
How to Produce Compliance Evidence: Documentation Templates for Enforcing CUI Safeguards at Alternate Work Sites — NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - PE.L2-3.10.6

Practical templates and evidence collection steps to enforce Controlled Unclassified Information (CUI) safeguards at alternate work sites for meeting NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 PE.L2-3.10.6 requirements.

April 17, 2026
4 min read


This post gives actionable documentation templates and step-by-step evidence collection guidance to demonstrate you are enforcing CUI safeguards at alternate work sites in accordance with NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 (Control PE.L2-3.10.6), aimed at small businesses and DoD subcontractors that need pragmatic, verifiable artifacts for audits and assessments.

What this control requires (practical summary)

The requirement text is "Enforce safeguarding measures for CUI at alternate work sites." At a practical level, PE.L2-3.10.6 requires you to ensure CUI protections still apply when employees or contractors work from alternate locations (home offices, customer sites, hotels, co-working spaces). That means documented policies, site-specific risk assessments, technical controls (encrypted endpoints, VPN with MFA, EDR, endpoint configuration enforcement), and attestation or training records proving personnel follow those controls; assessors expect artifacts that map each policy statement to implemented technical and procedural evidence.

Documentation templates and evidence you should produce

Produce and maintain the following templates and completed artifacts:

1. Alternate Work Site Assessment Template. Fields: site identifier, address, CUI types permitted, physical access control status (locks, visitor policies), Wi‑Fi classification (trusted/untrusted), device inventory, required controls (VPN, full disk encryption, EDR), assessor name, date, mitigation recommendations, and acceptance signature.
2. Telework / Alternate Site Security Policy. Scope, permitted CUI handling, device baseline, remote access requirements (VPN protocol, allowed ports, split-tunnel policy), and disciplinary actions.
3. Employee Attestation & Acknowledgement form. Employee name, role, approved site(s), confirmation of device configuration and storage rules, signature and date.
4. Technical Implementation Evidence Package. Exported VPN configuration, VPN connection logs showing successful MFA, EDR policy export and last-seen telemetry, BitLocker/FileVault compliance report, firewall rule set snapshot, and a backup of the endpoint configuration management (MDM) profile.
5. Training and Awareness Record. Training module name, completion date, quiz results, and signed acknowledgement.
6. Periodic Review and Reassessment Log. Schedule, findings, remediation actions, and closure evidence.

Implementation steps and specific technical details

Start by mapping CUI flows to alternate sites: which data types and workflows will touch CUI outside the primary facility. Enforce endpoint encryption (BitLocker with TPM+PIN on Windows, FileVault 2 on macOS) and verify it through MDM compliance reports rather than user self-report. Require an enterprise VPN with strong encryption (IKEv2/IPsec, OpenVPN with TLS plus tls-crypt or tls-auth, or WireGuard with managed key rotation) and disable split tunneling so traffic destined for internal CUI systems is forced through corporate controls; if a risk decision permits split tunneling for a particular site, record that decision in the site assessment. Supply a VPN connection log extract showing username, source IP, connection time, and successful MFA (TOTP or FIDO2); many VPN gateways log only the authentication outcome, so the MFA step itself may have to come from the identity provider's sign-in log correlated by username and timestamp. Apply EDR that enforces policy and can provide an exportable policy document and endpoint status (e.g., endpoints reporting healthy in the console with a last check-in timestamp). Configure firewall rules to limit inbound and outbound access to required resources and produce a configuration dump as evidence (rule names, source/destination, ports, and timestamps). Keep log retention consistent with your policy (e.g., retain VPN and EDR logs for one year so they are available at assessment time). If personal devices are allowed, require a signed Bring Your Own Device (BYOD) agreement and MDM enrollment with controls that prevent local file sync of CUI to unapproved cloud services.
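
The steps above produce three separate exports (VPN log, MDM encryption report, EDR status) that an assessor will want joined into one table. The following script is an added example, not code from the original post or from any VPN, MDM or EDR vendor: it correlates constructed sample exports into one evidence row per remote session and emits the findings an assessor would raise (session without MFA, connection from an IP not tied to an approved site, unencrypted device, stale or unhealthy EDR). The CSV column names, the approved-site mapping and the 7-day EDR check-in threshold are assumptions; real exports will need their columns mapped to these names.

```python
"""Added example, not code from the original post: correlate constructed VPN,
MDM and EDR exports into one PE.L2-3.10.6 evidence table and flag gaps.
Column names, the approved-site map and the 7-day threshold are assumptions."""
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample exports (assumed column names; IPs are documentation ranges).
VPN_LOG_CSV = """timestamp,username,source_ip,mfa_method,mfa_result,status
2026-04-01T08:02:11Z,jdoe,203.0.113.10,fido2,success,connected
2026-04-01T08:15:43Z,asmith,198.51.100.22,totp,success,connected
2026-04-01T09:30:05Z,asmith,198.51.100.22,none,,connected
2026-04-02T07:55:00Z,jdoe,192.0.2.77,fido2,success,connected
2026-04-02T10:00:00Z,bjones,203.0.113.10,totp,failure,denied
"""
MDM_EXPORT_CSV = """device_name,owner,os,disk_encryption
LT-ENG-01,jdoe,windows,enabled
LT-ENG-02,asmith,windows,disabled
MB-FLD-01,bjones,macos,enabled
"""
EDR_EXPORT_CSV = """device_name,last_checkin,health
LT-ENG-01,2026-04-02T07:50:00Z,healthy
LT-ENG-02,2026-03-20T12:00:00Z,healthy
MB-FLD-01,2026-04-02T09:58:00Z,degraded
"""
# Approved alternate work sites from completed site assessments (assumed):
# egress IP -> (site identifier, employee approved to work there).
APPROVED_SITES = {
    "203.0.113.10": ("SITE-HOME-JDOE", "jdoe"),
    "198.51.100.22": ("SITE-HOME-ASMITH", "asmith"),
}
AS_OF = datetime(2026, 4, 2, 12, 0, tzinfo=timezone.utc)  # evidence collection date


@dataclass(frozen=True)
class Finding:
    scope: str    # "device" or "session"
    subject: str  # device name, or "<timestamp>/<username>" for a session
    issue: str


def parse_iso(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_csv(text: str) -> list:
    return list(csv.DictReader(io.StringIO(text)))


def build_evidence(vpn_csv, mdm_csv, edr_csv, approved_sites, as_of,
                   max_checkin_age=timedelta(days=7)):
    """Return (evidence rows, findings): one row per connected VPN session,
    joined to the user's MDM device record and that device's EDR status."""
    mdm_by_owner = {r["owner"]: r for r in load_csv(mdm_csv)}
    edr_by_device = {r["device_name"]: r for r in load_csv(edr_csv)}
    findings = []

    # Device-level checks run once per enrolled device, not once per session.
    for dev in mdm_by_owner.values():
        name, edr = dev["device_name"], edr_by_device.get(dev["device_name"])
        if dev["disk_encryption"] != "enabled":
            findings.append(Finding("device", name, "disk encryption not enabled"))
        if edr is None:
            findings.append(Finding("device", name, "no EDR record"))
        else:
            if as_of - parse_iso(edr["last_checkin"]) > max_checkin_age:
                findings.append(Finding("device", name,
                                        f"EDR last check-in older than {max_checkin_age.days} days"))
            if edr["health"] != "healthy":
                findings.append(Finding("device", name, f"EDR health: {edr['health']}"))
    bad_devices = {f.subject for f in findings if f.scope == "device"}

    rows = []
    for s in load_csv(vpn_csv):
        if s["status"] != "connected":
            continue  # denied attempts are not remote CUI access; report them separately
        sid = f'{s["timestamp"]}/{s["username"]}'
        site = approved_sites.get(s["source_ip"])
        site_ok = site is not None and site[1] == s["username"]
        mfa_ok = s["mfa_result"] == "success"
        dev = mdm_by_owner.get(s["username"])
        if not mfa_ok:
            findings.append(Finding("session", sid, "VPN session without successful MFA"))
        if not site_ok:
            findings.append(Finding("session", sid, "source IP not mapped to an approved site for this user"))
        if dev is None:
            findings.append(Finding("session", sid, "no MDM-enrolled device for user"))
        dev_name = dev["device_name"] if dev else "NONE"
        edr = edr_by_device.get(dev_name, {})
        rows.append({
            "timestamp": s["timestamp"], "username": s["username"], "source_ip": s["source_ip"],
            "site_id": site[0] if site_ok else "UNAPPROVED",
            "mfa": f'{s["mfa_method"]}:{s["mfa_result"] or "none"}',
            "device": dev_name, "disk_encryption": dev["disk_encryption"] if dev else "unknown",
            "edr_last_checkin": edr.get("last_checkin", "unknown"),
            "edr_health": edr.get("health", "unknown"),
            "compliant": bool(mfa_ok and site_ok and dev and dev_name not in bad_devices),
        })
    return rows, findings


def run_demo():
    return build_evidence(VPN_LOG_CSV, MDM_EXPORT_CSV, EDR_EXPORT_CSV, APPROVED_SITES, AS_OF)


if __name__ == "__main__":
    rows, findings = run_demo()
    for r in rows:
        print(r)
    for f in findings:
        print(f"{f.scope:8} {f.subject:32} {f.issue}")
```

On the constructed data only the first session is fully compliant: one session carries no MFA result, one comes from an IP that no site assessment covers, one laptop has encryption disabled and has not checked in to EDR for 13 days, and one field device reports degraded EDR health. Write the rows out with csv.DictWriter and file them with the Technical Implementation Evidence Package; the findings list is the input to the Periodic Review and Reassessment Log.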

Sample technical artifact examples

Examples of artifacts auditors find convincing: a PDF of the Alternate Work Site Assessment signed by the CISO; a CSV export of VPN logs filtered for staff who accessed an internal file-share from a specified remote IP; a screenshot of the MDM console showing enforced disk encryption for a named device with timestamp; EDR alert history showing blocked suspicious behavior on an alternate-site endpoint; and a dated employee attestation PDF stored in HR records. Include a network diagram (small PNG/SVG) showing how remote traffic is routed through VPN -> IDS/Proxy -> internal CUI systems.
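
An evidence package is only as convincing as its integrity: an assessor needs to know the PDF, CSV and screenshots in the package are the ones collected on the stated date and were not altered afterwards. The following is an added example, not code from the original post, that builds a SHA-256 manifest over the package with a hash chain across the artifacts and verifies it later, reporting modified, missing, unlisted or re-ordered files. The artifact names and contents are constructed placeholders; recording or signing the final package digest out of band (in the review log, a ticket, or with an organizational signing key) is assumed and not shown.

```python
"""Added example, not code from the original post: build and verify a
SHA-256 manifest for the PE.L2-3.10.6 evidence package so each artifact is
timestamped and later modification, removal or substitution is detectable.
Artifact names and contents below are constructed placeholders."""
import hashlib
import json

SAMPLE_ARTIFACTS = {  # constructed; a real package holds the exported files
    "alt-site-assessment-SITE-HOME-JDOE.pdf": b"%PDF-1.4 constructed placeholder\n",
    "vpn-log-2026-04.csv": b"timestamp,username,source_ip,mfa_result\n"
                           b"2026-04-01T08:02:11Z,jdoe,203.0.113.10,success\n",
    "mdm-encryption-report.csv": b"device_name,disk_encryption\nLT-ENG-01,enabled\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(artifacts: dict, collected_at: str, control: str = "PE.L2-3.10.6") -> dict:
    """Per-artifact digests plus a hash chain over (name, digest) in sorted
    order; the final chain value is the package digest to record or sign."""
    chain = sha256_hex(f"{control}|{collected_at}".encode())
    entries = []
    for name in sorted(artifacts):
        digest = sha256_hex(artifacts[name])
        chain = sha256_hex(f"{chain}|{name}|{digest}".encode())
        entries.append({"name": name, "size": len(artifacts[name]),
                        "sha256": digest, "chain": chain})
    return {"control": control, "collected_at": collected_at,
            "artifacts": entries, "package_digest": chain}


def verify_manifest(manifest: dict, artifacts: dict) -> list:
    """Return a list of problems; an empty list means the package matches."""
    problems = []
    chain = sha256_hex(f'{manifest["control"]}|{manifest["collected_at"]}'.encode())
    for e in manifest["artifacts"]:
        data = artifacts.get(e["name"])
        if data is None:
            problems.append(f'missing: {e["name"]}')
        elif sha256_hex(data) != e["sha256"]:
            problems.append(f'modified: {e["name"]}')
        # Recompute the chain from the recorded digests so an edited manifest
        # entry is caught even if the file on disk was changed to match it.
        chain = sha256_hex(f'{chain}|{e["name"]}|{e["sha256"]}'.encode())
        if chain != e["chain"]:
            problems.append(f'chain break at: {e["name"]}')
    if chain != manifest["package_digest"]:
        problems.append("package digest mismatch")
    listed = {e["name"] for e in manifest["artifacts"]}
    problems.extend(f"unlisted: {n}" for n in sorted(set(artifacts) - listed))
    return problems


if __name__ == "__main__":
    m = build_manifest(SAMPLE_ARTIFACTS, "2026-04-02T12:00:00Z")
    print(json.dumps(m, indent=2))
    print("verify:", verify_manifest(m, SAMPLE_ARTIFACTS) or "OK")
```

The chain means a manifest entry cannot be quietly rewritten to match an altered file without also rewriting every later chain value and the package digest; that is why the package digest, not just the manifest, belongs in the dated review log or under a signature. Store the manifest alongside the artifacts and re-run the verification at each periodic review.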

Real-world small business scenarios and evidence mapping

Scenario 1: A 12-person engineering subcontractor has two developers who occasionally work from home on CUI-containing drawings. Evidence set: signed Telework Security Policy, a completed Alternate Site Assessment for each of the two home offices, VPN logs for the two developers showing connections with MFA, MDM exports proving BitLocker is enabled on their laptops, and training completion records. Scenario 2: A field technician accesses CUI at customer facilities using a company laptop. Evidence set: a deployment checklist showing EDR and disk encryption were applied before travel, a ticketed authorization listing the approved customer sites, a remote-access firewall rule snapshot limiting the technician's access to the technician VLANs, and an attestation signed by the technician for each trip.

Compliance tips, best practices, and risks of not implementing

Best practices: enforce least privilege and just-in-time access, centralize log retention and automate evidence exports monthly, tie alternate site approvals to contract requirements, and integrate attestations into onboarding and travel checklists. Treat the templates as living documents and timestamp every artifact. Risks of non-compliance include inadvertent CUI disclosure over unsecured Wi‑Fi, malware on unmanaged endpoints, contract penalties or loss of DoD work, reputational damage, and higher remediation costs after a breach. On the technical side, leaving split-tunnel VPN enabled and omitting endpoint encryption are the gaps assessors most commonly flag, and both are high-risk exfiltration vectors.

Summary: To meet PE.L2-3.10.6 you need policy + site assessments + technical enforcement + personnel attestations, packaged into repeatable templates and supported by verifiable artifacts (log exports, MDM/EDR reports, signed forms). Implement the templates above, automate evidence collection where possible, and schedule periodic reviews to ensure alternate work site protections remain intact and auditable.

 
