
How to Build a Compliance Checklist to Protect CUI at Remote and Alternate Work Sites (NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2, Control PE.L2-3.10.6)

Practical steps and a ready checklist to help small businesses protect Controlled Unclassified Information (CUI) at remote and alternate work sites to meet NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 PE.L2-3.10.6 requirements.

March 27, 2026 · 5 min read


Protecting Controlled Unclassified Information (CUI) when employees work remotely or from alternate work sites is a common gap for small businesses working toward NIST SP 800-171 Rev.2 and CMMC 2.0 Level 2 compliance (Control PE.L2-3.10.6). This post gives a practical, actionable checklist and implementation advice you can use today to reduce risk and demonstrate compliance.

What PE.L2-3.10.6 requires (plain language)

At its core, PE.L2-3.10.6 compels organizations to ensure that physical and logical protections for CUI extend beyond the primary office: remote employees, home offices, co-working spaces and any alternate site where CUI might be accessed, processed, or stored. That means you must identify where CUI may appear offsite, apply equivalent protections (encryption, access controls, training, and monitoring), and document controls as part of your Compliance Framework evidence.

Step-by-step checklist to build and validate protections

Use the following checklist as your working compliance artifact. For each item record the responsible owner, evidence (policy, logs, screenshots), and review frequency.
1) Inventory CUI flows to remote/alternate sites (what data, who, why, where).
2) Risk assessment for each remote scenario (home, hotel, co-working, client site).
3) Policy: Remote work and alternate site restrictions, device use, printing, and storage rules.
4) Device controls: Full-disk encryption, approved MDM enrollment, EDR, and baseline config enforcement.
5) Network controls: VPN with MFA, approved protocols (IKEv2/OpenVPN/WireGuard) and certificate-based auth where feasible.
6) Physical controls: Lockable storage for printed CUI, privacy screens, cable locks, and secure disposal/shredding.
7) Access controls: Least privilege, role-based access, and session timeouts (screen lock within 5 minutes recommended).
8) Logging & monitoring: Centralized log collection (syslog/SIEM) and periodic remote-access audit trails.
9) Training & attestations: Mandatory remote-work security training and periodic employee attestations.
10) Incident response & remote wipe playbook: Steps and responsible parties to isolate, wipe, and report lost/stolen devices.

Technical controls: concrete implementations

Be specific about technology. Require FIPS 140-2/3–validated crypto for systems that will hold CUI (AES-256 recommended). Enforce full-disk encryption with BitLocker (Windows) or FileVault (macOS) and enforce secure key escrow via your MDM or Active Directory. Use an MDM (Microsoft Intune, Jamf, or Workspace ONE) to push configuration baselines: disable USB mass storage, enforce complex passcodes, require disk encryption, configure automatic updates, and turn on EDR (CrowdStrike, SentinelOne, etc.). For network access mandate an enterprise VPN with MFA (hardware tokens or FIDO2 preferred); where possible use certificate-based authentication to prevent credential theft. Implement per-app VPNs or containerized storage (managed apps with encryption and data loss prevention) if corporate data must be accessed on personal devices.
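The device-control items above (full-disk encryption, MDM enrollment, EDR, USB mass storage disabled, screen lock within 5 minutes) only help if you can prove every CUI-authorized device actually meets them. The script below is an added example, not code from the original post or from any MDM vendor: it reads a constructed, generic MDM inventory export (the column names are an assumption; map them to whatever your Intune, Jamf or Workspace ONE export actually produces) and lists the baseline deviations per CUI-authorized device, which is exactly the drift report an assessor will ask to see.

```python
"""Evaluate an MDM device-inventory export against the remote-work baseline.

Added example. SAMPLE_EXPORT is a constructed CSV imitating a generic MDM
compliance export; its column names are assumptions, not a vendor schema.
"""
import csv
import io

# Baseline derived from the controls in the text: disk encryption on,
# MDM enrolled, EDR running, USB mass storage disabled, screen lock <= 5 min.
BASELINE = {
    "disk_encrypted": "true",
    "mdm_enrolled": "true",
    "edr_running": "true",
    "usb_storage_disabled": "true",
}
MAX_SCREEN_LOCK_MINUTES = 5

# Constructed sample export: one clean device, several with drift, one
# device that is not authorized for CUI and is therefore out of scope.
SAMPLE_EXPORT = """\
hostname,owner,os,disk_encrypted,mdm_enrolled,edr_running,usb_storage_disabled,screen_lock_minutes,cui_authorized
ENG-LT-01,alice,Windows,true,true,true,true,5,true
ENG-LT-02,bob,macOS,true,true,false,true,10,true
ENG-LT-03,carol,Windows,false,true,true,false,5,true
FIELD-TAB-01,dave,iOS,true,true,true,true,2,false
BYOD-LT-09,erin,Windows,true,false,false,false,15,true
"""


def parse_export(text):
    """Parse the CSV export into a list of per-device dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def findings_for_device(row):
    """Return the list of baseline fields this device record fails."""
    findings = []
    for field, expected in BASELINE.items():
        if row.get(field, "").strip().lower() != expected:
            findings.append(field)
    # A missing or non-numeric screen-lock value is treated as a failure,
    # since the control cannot be shown to be enforced.
    try:
        lock = int(row.get("screen_lock_minutes", ""))
    except ValueError:
        lock = None
    if lock is None or lock > MAX_SCREEN_LOCK_MINUTES:
        findings.append("screen_lock_minutes")
    return findings


def evaluate(text):
    """Return {hostname: [deviations]} for CUI-authorized devices with drift."""
    report = {}
    for row in parse_export(text):
        if row.get("cui_authorized", "").strip().lower() != "true":
            continue  # devices never authorized for CUI are out of scope here
        failed = findings_for_device(row)
        if failed:
            report[row["hostname"]] = failed
    return report


if __name__ == "__main__":
    for host, devs in evaluate(SAMPLE_EXPORT).items():
        print(f"{host}: {', '.join(devs)}")
```

Run it against a real export on a schedule and keep the output with the export itself: the pair (raw export plus the drift report and who remediated each line) is the evidence artifact for checklist item 4.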

Physical and procedural controls for alternate sites

Small businesses often underestimate simple physical mitigations. Require that employees keep CUI in locked drawers or portable lockboxes when working remotely. Prohibit printing of CUI unless a secure, trusted printer is used, and require immediate pickup and shredding of printed materials. For co-working or client spaces, require privacy screens, have employees sit with their back to a wall when possible, and never leave devices unattended. Contract language for third-party locations should include CUI handling clauses (non-disclosure, physical security minimums), and you should perform a light risk assessment before allowing prolonged CUI work at that site.

Administrative controls, monitoring, and evidence collection

Documented administrative controls demonstrate that your compliance program is active. Maintain a remote-work policy, a CUI marking and handling standard, and acceptance criteria for devices. Collect evidence: device inventory exports from your MDM, BitLocker/FileVault compliance reports, VPN connection logs, and training completion records. Configure your SIEM or log collector to retain VPN and authentication logs for the contractually required retention period, and schedule quarterly audits to validate controls. For suppliers and contractors, maintain signed attestations and proof of their controls (e.g., MSA addenda, SOC reports).
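The "periodic remote-access audit trail" from checklist item 8 and the VPN-with-MFA requirement from item 5 come together in a log review. The following is an added example, not code from the original post or from any VPN vendor: it parses constructed VPN session log lines in a generic key=value syslog style (real appliances use their own formats, so the regex and field names are assumptions to adapt), checks each login against a stand-in MDM inventory, flags logins without MFA or from unmanaged devices, and marks off-hours logins for human review. The per-user session counts are the kind of summary that goes into the quarterly audit record.

```python
"""Audit VPN session logs for remote CUI access.

Added example. SAMPLE_LOG is constructed in a generic key=value syslog
style; MANAGED_DEVICES stands in for an MDM device-inventory export.
Both the log format and the field names are assumptions.
"""
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed stand-in for the MDM inventory of company-issued, enrolled devices.
MANAGED_DEVICES = {"ENG-LT-01", "ENG-LT-02", "ENG-LT-03"}

# Hours (UTC) in which remote CUI access is expected; anything else is
# not a violation by itself but is flagged for review in the audit.
BUSINESS_HOURS = range(6, 21)

# Constructed sample: one clean login, one without MFA, one from a
# personal device, one session close, and one off-hours login.
SAMPLE_LOG = """\
2026-03-20T08:02:11Z vpn01 session=open user=alice device=ENG-LT-01 mfa=fido2 src=203.0.113.10
2026-03-20T08:05:40Z vpn01 session=open user=bob device=ENG-LT-02 mfa=none src=198.51.100.7
2026-03-20T09:10:02Z vpn01 session=open user=erin device=BYOD-LT-09 mfa=push src=192.0.2.44
2026-03-20T17:30:00Z vpn01 session=close user=alice device=ENG-LT-01
2026-03-21T03:12:55Z vpn01 session=open user=carol device=ENG-LT-03 mfa=push src=203.0.113.99
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Turn one log line into a dict; returns None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = dict(tok.split("=", 1) for tok in m["kv"].split() if "=" in tok)
    event["ts"] = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc
    )
    event["host"] = m["host"]
    return event


def audit(log_text):
    """Return (findings, per_user_session_counts) over session=open events.

    Each finding is a (user, device, reason) tuple.
    """
    findings = []
    sessions = Counter()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or ev.get("session") != "open":
            continue
        user, device = ev.get("user", "?"), ev.get("device", "?")
        sessions[user] += 1
        # Item 5: VPN access must use MFA; a missing field counts as none.
        if ev.get("mfa", "none") == "none":
            findings.append((user, device, "no MFA on VPN login"))
        # Item 4: only MDM-enrolled company devices may reach CUI.
        if device not in MANAGED_DEVICES:
            findings.append((user, device, "device not in MDM inventory"))
        # Item 8: off-hours access is queued for review, not auto-blocked.
        if ev["ts"].hour not in BUSINESS_HOURS:
            findings.append((user, device, "off-hours login, review"))
    return findings, sessions


if __name__ == "__main__":
    found, counts = audit(SAMPLE_LOG)
    for user, device, reason in found:
        print(f"{user} / {device}: {reason}")
    print("sessions per user:", dict(counts))
```

Point the script at your SIEM's VPN export for the quarter and file the findings list, the session summary and the ticket numbers for each remediation together; that bundle is the audit-trail evidence the control asks for.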

Real-world small-business scenarios:

1) A 12-person engineering subcontractor sets a rule that only company-issued laptops (with MDM and BitLocker) may access CUI; employees working from home must store devices in a lockable cabinet and use the company VPN with Duo MFA. Evidence: device inventory, MDM compliance report, VPN logs, and signed employee remote-work attestation.

2) A field service provider allows technicians to access CUI at client sites but prohibits local storage: data is accessed via streamed, containerized web apps with no download ability; the technician uses a privacy screen and cable lock and completes monthly training. Evidence: device config, DLP policy logs, and training records.

Risks of not implementing PE.L2-3.10.6 are concrete and immediate: accidental or intentional exfiltration of CUI, loss of DoD contracts, financial penalties, reputational damage, and downstream supply-chain consequences. For small businesses the typical vector is an unmanaged personal device or an unattended laptop in a public space; both are preventable with the checklist items above. Without monitoring and documented evidence, you also cannot demonstrate compliance during audits or assessments.

Compliance tips and best practices: prioritize controls that give the highest assurance for the lowest friction: require company devices with MDM first, then add VPN+MFA and disk encryption. Use automated evidence collection (MDM and SIEM exports) to simplify audits. Keep policies short and prescriptive (do X, don't do Y), and map each checklist item to evidence artifacts and an owner. Run quarterly tabletop exercises for device loss and remote incidents and include alternate-site scenarios. Finally, align configurations to a recognizable baseline (CMMC/NIST mapping sheet) so assessors can quickly see adherence.

In summary, meeting PE.L2-3.10.6 is a mix of policy, proven technical controls, physical protections, training, and documented evidence, all of which can be organized into a concise checklist that a small business can implement in phases. Start by inventorying CUI and mandating company devices and MDM, then layer in network controls, logging, and physical safeguards; maintain evidence and review regularly to keep your compliance program demonstrable and your CUI safe at every work site.
