Level 2

Description:   

Alternate work sites may include government facilities or the private residences of employees. Organizations may define different security requirements for specific alternate work sites or types of sites depending on the work-related activities conducted at those sites. [SP 800-46] and [SP 800-4] provide guidance on enterprise and user security when teleworking.


Priority: Medium


Domain:  PHYSICAL PROTECTION (PE) 


Category: Personnel Security 


Services Associated with AWS:   

NA

 

Services Associated with Azure:

  • Azure Security Center  
  • Azure VPN
  • Azure Active Directory (Azure AD)


Objective Evidence:   

  • Administrative: documented policies, standards & procedures
  • Administrative: supporting documentation to demonstrate how Work From Home (WFH) workplaces are to be secured
  • Administrative: supporting documentation to demonstrate how alternate workplaces (other than WFH) are to be secured
  • Administrative: supporting documentation to demonstrate the "secure practices" used to build technology platform-specific secure baseline configurations
  • Technical: screenshot of endpoint protection mechanisms
  • Technical: screenshot of VPN configurations 

 

Possible Technology Considerations:

  • Physical Access Control (PAC) 


What needs to be answered:

Do all alternate sites where CUI data is stored or processed meet the same physical security requirements as the main site? Does the alternate processing site provide information security measures equivalent to those of the primary site? 

Checks for AWS 

  • Safeguarding Measures for CUI at Alternate Work Sites
    Description: This check focuses on the enforcement of safeguarding measures to protect Controlled Unclassified Information (CUI) at alternate work sites, which may include government facilities or the private residences of employees. Organizations need to establish and enforce security measures that are appropriate for the specific work-related activities conducted at these sites.
     

Checks for Azure 

  • Secure Configuration Policy for Alternate Work Sites
    Description: This policy ensures that organizations have documented policies, standards, and procedures in place for securing alternate work sites, other than Work From Home (WFH) locations, where Controlled Unclassified Information (CUI) is stored or processed. The policy requires the organization to have clear guidelines for securing these sites so that they provide information security measures equivalent to those of the primary site.
  • Administrative Security Measures for Alternate Work Sites
    Description: This policy requires organizations to provide supporting documentation that demonstrates how alternate workplaces, apart from Work From Home (WFH) locations, are secured. The documentation should outline the specific administrative security measures put in place to protect CUI while conducting work-related activities at these sites.
  • Secure Practices for Technology Platform-specific Configurations
    Description: This policy requires organizations to provide supporting documentation showing the "secure practices" used to build technology platform-specific secure baseline configurations for alternate work sites. These configurations should be aligned with industry best practices and ensure the protection of CUI at these sites.
  • Endpoint Protection Mechanisms at Alternate Work Sites
    Description: This policy requires organizations to provide screenshots or evidence of endpoint protection mechanisms deployed and enforced at alternate work sites. Endpoint protection mechanisms play a crucial role in safeguarding CUI from unauthorized access and malicious activities.
  • VPN Configurations at Alternate Work Sites
    Description: This policy ensures that organizations have implemented Virtual Private Network (VPN) configurations for secure remote access to alternate work sites. VPNs help encrypt communications and maintain the confidentiality and integrity of CUI while it is being accessed or processed remotely.


More Details:  

No CUI stored in company facilities. All CUI storage done via AWS services.