NIST 800-171 - Alternate Work Site (3.10.6)

Overview:
Enforce safeguarding measures for CUI at alternate work sites (e.g., telework sites).

Action Items:
3.10.6[a]
Determine if: safeguarding measures for CUI are defined for alternate work sites.

3.10.6[b]
Determine if: safeguarding measures for CUI are enforced for alternate work sites.

POTENTIAL ASSESSMENT METHODS AND OBJECTS

1
Examine: Physical and environmental protection policy; procedures addressing alternate work sites for personnel; system security plan; list of safeguards required for alternate work sites; assessments of safeguards at alternate work sites; other relevant documents or records].

2
Interview: Personnel approving use of alternate work sites; personnel using alternate work sites; personnel assessing controls at alternate work sites; personnel with information security responsibilities].

3
Test: Organizational processes for security at alternate work sites; mechanisms supporting alternate work sites; safeguards employed at alternate work sites; means of communications between personnel at alternate work sites and security personnel].

Related Documents (document name and content will vary by organization):
1) Physical and environmental protection policy
2) procedures addressing alternate work sites for personnel
3) system security plan
4) list of safeguards required for alternate work sites
5) assessments of safeguards at alternate work sites
6) other relevant documents or records

Additional Guidance:
Alternate work sites may include, for example, government facilities or private residences of employees. Organizations may define different security requirements for specific alternate work sites or types of sites depending on the work-related activities conducted at those sites. NIST Special Publications 800-46 and 800-114 provide guidance on enterprise and user security when teleworking.