rules?” If contractors access the same systems, inconsistent rules create exposure.

Frequent implementation mistakes (and how to avoid them)

  1. Mistake: Treating PE-17 as “we have a remote work policy.”
    Fix: Make the “allowed site types” explicit and easy to find, preferably in a matrix.

  2. Mistake: Over-scoping to impossible-to-prove statements.
    Fix: Write conditions you can actually verify through procedure, training, spot checks, or technical controls.

  3. Mistake: No exception process.
    Fix: Create a simple approval path. Most orgs need one for travel, client work, or emergencies.

  4. Mistake: Conflicting documents (HR says one thing, Security says another).
    Fix: Publish a single authoritative standard and reference it from HR and Security docs.

  5. Mistake: No evidence cadence.
    Fix: Put PE-17 on an evidence calendar with ownership. A GRC workflow in Daydream can assign collection tasks and keep artifacts linked to the control.

Enforcement context and risk implications

No public enforcement cases were provided in the source catalog for PE-17, so this page does not cite specific actions.

Operationally, PE-17 gaps show up as:

  • Increased likelihood of visual privacy breaches and inadvertent disclosure (screen viewing, conversations, paper handling).
  • Higher risk of device loss or theft when work expands into travel and shared spaces.
  • Weak audit posture: you cannot demonstrate control over where work occurs, which can cascade into findings across access control, incident response, and data protection control families. 2

Practical execution plan (30/60/90-day)

The phase names below are a sequence, not a time-to-implement claim; no specific implementation durations are asserted here. Compress or expand the phases based on your environment.

Immediate (stabilize scope and documentation)

  • Name a control owner (usually Security/Facilities with HR partnership).
  • Draft the allowed alternate work site matrix and get sign-off.
  • Publish the standard in a controlled repository with versioning. 1

Near-term (operationalize and connect to enforcement)

  • Add an approval/exception workflow in your ticketing system.
  • Update onboarding and policy acknowledgment steps.
  • Align technical controls (VPN/conditional access/MDM) to your stated minimum conditions. 2

Ongoing (evidence and continuous compliance)

  • Review allowed site types when business operations change (new offices, acquisitions, expanded travel).
  • Sample exceptions periodically to confirm approvals match policy.
  • Maintain an evidence packet per audit period (standard, approvals, exceptions, acknowledgments, technical alignment).

Frequently Asked Questions

Do we have to approve specific addresses for employee home offices to meet the PE-17: Alternate Work Site requirement?

PE-17 requires you to determine and document what alternate work sites are allowed; the control text provided does not require enumerating every address. Define whether “home office” is an approved category and what minimum conditions apply, then keep evidence of acknowledgment and exceptions. 1

Are coworking spaces allowed under PE-17?

They can be, but only if your organization determines they are allowed and documents the conditions. Many teams allow coworking only with private rooms and additional approvals because shared spaces complicate privacy and physical security. 1

Does PE-17 apply to contractors and third parties?

The applicability statement in your program may focus on employees, but risk often extends to third parties accessing the same systems. If contractors work offsite, mirror the alternate work site rules in contracts and onboarding so your control story stays consistent. 2

What’s the minimum evidence an auditor will accept for PE-17?

Expect to show a controlled document listing allowed site types, proof of approval/versioning, and proof employees were informed (acknowledgment or training). If you allow exceptions, keep a log with approvals. 1

How do we “enforce” alternate work site rules without being invasive?

Focus on enforceable boundaries: managed devices, conditional access, VPN requirements, and clear rules for public spaces. Pair that with a documented exception process rather than trying to monitor physical locations. 2

How should we document PE-17 in a GRC tool like Daydream?

Create a single control record for PE-17 with an owner, implementation procedure, and recurring evidence tasks. Attach the allowed-site matrix, approval record, and the latest acknowledgment/exceptions exports so an assessor can review the control end-to-end in one place. 1

Footnotes

  1. NIST SP 800-53 Rev. 5 OSCAL JSON

  2. NIST SP 800-53 Rev. 5
