Alternative Work Sites: Enforce safeguarding measures for CUI at alternate work sites.
Monarch ISC Guidance
In addition to deploying technical controls consistent with other practices in the CMMC for malware protection, patching, and VPN access, this practice will require you to educate your staff to protect devices and data whether they are at their home office, a hotel, or their local coffee shop. They should be reminded to:
Not leave their workstations unattended in a public location.
Not allow family members to use their work computers.
Not dispose of CUI or other "protected" data in their home trash. They should shred it. If a shredder is not available, documents should be brought back to the office for proper disposal.
Secure mobile devices when not in use at home, for example in a locked office or a locked drawer, or by securing the home itself.
Not leave devices unattended in a vehicle; if that is unavoidable, cover them or lock them in the trunk.
What is Zero Trust?
As organizations embrace the cloud, the idea of an organization perimeter begins to fade. You can no longer rely on network controls and centralized security models; everything is decentralized, and the ability to "trust" devices and users based upon location is diminished. Your organization will need to rethink how it secures remote devices, authorizes users, and maintains control of data that is no longer on its network.
NIST has released Special Publication 800-207 (draft) with recommendations for securing and authorizing people and devices in a zero trust model.
NIST SP 800-171 R2
Alternate work sites may include government facilities or the private residences of employees. Organizations may define different security requirements for specific alternate work sites or types of sites depending on the work-related activities conducted at those sites.
NIST SP 800-46 and NIST SP 800-114 provide guidance on enterprise and user security when teleworking.