NIST 800-171 Control 3.10.6: Alternative Work Sites
Alternative work sites introduce significant risk to CUI security when proper safeguards aren't enforced. Control 3.10.6 requires organizations to apply consistent security measures across all locations where controlled unclassified information is accessed, processed, or stored. Without documented alternate work site policies, you expose sensitive data to unauthorized access and regulatory non-compliance.
What this means
This control mandates that security safeguards protecting CUI at primary facilities must be equally enforced at alternative work locations—including remote offices, employee homes, client sites, and temporary workspaces. Organizations must establish baseline security requirements, conduct risk assessments for alternate sites, and monitor compliance continuously. The control recognizes that work location flexibility is necessary but cannot compromise the confidentiality, integrity, or availability of CUI.
How to comply
- 1.Document an alternate work site policy defining which locations qualify and what security controls apply
- 2.Classify work sites by risk level (high-sensitivity areas, public spaces, home offices) with corresponding control baselines
- 3.Require security assessments before approving new alternate work locations
- 4.Enforce technical controls: VPN access, endpoint encryption, multi-factor authentication, and network isolation
- 5.Implement physical security requirements (locked storage, clean desk policies, visitor access logs)
- 6.Establish monitoring and audit logging for CUI access from alternate sites
- 7.Conduct periodic compliance reviews and security audits of active alternate work locations
- 8.Provide security awareness training for remote workers on alternate site responsibilities
Evidence auditors look for
- Approved alternate work site policy document with security requirements and risk classifications
- Signed alternate work site security agreements from employees accessing CUI remotely
- Risk assessment reports completed for approved work locations (home offices, branch sites, client facilities)
- VPN and endpoint protection deployment records showing coverage for remote workers
- Access logs and audit trails demonstrating CUI access monitoring from alternate locations
- Security training completion records specific to remote work and alternate site responsibilities
- Periodic compliance audit reports validating safeguard enforcement at alternate work sites
- Incident reports and remediation records for alternate site security violations
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates alternate work site approval workflows, tracks security agreements and assessments, and monitors compliance through continuous access logging—eliminating manual tracking and ensuring no remote worker slips through your 3.10.6 safeguards.
See how GRCWatch handles this control automatically
Start free trial