PE.L2-3.10.6 relates to protecting Controlled Unclassified Information (CUI) at distributed locations. For small businesses that allow work-from-home or maintain satellite offices, the practical challenge is applying repeatable physical and technical controls outside a central secure facility. This post gives a Compliance Framework-aligned, actionable 10-point checklist plus implementation guidance, real-world examples, technical specifics, and compliance tips to meet NIST SP 800-171 Rev. 2 / CMMC 2.0 Level 2 expectations.
10-Point Checklist to Comply with PE.L2-3.10.6
- Inventory and label CUI assets: maintain a register of all CUI copies, devices (company- and employee-owned), and physical containers at each home/satellite location; mark items with agreed labeling conventions and a custody owner.
- Enforce device configuration baselines: require company-issued endpoints or MDM-enrolled BYOD with enforced full-disk encryption (e.g., AES-256 BitLocker/FileVault), screen lock after 5 minutes, and local administrator rights removed where practical.
- Use strong network controls: require VPN with MFA (or ZTNA) for access to internal CUI systems, block split tunneling for CUI traffic, and restrict remote desktop protocols to authenticated, logged gateways.
- Physical storage controls: mandate lockable filing cabinets for paper CUI, secure safes for removable media, and a clear-desk policy for work areas whenever they are unattended.
- Secure file handling and transfer: enforce enterprise file sync & share with IRM (e.g., Box/SharePoint with rights management), SFTP/HTTPS for file transfers, and disable non-approved cloud sync for CUI directories.
- Access control and identity verification: require enterprise identities with MFA, role-based access to CUI, and conditional access policies that block legacy protocols or non-compliant devices.
- Logging, monitoring, and remote response: forward endpoint and VPN logs to a central SIEM or log collector (via syslog/CEF), enable EDR with remote containment/wipe capability, and document incident response procedures for distributed locations.
- Physical visitor and co-location rules: prohibit co-workers/household members from accessing CUI workspaces; in satellite offices, control reception and require badge/visitor logs and supervised access to CUI areas.
- Training, attestations, and SOPs: require annual CUI handling training, signed remote work agreements describing approved CUI practices, and quick-reference SOPs for common scenarios (printing, shipping, device loss).
- Periodic audit and remediation: perform quarterly checks (remote or on-site) of inventories, encryption status, and MDM compliance reports, and maintain a Plan of Action and Milestones (POA&M) for each variance, with timelines for corrective actions.
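Checklist items 1, 2 and 10 are easiest to sustain when the quarterly check is a script rather than a manual comparison. The following is an added example, not code from the original post or from any MDM vendor: it joins a CUI asset register with an MDM compliance export and emits one POA&M finding per deviation from the device baseline. The register and export are constructed in-line as lists of dicts standing in for the CSV/JSON a real MDM (Intune, Jamf, Workspace ONE) produces; the 5-minute screen-lock value is the checklist baseline, while the 30/90-day remediation windows are assumptions for this example.

```python
"""Quarterly variance check for CUI devices at remote sites.

Added example, not code from the original post or from any MDM product. The
asset register and MDM export are constructed lists of dicts standing in for
the CSV/JSON exports a real MDM produces; the 5-minute screen-lock baseline
comes from the checklist, while the 30/90-day POA&M remediation windows are
assumptions for this example.
"""
from datetime import date, timedelta

SCREEN_LOCK_MAX_MINUTES = 5               # checklist baseline
DUE_DAYS = {"high": 30, "medium": 90}     # assumed POA&M windows by severity

# Constructed CUI asset register (checklist item 1): one row per device
ASSET_REGISTER = [
    {"asset_tag": "LT-001", "owner": "alice", "location": "home-office-1", "holds_cui": True},
    {"asset_tag": "LT-002", "owner": "bob",   "location": "satellite-A",   "holds_cui": True},
    {"asset_tag": "LT-003", "owner": "carol", "location": "home-office-2", "holds_cui": True},
    {"asset_tag": "LT-004", "owner": "dave",  "location": "hq",            "holds_cui": False},
]

# Constructed MDM compliance export (checklist item 2); LT-003 was never enrolled
MDM_EXPORT = [
    {"asset_tag": "LT-001", "disk_encrypted": True,  "screen_lock_minutes": 5,  "local_admin": False},
    {"asset_tag": "LT-002", "disk_encrypted": False, "screen_lock_minutes": 15, "local_admin": True},
    {"asset_tag": "LT-004", "disk_encrypted": True,  "screen_lock_minutes": 10, "local_admin": False},
]


def audit(register, mdm_export, today_iso):
    """Return one POA&M finding per baseline deviation on a CUI-holding device."""
    today = date.fromisoformat(today_iso)
    by_tag = {row["asset_tag"]: row for row in mdm_export}
    findings = []

    def add(tag, issue, severity):
        findings.append({
            "asset_tag": tag,
            "issue": issue,
            "severity": severity,
            "due": (today + timedelta(days=DUE_DAYS[severity])).isoformat(),
        })

    for asset in register:
        if not asset["holds_cui"]:
            continue                      # out of scope for this control
        tag = asset["asset_tag"]
        rec = by_tag.get(tag)
        if rec is None:
            # A CUI device with no MDM telemetry is the worst case: nothing is enforced
            add(tag, "CUI device not enrolled in MDM (no compliance telemetry)", "high")
            continue
        if not rec["disk_encrypted"]:
            add(tag, "full-disk encryption not enabled", "high")
        if rec["screen_lock_minutes"] > SCREEN_LOCK_MAX_MINUTES:
            add(tag, f"screen lock {rec['screen_lock_minutes']} min exceeds "
                     f"{SCREEN_LOCK_MAX_MINUTES} min baseline", "medium")
        if rec["local_admin"]:
            add(tag, "user holds local administrator rights", "medium")
    return findings


def poam_rows(findings):
    """Flatten findings into CSV-style rows for the POA&M spreadsheet."""
    return [f"{f['asset_tag']},{f['severity']},{f['due']},{f['issue']}" for f in findings]


if __name__ == "__main__":
    for row in poam_rows(audit(ASSET_REGISTER, MDM_EXPORT, "2024-01-15")):
        print(row)
```

The point of driving the check from the asset register rather than from the MDM export is that an unenrolled CUI device (LT-003 above) is invisible to the MDM and would otherwise never appear as a finding; keeping the output in POA&M row form means the quarterly run produces the evidence artifact directly.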
Practical implementation details (Compliance Framework specific)
Map each checklist item to your Compliance Framework evidence artifacts: inventory = inventory spreadsheet + screenshots of labeling; device baseline = MDM policy, enrollment reports, and BitLocker recovery key storage; network = VPN configuration, enterprise conditional access policy, and MFA logs. Small businesses can use cloud-based MDM (Microsoft Intune, Jamf, or VMware Workspace ONE) to enforce encryption, password/screen-lock policies, and remote wipe—document the enrollment workflow and retention of device telemetry as evidence. For secure file sharing, configure IRM on SharePoint or Box with tenant-level policies that prevent external sharing for CUI-labeled folders and capture audit trails for downloads.
Real-world small business scenarios
Scenario 1: A 12-person engineering firm issues company laptops with Intune and BitLocker. They disable USB mass storage for non-admins, require VPN+MFA for RDP, and place a lockable file cabinet in the remote office where paper drawings are kept. Evidence: Intune compliance reports, BitLocker key escrow in Azure AD, signed remote work agreements, and quarterly on-site cabinet checks.
Scenario 2: A subcontractor uses a co-working space as a satellite office. They contract a private room with controlled access, use pre-approved laptop docking stations, and require employees to log in and out via a company-managed access control app; visitors must be escorted. Evidence includes the co-working contract, access logs from the provider, and staff attestations.
Compliance tips and best practices
Use a risk-tiered approach: classify which CUI is mission-critical and apply the strictest controls there. Automate compliance checks: schedule daily MDM/compliance reports and aggregate them in a central dashboard. Keep an auditable chain of custody for removable media and use a secure courier policy for physical CUI transfers. Maintain a simple but enforceable Acceptable Use Policy and a remote-work checklist that employees must complete before handling CUI off-site. For small teams, designate a single compliance owner who runs monthly reviews and can produce evidence quickly for audits.
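An "auditable chain of custody" for removable media is only auditable if the record itself cannot be quietly edited after the fact. The following is an added example, not code from the original post: a small tamper-evident custody log in which every hand-off of an asset-tagged encrypted USB drive is hashed together with the previous record's hash, so a later edit or deletion of any record breaks the chain, and a continuity rule ensures only the current holder can pass the asset on. The asset tag, holder names and timestamps are constructed sample data.

```python
"""Tamper-evident chain-of-custody log for removable media.

Added example, not code from the original post. Each hand-off of an
asset-tagged (encrypted) USB drive is appended as a record whose SHA-256 hash
also covers the previous record's hash, so editing or deleting an earlier
record breaks every hash after it. Asset tags, names and timestamps below are
constructed sample data.
"""
import hashlib
import json

GENESIS_HASH = "0" * 64     # chain anchor for the first record


def _digest(fields, prev_hash):
    # Canonical JSON (sorted keys) so the same record always hashes the same way
    payload = json.dumps({"prev": prev_hash, **fields}, sort_keys=True).encode()
    return hashlib.sha256(payload).hexdigest()


class CustodyLog:
    def __init__(self):
        self.entries = []

    def current_holder(self, asset_tag):
        """Whoever received the asset in its most recent record (None if never logged)."""
        holder = None
        for e in self.entries:
            if e["asset_tag"] == asset_tag:
                holder = e["to_holder"]
        return holder

    def transfer_allowed(self, asset_tag, from_holder):
        """Continuity rule: only the current holder can hand the asset on."""
        holder = self.current_holder(asset_tag)
        return holder is None or holder == from_holder

    def record(self, asset_tag, from_holder, to_holder, timestamp, purpose):
        if not self.transfer_allowed(asset_tag, from_holder):
            raise ValueError(f"{from_holder} is not the current holder of {asset_tag}")
        prev = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        fields = {
            "asset_tag": asset_tag, "from_holder": from_holder, "to_holder": to_holder,
            "timestamp": timestamp, "purpose": purpose,
        }
        entry = dict(fields, hash=_digest(fields, prev))
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Walk the chain; return (True, None) if intact, else (False, index of first bad record)."""
        prev = GENESIS_HASH
        for i, e in enumerate(self.entries):
            fields = {k: v for k, v in e.items() if k != "hash"}
            if _digest(fields, prev) != e["hash"]:
                return False, i
            prev = e["hash"]
        return True, None


def build_sample_log():
    """Constructed custody history for one encrypted USB drive shipped to a satellite office."""
    log = CustodyLog()
    log.record("USB-0007", "it-vault", "alice", "2024-03-04T09:00", "checkout for site visit")
    log.record("USB-0007", "alice", "courier-acme", "2024-03-05T16:30", "shipped to satellite office")
    log.record("USB-0007", "courier-acme", "bob", "2024-03-06T10:15", "received at satellite office")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", log.verify(), "holder:", log.current_holder("USB-0007"))
```

In practice the log would be persisted (a JSON-lines file or a table) and the latest hash periodically copied somewhere the log's editors cannot reach, such as the compliance owner's monthly review notes, so that `verify()` has an independent anchor to compare against.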
Technical controls and configurations
Specifics you can implement immediately: enable BitLocker with TPM+PIN on Windows and escrow keys to Azure AD; enable FileVault on macOS with an institutional recovery key; configure VPN (IKEv2 or OpenVPN with TLS 1.2+/TLS 1.3) plus TOTP or FIDO2 MFA; build conditional access policies to block non-compliant devices; deploy EDR (CrowdStrike, SentinelOne) with automated containment and remote wipe; forward logs using syslog/CEF to a cloud SIEM (Splunk Cloud, Azure Sentinel) for retention and alerting. Disable SMBv1 and legacy authentication, enforce TLS 1.2+ for services, and if you must use USB drives for removable media, use hardware-encrypted drives tracked with asset tags.
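Forwarding logs in CEF is only half of "retention and alerting"; the SIEM also needs rules that express the expectations above (VPN only with MFA, no non-compliant devices, no split tunneling, RDP only through the logged gateway). The following is an added example, not code from the original post or from any SIEM or VPN vendor: a minimal CEF parser plus those four detection rules run over constructed log lines. The vendor names, the custom-string labels (cs1Label=mfaMethod, cs2Label=deviceCompliant, cs3Label=splitTunnel) and the approved gateway hostname rdp-gw-01 are assumptions for this example, not any product's real schema.

```python
"""Detection rules over forwarded CEF logs.

Added example, not code from the original post. The log lines are constructed
to resemble what a VPN gateway and an edge firewall might forward via
syslog/CEF; the vendor names, custom-string labels and gateway hostname are
assumptions for this example, not a real product's schema.
"""
import re

CEF_HEADER_FIELDS = ("version", "vendor", "product", "dev_version", "sig_id", "name", "severity")
# key=value pairs; the lookahead stops each value at the next " key=" or end of line
_EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

APPROVED_RDP_GATEWAYS = {"rdp-gw-01"}   # assumed: the only host allowed to originate RDP

# Constructed sample records (not real telemetry)
SAMPLE_LOGS = [
    "CEF:0|ExampleVPN|Gateway|3.1|100|VPN login|3|suser=alice src=203.0.113.10 outcome=success cs1Label=mfaMethod cs1=fido2 cs2Label=deviceCompliant cs2=true cs3Label=splitTunnel cs3=false",
    "CEF:0|ExampleVPN|Gateway|3.1|100|VPN login|3|suser=bob src=198.51.100.7 outcome=success cs1Label=mfaMethod cs1=none cs2Label=deviceCompliant cs2=true cs3Label=splitTunnel cs3=false",
    "CEF:0|ExampleVPN|Gateway|3.1|100|VPN login|3|suser=carol src=198.51.100.9 outcome=success cs1Label=mfaMethod cs1=totp cs2Label=deviceCompliant cs2=false cs3Label=splitTunnel cs3=true",
    "CEF:0|ExampleFW|Edge|7.0|200|Connection allowed|2|shost=rdp-gw-01 dst=10.10.1.20 dpt=3389 suser=alice",
    "CEF:0|ExampleFW|Edge|7.0|200|Connection allowed|2|shost=laptop-dave dst=10.10.1.20 dpt=3389 suser=dave",
]


def parse_cef(line):
    """Split a CEF record into its seven header fields plus an extension dict.

    Simplification: escaped pipes inside header fields are not handled. Custom
    string fields (cs1..cs6) are renamed using their csNLabel when present.
    """
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    parts = line[4:].split("|", 7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    record = dict(zip(CEF_HEADER_FIELDS, parts[:7]))
    ext = dict(_EXT_RE.findall(parts[7]))
    for key in list(ext):                  # resolve csNLabel=foo / csN=bar into foo=bar
        if key.endswith("Label"):
            base = key[:-5]
            if base in ext:
                ext[ext.pop(key)] = ext.pop(base)
    record["ext"] = ext
    return record


def detect(records):
    """Apply the remote-access expectations as detection rules; return (rule, user) alerts."""
    alerts = []
    for r in records:
        e = r["ext"]
        user = e.get("suser", "?")
        if r["name"] == "VPN login" and e.get("outcome") == "success":
            if e.get("mfaMethod", "none") == "none":
                alerts.append(("vpn_login_without_mfa", user))
            if e.get("deviceCompliant") == "false":
                alerts.append(("vpn_login_from_noncompliant_device", user))
            if e.get("splitTunnel") == "true":
                alerts.append(("split_tunnel_enabled_for_cui_session", user))
        # RDP (3389) must originate from the authenticated, logged gateway only
        if e.get("dpt") == "3389" and e.get("shost") not in APPROVED_RDP_GATEWAYS:
            alerts.append(("rdp_not_via_approved_gateway", user))
    return alerts


def run(lines=SAMPLE_LOGS):
    return detect(parse_cef(line) for line in lines)


if __name__ == "__main__":
    for rule, user in run():
        print(f"ALERT {rule}: {user}")
```

Each alert here corresponds to a control the conditional access or VPN policy should already be enforcing; firing on them in the SIEM is the compensating check that the policy is actually applied, and the alert history doubles as evidence for the audit.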
Risk of not implementing PE.L2-3.10.6 protections
Failing to secure CUI at remote or satellite locations exposes you to data leakage, supply-chain cascade breaches, contract termination, and loss of future DoD or federal work. Practical consequences include theft of intellectual property, regulatory fines, damaged business relationships, and litigation. Operationally, a lost laptop without encryption can lead to months of forensic response and mandated notifications—costs that typically dwarf the investment in basic controls like MDM and encryption.
In summary, meeting PE.L2-3.10.6 for CUI at home and satellite offices is achievable for small businesses with disciplined inventory and labeling, enforceable device and network controls (MDM, encryption, VPN/MFA), physical safeguards (lockable storage, visitor management), documented policies and training, and continuous monitoring with a remediation cadence—use the 10-point checklist above as your implementation roadmap and record mapping to your Compliance Framework artifacts to demonstrate ongoing compliance.