A contractor with a Level 2 requirement can lock down the office network, harden the servers, deploy every control in the SSP, and still walk into an assessment with a finding — because someone’s laptop connected from a kitchen table on an unmanaged Wi-Fi network six months earlier, and nobody scoped that connection into the boundary. Remote and hybrid work didn’t create new categories of risk to Controlled Unclassified Information. It removed the physical assumptions that a lot of legacy security programs quietly relied on: a locked building, a single egress point, a network team that could see every device on the segment. Once CUI can touch a home router, a personal phone, or a coffee shop hotspot, those assumptions stop holding, and the control set has to compensate for what the building used to do for free.
This isn’t a theoretical problem for the defense industrial base. Engineering firms with distributed design teams, manufacturers running hybrid shifts between the floor and the office, and government services contractors with fully remote back offices are all sitting on the same exposure: CUI that used to stay inside four walls now moves across networks the organization doesn’t own. Getting this right under CMMC 2.0 means treating remote access as a first-class part of the system security plan, not an exception clause buried in an acceptable use policy.
Why Remote Work Changes the CUI Threat Model, Not Just the Location
The instinct in a lot of organizations is to treat remote work as a logistics question — VPN access, a laptop, maybe a policy document employees sign once. That framing misses what actually changed. Under NIST SP 800-171, the control baseline assumes CUI is protected across its full lifecycle: creation, storage, transmission, and disposal. Remote work multiplies the number of environments each of those lifecycle stages touches, and every one of those environments is a potential assessment boundary problem.
A document that gets edited on a company laptop, saved to a synced folder, printed on a home printer, and later shredded in a personal wastebasket has passed through four distinct control domains — access control, media protection, physical protection, and disposal — none of which the organization directly manages once the laptop leaves the office. The NIST SP 800-171 Rev. 3 control families don’t relax for remote scenarios; if anything, families like Access Control, Identification and Authentication, System and Communications Protection, and Media Protection carry more weight because there’s no compensating physical perimeter to fall back on.
This is also where a lot of contractors underestimate scope. If a personal device or home network touches CUI in any way — even incidentally, even once — it’s arguably in scope for assessment purposes unless the organization has implemented specific technical controls to prevent CUI from landing there. That’s a scoping decision with real cost implications, and it’s worth working through deliberately with a compliance partner rather than discovering it during a C3PAO assessment.

Mapping Where CUI Actually Lives Once People Leave the Building
Before fixing anything, you need an honest inventory of where CUI touches remote environments, and most organizations are wrong about this on the first pass. It’s rarely just “email and file shares.” CUI shows up in engineering drawings pulled into a personal OneDrive during a late-night deadline crunch, in Teams chat threads where someone pastes a spec sheet, in printed meeting notes from a home office, in screenshots dropped into a project management tool that was never evaluated for CMMC scope.
The exercise that actually works is a lifecycle walk-through, not a network diagram review. Sit down with the people who handle CUI day to day — program managers, engineers, contracts staff — and trace a document from the moment it’s created to the moment it’s destroyed. Where does it get saved? Who has access from which devices? Does it ever get forwarded, printed, or exported to a personal tool because the sanctioned system was slow or inconvenient? That last question tends to surface the real exposure, because shadow IT workarounds are almost always where CUI leaks outside the defined boundary. This is the same discipline covered in more depth in The Complete Lifecycle of CUI: Storage, Access, Sharing, and Disposal Requirements, and it’s worth treating as a standing exercise rather than a one-time audit, because remote work patterns drift.
The Home Network Is Not an Extension of Your Corporate Network — Stop Treating It Like One
Here’s the assumption that gets contractors in trouble: the home network is functionally similar to the office network, just smaller. It isn’t. A home router is typically unmanaged, running consumer firmware that may not have been updated in a year, sitting on the same broadcast domain as smart TVs, gaming consoles, kids’ tablets, and IoT devices with known, unpatched vulnerabilities. You have zero visibility into that environment and zero ability to enforce segmentation on it.
The correct posture is to assume the home network is hostile and design controls that don’t depend on it being trustworthy. That means the CUI-handling device shouldn’t trust its local network segment for anything beyond basic internet connectivity — no reliance on local network shares, no assumption that other devices on that Wi-Fi network are benign. A full-tunnel VPN back to a monitored, managed environment, combined with host-based firewall rules that reject unsolicited inbound connections regardless of network location, effectively removes the home network from the trust equation. Split-tunnel VPN configurations undermine this by routing general internet traffic outside the monitored tunnel while CUI traffic goes through it — convenient for bandwidth, but it creates exactly the kind of boundary ambiguity that complicates both security and assessment scoping.
For organizations without the internal bandwidth to manage this consistently across a distributed workforce, this is one of the clearer cases for bringing in outside expertise — either through dedicated managed IT services or a co-managed IT arrangement that lets an internal team keep ownership while an MSP handles the remote endpoint hardening and monitoring workload.
Identity Is the New Perimeter, and Most Contractors Are Still Treating It Like a Formality
With the physical perimeter gone, identity and access control absorb most of the enforcement burden, and CMMC Level 2’s Access Control and Identification and Authentication families reflect that. Multi-factor authentication isn’t optional at this point, but the specific type of MFA matters more than most organizations realize. SMS-based codes and push notifications are both vulnerable to real-time phishing and MFA fatigue attacks that have been used successfully against defense contractors. Phishing-resistant methods — FIDO2 security keys or platform authenticators tied to hardware — are the direction the requirements are heading, and adopting them now avoids a scramble later.
A few identity controls consistently make the difference between a remote access program that holds up and one that doesn’t:
- Conditional access policies that evaluate device compliance, location, and risk signals before granting access to CUI-hosting systems, not just username and password plus a second factor
- Just-in-time or time-bound privileged access for administrative accounts, rather than standing admin rights on remote-accessible systems
- Automated deprovisioning tied directly to HR offboarding events, since remote terminations are where stale access lingers longest
- Session timeout and re-authentication requirements calibrated for remote work patterns, not left at defaults designed for an always-connected office network
None of this is exotic, but it requires someone actively managing the identity platform rather than configuring it once at rollout and leaving it alone. That ongoing tuning is a good fit for a vCIO services engagement, where someone with visibility across the whole environment is periodically reviewing whether the access model still matches how the organization actually works.
Endpoint Security When You Don’t Control the Endpoint’s Physical Environment
You can enforce policy on a managed laptop even when you can’t control the room it sits in. That distinction matters because it defines what’s actually achievable. Full-disk encryption using FIPS-validated cryptographic modules is table stakes — if a laptop is lost or stolen from a car or a hotel room, encryption is what keeps that incident from becoming a CUI breach with mandatory reporting obligations. Endpoint detection and response tooling needs to be running and reporting back to a central console regardless of network location, because a home network isn’t monitored the way an office network is, and that’s precisely where compromise is more likely to go unnoticed.
The government-furnished equipment versus personally owned device (BYOD) decision is one of the higher-stakes calls a contractor makes for remote CUI handling. BYOD dramatically expands the attack surface and the scoping headache — a personal phone with a work email app installed is now potentially in the assessment boundary, and most organizations don’t have visibility into personal devices to prove otherwise. GFE with locked-down configurations, application allowlisting, and no local admin rights for end users is the more defensible position for anyone regularly handling CUI, even though it costs more upfront and creates logistics overhead for a distributed workforce.
Mobile device management matters here too, particularly for organizations that do allow phones or tablets to access email or collaboration tools touching CUI-adjacent information. Containerization that separates work data from personal data, remote wipe capability, and enforced device-level encryption reduce the blast radius when a personal device is inevitably lost, sold, or compromised. Threat actors specifically targeting the defense industrial base — including nation-state groups documented by CISA — have shown a consistent interest in exactly this kind of soft target: an unmanaged endpoint that happens to have a foothold into a contractor’s environment.

Encrypting CUI in Transit and at Rest Isn’t a Checkbox, It’s an Architecture Decision
System and Communications Protection controls require encryption for CUI both in transit and at rest, but the implementation details are where remote work programs succeed or fail. In transit means every hop — VPN tunnel, TLS on internal application traffic, encrypted email for anything touching CUI, not just the connection to the corporate network but every intermediate service the traffic passes through, including cloud collaboration platforms.
At rest means the laptop’s disk, yes, but also backup copies, cached files in collaboration tools, temp files generated by applications during editing, and anything synced to cloud storage. This is where organizations get tripped up by consumer-grade cloud sync tools that employees adopt for convenience — a personal Dropbox or Google Drive account isn’t going to meet FIPS validation requirements or give the organization any control over where that data physically resides or how long it persists after a file is “deleted.” Sanctioned, enterprise-managed cloud storage with proper encryption key management, paired with a real cloud transformation strategy rather than an ad hoc collection of tools employees picked themselves, closes that gap. The same logic applies to voice and video collaboration — using a properly configured, enterprise-grade platform like cloud-based VoIP rather than consumer video call apps for any conversation that might touch CUI-related discussion.
Backup and recovery deserves a specific mention because it’s frequently overlooked in remote work planning. If CUI lives on remote endpoints, those endpoints need to be included in the organization’s backup and data recovery strategy with the same encryption and access controls as anything on the corporate network — a laptop that’s never backed up because it’s “just a remote user’s machine” is both a business continuity risk and, if it’s the only copy of a CUI-relevant work product, a control gap.
Physical Security Requirements Follow the Data Home, Whether You’ve Planned for It or Not
CMMC’s Physical Protection family doesn’t have a carve-out for home offices, and this is the area where contractors most often assume the requirement doesn’t apply because there’s no server room to secure. If CUI is being viewed, printed, or discussed at a kitchen table where a spouse, roommate, or delivery person can see a screen, that’s a physical protection gap regardless of whether it’s technically the employee’s home.
Practical controls here don’t require a security guard, but they do require deliberate policy. Privacy screens for laptops used in shared or public spaces. A hard rule against printing CUI at home unless the organization has specifically evaluated and approved a secure printing workflow — and if printing is unavoidable, a defined, auditable disposal process, because a home shredder that jams half the time isn’t a control anyone can attest to. Locked storage for any physical CUI materials that must exist outside the office, even temporarily. Clear guidance on video call backgrounds and screen sharing, since it’s remarkably common for someone to screen-share a document with CUI markings visible in a background window during an unrelated call.
Engineering and manufacturing environments have an additional wrinkle worth calling out directly, since technical drawings and specifications are exactly the kind of content that ends up printed for review. Organizations in those industries — see the considerations laid out for engineering and manufacturing firms specifically — should treat physical CUI handling in remote settings as a distinct policy section, not an afterthought bolted onto a general remote work agreement.
Monitoring and Incident Response Without a Network Perimeter to Watch
A security operations function built around watching traffic at the network edge doesn’t have much to look at once half the workforce is remote and traffic is encrypted end to end through a VPN. Effective monitoring for a distributed workforce has to shift toward endpoint telemetry and identity signals as the primary detection surface — what the device is doing, what the account is doing, rather than what the network gateway sees.
That shift has direct implications for incident response planning. If a remote laptop is compromised, the response plan needs to account for the fact that the device isn’t on a network segment the IT team can isolate with a switch port change. Remote isolation capability built into the EDR platform, the ability to force a device offline or quarantine it via the management console, and a tested process for collecting forensic evidence from a device that’s never physically in the building are all things that need to exist before an incident happens, not get improvised during one. Reporting timelines under DFARS 252.204-7012 don’t pause because the affected device is remote — the 72-hour clock starts regardless of where the compromised endpoint physically sits, which makes remote-capable response tooling a compliance requirement as much as a security one.
Vendor and tool sprawl compounds this risk in distributed environments, since remote teams tend to accumulate SaaS tools and collaboration platforms faster than an office-bound team does, and each one is a potential path CUI takes outside the monitored boundary. The exposure this creates is covered in more detail in The Hidden Risk of Third-Party Vendors: How MSPs, Cloud Providers, and Software Partners Affect Your CMMC Compliance, and it’s worth revisiting that vendor list specifically through the lens of what remote employees have quietly added to it.
Writing Remote Work Policy That an Assessor Will Actually Accept
A one-page acceptable use policy that says “employees must follow security best practices” doesn’t survive a CMMC assessment, and it doesn’t give employees enough specificity to actually comply. Assessors under the CMMC Program overseen by the DoD are looking for policy that maps to specific practices, with evidence that it’s actually implemented — configuration screenshots, training records, technical enforcement — not just a document that exists.
Two things separate policy that holds up from policy that doesn’t. First, specificity: naming the approved VPN client, the required MFA method, the explicit prohibition on personal cloud storage for CUI, rather than vague references to “secure” tools. Second, technical enforcement wherever possible, so the policy isn’t relying on employee memory. A policy that says personal devices can’t access CUI is far stronger when conditional access rules technically block non-compliant devices from authenticating in the first place.
This is also the point at which scoping decisions made earlier in the process pay off or create problems. A well-scoped remote access architecture — one where CUI can only be accessed through a managed, monitored path regardless of the employee’s physical location — dramatically simplifies both the policy documentation and the assessment itself, because the boundary is technically enforced rather than dependent on trust. Getting that scoping right the first time, informed by the kind of environment review discussed in How to Scope Your CMMC Environment Correctly and Avoid Unnecessary Compliance Costs, saves a significant amount of rework compared to retrofitting scope boundaries around an already-distributed workforce.
Organizations should also revisit the guidance in the CUI Registry and the underlying framework in 32 CFR Part 2002 when drafting remote work policy language, since marking, handling, and dissemination requirements for specific CUI categories don’t change based on where the work happens, and policy that doesn’t reflect the correct category-specific handling rules will read as generic to an assessor.
Getting an Outside Read Before the Assessor Does
Every technical control described above is verifiable, but very few organizations catch every gap in their own remote access architecture through internal review alone. It’s worth engaging a CyberAB-registered assessor or consultant for a readiness review specifically focused on the remote and hybrid access boundary before a formal assessment, since gaps in this area tend to be scattered across multiple control families rather than concentrated in one place, which makes them easy to miss in a standard internal audit.
For contractors based around Boston, Tampa, or Sarasota working through this specific problem, it’s often more efficient to work with a firm that already understands the regional contracting landscape and can walk the physical and technical environment directly — see the Boston, Tampa, and Sarasota service pages for what that looks like in practice — rather than relying entirely on remote consultation for an assessment centered on how well remote work itself is secured.

Conclusion
Remote and hybrid work isn’t going away for the defense industrial base, and CMMC isn’t going to relax its expectations to accommodate that reality — the control set already assumes CUI needs protecting wherever it travels, home office included. The contractors who handle this well aren’t the ones who ban remote work outright or the ones who hope a VPN and a policy PDF will cover it. They’re the ones who’ve mapped exactly where CUI moves once people leave the building, built technical enforcement around identity and endpoint controls instead of relying on employee discretion, and documented all of it in a way that holds up to scrutiny rather than just existing on paper.
If your organization is planning its CMMC compliance journey, contact Stealth Technology Group today at (617) 903-5559 or visit the website to learn how modern cybersecurity infrastructure can accelerate your path toward certification readiness.
