Remote and hybrid work didn’t go away once defense contractors started taking CMMC seriously. It just got more complicated. NIST SP 800-171 was written well before distributed teams became the norm, but it does address remote work directly, and CMMC assessors treat those requirements as seriously as anything else in the framework. A contractor can have a tightly controlled office network and still fail an assessment because a program manager working from home connects to a CUI system through a VPN that allows split tunneling, or because a laptop issued for remote work was never brought into the same monitoring and encryption scope as everything on-site.
None of this means remote or hybrid work is off the table for CMMC Level 2 contractors. It means the controls that apply to alternate work sites, remote access sessions, and personally owned devices need the same deliberate implementation as anything inside the four walls of an office. This piece walks through what those controls actually require, where hybrid teams most commonly create gaps, and how to build a remote access architecture that holds up under assessment.
It’s worth saying plainly that this isn’t a temporary compliance headache tied to pandemic-era work patterns. Hybrid and remote arrangements are now a permanent feature of how most defense contractors staff engineering, program management, and back-office roles, and the DoD’s own CMMC guidance was written with that reality in mind rather than against it. The requirements exist because remote access genuinely does introduce more risk than a controlled office network, not because regulators are unaware that distributed teams are now standard practice.
Why Remote Work Complicates a CMMC Environment
CMMC Level 2 scoping starts with a straightforward question: where does CUI live, travel, or get processed? For an office-only environment, that answer is relatively contained. For a hybrid or fully remote team, CUI potentially touches home networks, personal routers, coffee shop Wi-Fi, and laptops that leave the physical control of the organization every day. Every one of those touchpoints is technically inside the CMMC assessment boundary the moment CUI passes through it, whether or not anyone thought of it that way when the remote work policy was written.
This is where a lot of contractors get the scope wrong. They treat remote access as an IT convenience issue, something to be solved with a VPN license and a laptop, rather than as a compliance boundary that needs its own controls, its own documentation, and its own evidence trail for an assessor. The result is usually a set of remote access practices that work fine for productivity and fail specific, well-defined CMMC requirements.

Alternate Work Sites: The Control Most Teams Skip
NIST SP 800-171’s alternate work site requirement is easy to overlook because it doesn’t sound technical. It requires organizations to enforce safeguarding measures for CUI at locations outside the primary facility, which in practice means a home office, a co-working space, or a hotel room has to meet a baseline standard before CUI is handled there, not just have a laptop that happens to be encrypted.
In practice, this control is usually satisfied through policy rather than a home inspection: a documented remote work security policy that spells out what an approved alternate work site looks like, requirements for physically securing devices and printed materials when not in use, rules against CUI-containing screens being visible to other household members or in public spaces, and a process for employees to attest that they’re following those requirements. Organizations that skip this step entirely, treating remote work as informally approved rather than governed by a written policy, create a documentation gap that shows up quickly in an assessor’s interview questions, even when the technical controls elsewhere are solid.
Locking Down Remote Access Sessions
The technical heart of remote CMMC compliance sits in the Access Control and System and Communications Protection domains. Organizations must monitor and control remote access sessions, route that access through managed control points rather than allowing direct connections from home devices to CUI systems, and protect the confidentiality of those sessions with cryptographic mechanisms. In practical terms, that means every remote connection to a CUI system goes through a controlled gateway, typically a VPN or a managed portal, with the connection itself encrypted end to end and logged for review. A VPN alone isn’t sufficient on its own, either. It needs to be paired with multi-factor authentication enforced at the point of connection, not layered on separately or left optional for convenience.
Encryption strength matters here too. CUI transmitted during a remote session needs to be protected with FIPS-validated cryptography, which rules out consumer-grade VPN products that weren’t built with federal cryptographic validation in mind. This is one of the areas where a hybrid team’s convenience choices, picking a VPN because it’s fast and easy rather than because it meets the encryption standard, create a finding that’s expensive to unwind after the fact.
Split Tunneling: A Small Setting With Outsized Consequences
Split tunneling is one of the more technical remote-work controls, and it’s also one of the more commonly missed. It occurs when a remote device maintains its VPN connection to organizational systems while simultaneously routing other traffic, streaming video, personal email, general web browsing, directly through the open internet rather than through the encrypted tunnel. The convenience is real: split tunneling reduces load on the VPN and keeps non-work traffic fast. The risk is also real, and NIST SP 800-171 explicitly prohibits it, because an open, unencrypted connection running alongside a trusted internal one gives an attacker who compromises the device a direct path into organizational systems while bypassing the very controls the VPN was supposed to enforce.
Most modern VPN clients disable split tunneling by default, which is exactly why this control catches organizations off guard: someone, at some point, often years before a CMMC assessment was ever on the radar, enabled it to solve a performance complaint, and the change was never revisited. Confirming split tunneling is disabled across every remote device, not just checking the default configuration on the VPN server, is a five-minute technical check that prevents a finding an assessor will specifically test for.

BYOD, Endpoints, and the Devices You Don’t Control
Bring-your-own-device arrangements are where remote and hybrid teams create some of the widest CMMC exposure, because a personally owned laptop or phone that touches CUI has to meet the same standard as a company-issued asset, and personal devices rarely do by default. Endpoint protection, disk encryption, patch management, and remote wipe capability all need to extend to any device in the CUI access path, which in practice pushes most CMMC-mature organizations toward requiring company-managed devices for any role that touches CUI rather than accepting the administrative overhead of securing an employee’s personal laptop to federal standards.
There’s a cultural dimension to this decision too, and it’s worth addressing directly with employees rather than treating it as a purely technical rollout. Asking staff to give up personal devices for work involving CUI, or to accept mobile device management on a phone they also use privately, is a bigger ask than it sounds, and organizations that explain the compliance reasoning upfront tend to get less resistance than ones that simply mandate the change. A clear policy on what MDM does and doesn’t monitor on a personal device goes a long way toward reducing pushback.
For organizations that have made the shift to cloud-based identity and device management, tools like Microsoft Entra ID and Intune make this considerably more manageable, since device compliance policies, conditional access rules, and remote wipe can all be enforced centrally regardless of where an employee is physically working. Organizations still relying on on-premises domain infrastructure for identity and device management tend to struggle here, because extending those controls to remote endpoints usually requires exactly the kind of complex VPN and network engineering that introduces the split tunneling and access-point risks already discussed above.
Collaboration Tools and Communication Systems
Remote and hybrid teams live inside collaboration platforms, video calls, shared documents, and cloud phone systems, and CMMC has specific requirements for that category too. Collaborative computing devices, cameras, microphones, and whiteboards accessible through a network connection, cannot be remotely activated without the user’s knowledge, and systems need to provide a clear indication when they’re in use. This matters for hybrid teams using video conferencing platforms extensively, since a compromised endpoint with unauthorized microphone or camera access represents a real information exposure path around technical CUI protections that focus purely on data at rest and in transit.
Voice communication is part of the same picture. A cloud-based VoIP system configured with the same security posture as the rest of a CMMC environment, encrypted transport, centralized access controls, integration with existing identity management, lets hybrid teams communicate securely regardless of location without introducing an unmanaged, disconnected phone system as a separate risk surface. Contractors who patch together a mix of personal cell phones, unmanaged softphone apps, and consumer video tools for a distributed workforce are effectively creating communication paths that sit entirely outside their documented security architecture.
Building a Remote Access Architecture That Holds Up
The organizations that manage this well tend to approach remote and hybrid work as an architecture decision made once, deliberately, rather than a collection of individual accommodations made over time. That usually starts with a broader cloud transformation that centralizes identity, device management, and data access around cloud-native tools built for distributed teams, rather than trying to extend an on-premises architecture designed for a single office location outward through VPN tunnels and remote desktop connections. A cloud-first architecture makes conditional access, device compliance, and encrypted remote sessions native to the environment instead of bolted-on exceptions.
It also means documenting the remote work policy with the same rigor as any other System Security Plan component: which roles are authorized for remote CUI access, what device and connection standards apply, how alternate work sites are approved, and how compliance is verified on an ongoing basis rather than assumed. An assessor evaluating a hybrid organization will ask to see this documentation specifically, and a policy that exists only informally, communicated verbally when someone starts working from home, reads as a gap regardless of how well the underlying technical controls are actually configured.

Making Hybrid Work Without Breaking Your CMMC Score
None of the controls covered here require abandoning remote or hybrid work models. They require treating remote access as a defined, monitored, and documented extension of the CMMC environment rather than an informal convenience layered on top of it. For organizations early in this process, a CMMC gap assessment scoped specifically to include remote and hybrid access paths, not just the office network, is the fastest way to find out where the actual gaps are before an assessor does.
A managed IT partner with direct CMMC experience can configure that architecture correctly the first time, rather than retrofitting compliance onto a remote work setup that was built for convenience alone. And for organizations still mapping which controls apply to their specific environment, our explanation of what CUI is and why it matters for compliance is a useful starting point for understanding why remote access controls carry the weight they do.
Stealth Technology Group builds remote and hybrid access architecture that meets CMMC requirements without slowing your team down. If your team works remotely or in a hybrid model and handles CUI, contact Stealth Technology Group today at (617) 903-5559 to talk with a specialist.
