This post explains how to build a practical, auditable checklist to secure Controlled Unclassified Information (CUI) at home offices and satellite locations to meet NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 control PE.L2-3.10.6, with concrete implementation steps, technical specifics, and small-business scenarios.
What PE.L2-3.10.6 requires and key objectives
At a high level, PE.L2-3.10.6 requires you to enforce safeguarding measures for CUI at alternate work sites, meaning anywhere CUI is handled outside the primary facility: home offices, remote workers, and satellite or coworking locations. The key objectives are: (1) ensure CUI is stored and processed only where approved controls exist, (2) provide defense in depth so that a physical weakness does not expose digital data, and (3) produce auditable evidence that the controls were implemented and are being monitored.
Implementation notes (CMMC-specific)
For CMMC alignment, treat each home or satellite location as a "facility" in your system security plan (SSP) and map its controls to the requirement. Document baseline configurations, the owner or responsible party, and the evidence types you will collect (photos of safes and locks, MDM/NAC logs, EDR alerts, training records). Where possible, feed that evidence into your continuous-monitoring process so attestations rest on real telemetry rather than one-off checks.
Actionable checklist — physical controls and handling
Start with a physical-control checklist you can use during onboarding and audits. Items to include: locked storage (an approved safe or lockable filing cabinet, bolt-anchored if it sits in a shared space); secure printing practices (no unattended printed CUI); visual privacy measures (privacy screens or films for laptops used in public settings); cable locks for laptops; secure disposal (a cross-cut shredder or secure pickup for printed CUI); and visitor restrictions in satellite offices (visitor sign-in, escorted access to areas where CUI is handled). For each item, record the responsible person, the verification method, and the frequency (e.g., weekly spot-checks or quarterly audits).
Actionable checklist — technical controls
Technical controls should directly support the physical protections: require whole-disk encryption (AES-256) on every endpoint that stores or accesses CUI, using BitLocker on Windows (with TPM 2.0 and Secure Boot) and FileVault 2 on macOS; enforce MFA for remote access and cloud portals; route CUI traffic through an enterprise VPN with split tunneling disabled, or through a zero-trust access solution; and deploy an MDM/EDR solution that enforces device hygiene (patch level, anti-malware, disk-encryption status) and supports remote wipe. For small businesses, vendor-managed offerings (e.g., Microsoft Intune with Defender, or Jamf with an endpoint-protection product) reduce operational overhead and produce the logs assessors will ask for.
Device and network specifics
Require endpoints to have TPM-backed BitLocker enabled, Secure Boot turned on, automatic updates configured for the OS and security agents, and antivirus with tamper protection. On the network side, use WPA3 for home Wi-Fi where possible, require unique, strong passphrases, and recommend or enforce a separate SSID or VLAN for guest devices at satellite offices. If employees use personal routers, include approved configuration templates (changed admin password, current firmware, UPnP disabled) in the telework policy and require a periodic screenshot or MDM attestation as evidence.
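The script below is an added example, not part of the original post or of any vendor product: it collects the endpoint evidence the two sections above call for (BitLocker with a TPM protector and AES-256, TPM 2.0, Secure Boot, Defender with tamper protection, patch age) and writes a date-stamped JSON attestation record. It assumes Windows 10/11 with the BitLocker PowerShell module and Microsoft Defender, an elevated session, and check and file names of my own choosing; note that BitLocker's default cipher is XTS-AES-128, so the AES-256 requirement must be set by policy before that check passes.

```powershell
#Requires -RunAsAdministrator
# Collect endpoint evidence for the technical checklist and write it as a JSON
# record. Requires Windows 10/11 with the BitLocker module and Microsoft Defender.
# Check names and the output path are this example's own choices (assumptions).

function Get-CuiEndpointAttestation {
    param([string]$User = $env:USERNAME, [string]$Location = 'home-office')

    $os   = Get-CimInstance Win32_OperatingSystem
    $bios = Get-CimInstance Win32_BIOS
    $sys  = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $tpm  = Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $mp   = Get-MpComputerStatus -ErrorAction SilentlyContinue
    $secureBoot = $false
    try { $secureBoot = Confirm-SecureBootUEFI } catch { }   # throws on legacy BIOS: treated as a fail
    $lastPatch = (Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1).InstalledOn

    $checks = [ordered]@{
        # Whole-disk encryption with protection on. The Windows default cipher is
        # XTS-AES-128, so a drive encrypted with defaults fails the AES-256 check.
        SystemDriveFullyEncrypted = ($sys.VolumeStatus -eq 'FullyEncrypted' -and $sys.ProtectionStatus -eq 'On')
        EncryptionIsAes256        = ($sys.EncryptionMethod -in 'Aes256', 'XtsAes256')
        TpmProtectorInUse         = [bool]($sys.KeyProtector | Where-Object KeyProtectorType -like 'Tpm*')
        Tpm20Present              = ($null -ne $tpm -and "$($tpm.SpecVersion)" -like '2.0*')
        SecureBootEnabled         = [bool]$secureBoot
        DefenderRealtimeOn        = ($null -ne $mp -and $mp.RealTimeProtectionEnabled)
        DefenderTamperProtected   = ($null -ne $mp -and $mp.IsTamperProtected)
        SignaturesUnder3DaysOld   = ($null -ne $mp -and $mp.AntivirusSignatureAge -le 3)
        OsPatchedWithin30Days     = ($null -ne $lastPatch -and $lastPatch -gt (Get-Date).AddDays(-30))
    }

    [pscustomobject]@{
        CollectedUtc = (Get-Date).ToUniversalTime().ToString('o')
        Hostname     = $env:COMPUTERNAME
        Serial       = $bios.SerialNumber      # links this record to the asset inventory
        User         = $User
        Location     = $Location
        OsVersion    = $os.Version
        Checks       = $checks
        Compliant    = -not ($checks.Values -contains $false)
    }
}

# One date-stamped file per run so monthly attestations accumulate as evidence.
$record = Get-CuiEndpointAttestation
$path = Join-Path $env:ProgramData ('CuiAttestation-{0:yyyyMMdd}.json' -f (Get-Date))
$record | ConvertTo-Json -Depth 4 | Set-Content -Path $path -Encoding UTF8
$record.Checks
```

Have the MDM run it as a scheduled script and collect the JSON file, or have remote staff attach it to their monthly self-attestation.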
Administrative controls, training, and contractual considerations
Administrative controls are often the weakest link but easiest to implement: add telework and satellite office language to your SSP and policies, sign addenda to subcontractor agreements requiring compliance, and maintain a CUI handling SOP that covers marking, storage, printing, transfer, and destruction. Train staff annually and at onboarding with scenarios focused on home-office risks (package theft, family members accessing devices, working in public spaces). Require employees to self-attest monthly that their home-office controls remain in place and capture those attestations as evidence.
Monitoring, evidence collection, and lifecycle management
Implement logging and evidence collection as part of the checklist: check MDM/EDR dashboards for device compliance daily, archive VPN and conditional access logs for 90 days, and record quarterly physical inspections (photos of locks/safes). Maintain an asset inventory that links device serial numbers to user, location, and CUI access level. For lifecycle: define processes for onboarding (checklist + configuration), change control (approved exceptions documented), and decommissioning (verified wipe and physical recovery or disposal of devices storing CUI).
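As an added example (not from the original post), this PowerShell reconciles the asset inventory with an MDM compliance export, the monthly self-attestations from the administrative controls above, and the quarterly physical-inspection log, and lists what is missing for each CUI-bearing device. All data is constructed inline and the field names are assumptions; point the ConvertFrom-Json calls at your real exports.

```powershell
# Constructed sample data standing in for the asset inventory, the MDM compliance
# export, monthly self-attestations and the quarterly inspection log (field names are this example's own).
$inventory = ConvertFrom-Json @'
[{"Serial":"SN-0001","User":"alice","Location":"home-alice","CuiAccess":"full"},
 {"Serial":"SN-0002","User":"bob","Location":"coworking-north","CuiAccess":"full"},
 {"Serial":"SN-0003","User":"carol","Location":"home-carol","CuiAccess":"none"},
 {"Serial":"SN-0004","User":"dave","Location":"home-dave","CuiAccess":"full"}]
'@
$mdmExport = ConvertFrom-Json @'
[{"Serial":"SN-0001","Encrypted":true,"EdrHealthy":true,"LastCheckIn":"2024-05-31"},
 {"Serial":"SN-0002","Encrypted":false,"EdrHealthy":true,"LastCheckIn":"2024-05-30"},
 {"Serial":"SN-0003","Encrypted":true,"EdrHealthy":true,"LastCheckIn":"2024-05-31"}]
'@
$attestations = ConvertFrom-Json @'
[{"User":"alice","SignedOn":"2024-05-03"},{"User":"bob","SignedOn":"2024-03-15"},{"User":"dave","SignedOn":"2024-05-20"}]
'@
$inspections = ConvertFrom-Json @'
[{"Location":"home-alice","InspectedOn":"2024-04-10"},{"Location":"coworking-north","InspectedOn":"2024-01-22"}]
'@
function Get-CuiComplianceFindings {
    param($Inventory, $MdmExport, $Attestations, $Inspections, [datetime]$AsOf = (Get-Date))
    $mdm = @{}; foreach ($d in $MdmExport)   { $mdm[$d.Serial]   = $d }
    $att = @{}; foreach ($a in $Attestations) { $att[$a.User]     = [datetime]$a.SignedOn }
    $ins = @{}; foreach ($i in $Inspections)  { $ins[$i.Location] = [datetime]$i.InspectedOn }
    $findings = [System.Collections.Generic.List[object]]::new()
    function Add-Finding($Asset, $Issue) {
        $findings.Add([pscustomobject]@{ Serial = $Asset.Serial; User = $Asset.User; Location = $Asset.Location; Issue = $Issue })
    }
    # Scope: only devices that store or access CUI produce PE.L2-3.10.6 findings.
    foreach ($asset in ($Inventory | Where-Object CuiAccess -ne 'none')) {
        $d = $mdm[$asset.Serial]
        if ($null -eq $d) { Add-Finding $asset 'not enrolled in MDM: no compliance telemetry, no remote wipe' }
        else {
            if (-not $d.Encrypted)  { Add-Finding $asset 'whole-disk encryption not enabled' }
            if (-not $d.EdrHealthy) { Add-Finding $asset 'EDR agent unhealthy or missing' }
            if (([datetime]$d.LastCheckIn) -lt $AsOf.AddDays(-7)) { Add-Finding $asset 'no MDM check-in in 7 days' }
        }
        if (-not $att.ContainsKey($asset.User) -or $att[$asset.User] -lt $AsOf.AddMonths(-1)) {
            Add-Finding $asset 'monthly home-office self-attestation missing or stale'
        }
        if (-not $ins.ContainsKey($asset.Location) -or $ins[$asset.Location] -lt $AsOf.AddMonths(-3)) {
            Add-Finding $asset 'quarterly physical inspection (photos of locks/safes) missing or stale'
        }
    }
    return $findings
}

# Each finding becomes a POA&M entry with an owner and a remediation date.
Get-CuiComplianceFindings $inventory $mdmExport $attestations $inspections -AsOf ([datetime]'2024-06-01') | Format-Table -AutoSize
```

With the sample data it reports three findings for bob's coworking laptop (unencrypted, stale attestation, stale inspection) and two for dave (not enrolled in MDM, no inspection on file), while carol's non-CUI device is correctly out of scope.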
Real-world small business scenarios and timelines
Example 1: A 20-person subcontractor with 5 remote workers — Week 1: inventory remote locations and devices; Week 2–4: enable BitLocker/FileVault, enroll devices in MDM, deploy VPN and MFA; Month 2: distribute safes or require locked cabinets for paper CUI and train staff; Month 3: begin weekly MDM compliance checks and quarterly physical checks. Example 2: Small team in a coworking satellite — implement access-controlled room booking, provide a lockable cabinet for CUI, require guests to be escorted, and ensure the coworking provider signs a non-disclosure and basic physical security addendum.
Risk of not implementing PE.L2-3.10.6 and compliance consequences
Failing to implement these controls increases the risk of data leakage, loss of DoD contracts, and regulatory fines. A typical breach scenario: a laptop holding CUI is stolen from a home office where disk encryption was never enforced. That single event can compromise prime-contractor data, trigger mandatory breach notification, damage your reputation, cost you the contract, and add deficiencies to your CMMC assessment. From a compliance perspective, missing documented controls, evidence, or continuous monitoring will produce deficiencies under CMMC Level 2 and block certification.
Compliance tips and best practices
Keep evidence simple and automated where possible: screenshots of MDM compliance reports, VPN logs, photos of physical controls, signed policies stored in your compliance system. Use a POA&M to track exceptions and remediation dates. Prefer managed services with FedRAMP or DoD SRG-aligned offerings for cloud storage of CUI. Conduct at least one tabletop exercise per year that simulates loss of a CUI-bearing device in a home or satellite office and validate incident response and notification steps.
Summary: Treat each remote location as a mini-facility — document, apply layered physical and technical controls, automate evidence collection, train staff, and monitor continuously. Using the checklists and timelines above, a small business can create auditable controls that satisfy NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 PE.L2-3.10.6 and materially reduce the risk of CUI exposure at home offices and satellite locations.