Description:   

Alternate work sites may include government facilities or the private residences of employees. Organizations may define different security requirements for specific alternate work sites or types of sites depending on the work-related activities conducted at those sites. [SP 800-46] and [SP 800-4] provide guidance on enterprise and user security when teleworking.


Priority: Medium


Category: Personnel Security 


Services Associated with AWS:   

NA

 

Objective Evidence:   

  • Administrative: documented policies, standards & procedures
  • Administrative: supporting documentation to demonstrate how Work From Home (WFH) workplaces are to be secured
  • Administrative: supporting documentation to demonstrate how alternate workplaces (other than WFH) are to be secured
  • Administrative: supporting documentation to demonstrate the "secure practices" used to build technology platform-specific secure baseline configurations
  • Technical: screenshot of endpoint protection mechanisms
  • Technical: screenshot of VPN configurations 

 

Possible Technology Considerations:

  • Physical Access Control (PAC) 


What needs to be answered:

Do all alternate sites where CUI data is stored or processed meet the same physical security requirements as the main site? Does the alternate processing site provide information security measures equivalent to those of the primary site? 

  • Safeguarding Measures for CUI at Alternate Work Sites
    Description: This check focuses on the enforcement of safeguarding measures to protect Controlled Unclassified Information (CUI) at alternate work sites, which may include government facilities or the private residences of employees. Organizations need to establish and enforce security measures that are appropriate for the specific work-related activities conducted at these sites.
     


More Details:  

No CUI is stored in company facilities. All CUI storage is done via AWS services.