03.10.06 (a) Determine alternate work sites allowed for use by employees. (b) Employ the following security requirements at alternate work sites: {{ insert: param, A.03.10.06.ODP.01 }}.

What this control requires

(a) Determine alternate work sites allowed for use by employees. (b) Employ the following security requirements at alternate work sites: {{ insert: param, A.03.10.06.ODP.01 }}.

Source: NIST SP 800-171 R3 §03.10.06 (official control text).

Why this matters

Remote and hybrid work expands your security perimeter beyond controlled facilities into homes, coffee shops, and co-working spaces where physical security, network trust, and device posture vary wildly. Without documented alternate work site requirements, employees may handle CUI on unpatched personal devices over public Wi-Fi, leave documents visible to family members, or store backup drives in unlocked cars. This control requires you to identify which remote locations are acceptable and enforce specific safeguards—like VPN mandates, screen privacy filters, or locked storage—that maintain confidentiality and availability regardless of where work happens. It protects CUI from shoulder surfing, theft of unsecured devices, and network interception when your perimeter dissolves.

What evidence assessors expect

Assessors typically look for: PDF, screenshot, photo, CSV export, training certificate. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.
