Back to Blog
CMMC Compliance

Remote Work Security for CMMC: How Defense Contractors Should Protect CUI Outside the Office

July 12, 2026
12 min read

Remote Work Security for CMMC: How Defense Contractors Should Protect CUI Outside the Office

Remote work is no longer an exception for defense contractors. It is part of normal operations.

Engineers review drawings from home. Project managers join Teams meetings from hotels. Executives approve contract documents from personal networks. Subcontractors collaborate in cloud workspaces. Managed service providers administer systems remotely. Employees expect to work securely from wherever the mission requires.

CMMC does not prohibit that.

But CMMC does require contractors to prove that Federal Contract Information and Controlled Unclassified Information are protected wherever they are processed, stored, or transmitted. If CUI leaves the controlled office environment and lands on an unmanaged laptop, a personal cloud folder, a weak home Wi-Fi network, or an unapproved remote access tool, the organization has not solved remote work. It has moved the CUI boundary into places it cannot defend.

That is the problem assessors care about.

The final CMMC program rule in 32 CFR Part 170 makes clear that contractor information systems that process, store, or transmit FCI or CUI are in scope for assessment. The DoD's public CMMC guidance also reminds contractors that Phase 1 implementation is already underway, with Level 1 and Level 2 self-assessments active and affirmations required in SPRS. For contractors handling CUI, remote work needs to be designed as part of the CUI environment, not bolted on after the fact.

This article walks through how small and mid-sized defense contractors should secure remote work in a CMMC Level 2 environment without turning the business into a fortress nobody can operate.

Start With the Real Question: Where Can CUI Go?

The first mistake is treating remote work as an IT access issue.

It is really a CUI flow issue.

Before buying another VPN license or endpoint tool, leadership should answer a simple set of questions:

  • Which job roles need remote access to CUI?
  • Which systems contain CUI?
  • Which devices are allowed to access those systems?
  • Can CUI be downloaded locally?
  • Can CUI be printed from remote locations?
  • Can CUI be copied into email, chat, AI tools, or personal storage?
  • Are subcontractors or external service providers involved?
  • What logs prove who accessed CUI remotely and when?

If those questions are fuzzy, the remote work environment is not assessment-ready.

CMMC Level 2 is built on NIST SP 800-171, and many control families intersect with remote work: Access Control, Identification and Authentication, Media Protection, System and Communications Protection, Audit and Accountability, Configuration Management, Incident Response, and Security Awareness. A remote access decision touches all of them.

That means remote work must be described in the System Security Plan, supported by policy, implemented in technical controls, and backed by evidence. "We trust our employees" is not a control. "Our MSP set up VPN" is not a control. "We use Microsoft 365" is not a control by itself.

The assessor will want to see the full story: scope, users, devices, access paths, data handling rules, monitoring, and enforcement.

Define the Remote Work Boundary

Every CMMC program needs a defined CUI boundary. Remote work makes that boundary more complicated, but not impossible.

For many contractors, the strongest design is to keep CUI inside a controlled cloud or virtual environment and prevent local storage on home devices. That may mean a managed Microsoft 365 GCC High environment, a controlled commercial cloud enclave, a virtual desktop infrastructure, or a secure remote access platform where files stay inside the approved system.

Other contractors allow managed company laptops to access CUI directly, but only when the devices meet strict requirements: encryption enabled, endpoint protection running, patching current, local admin restricted, MFA enforced, logging enabled, and unmanaged applications blocked.

Both approaches can work. What does not work is ambiguity.

A defensible remote work boundary should identify:

  • Approved remote access methods
  • Approved devices and device ownership model
  • Approved applications for CUI
  • Network and encryption requirements
  • Rules for local download and offline access
  • Printing restrictions
  • External sharing restrictions
  • Logging and monitoring sources
  • Support responsibilities for MSPs or cloud providers
  • Exceptions and approval process

The goal is not to write a theoretical diagram. The goal is to define where CUI is allowed to live and how the contractor keeps it from spreading into unmanaged places.

If employees can access CUI from any device with a browser, the boundary includes every device they use. If employees can sync CUI to personal desktops, the boundary now includes personal desktops. If employees can forward CUI to personal email so they can print it at home, the boundary has collapsed.

That is why remote work policy must be practical and specific.

Company Devices Should Be the Default for CUI

Bring-your-own-device may be convenient, but it is hard to defend in a CMMC Level 2 environment.

For general business use, BYOD can sometimes be managed with mobile application controls and conditional access. For CUI, the risk is much higher. Personal devices are difficult to inventory, baseline, patch, monitor, investigate, and sanitize. They may have family accounts, consumer backup software, unmanaged browser extensions, personal cloud sync tools, and weak local security settings.

If CUI is involved, company-managed devices should be the default.

At minimum, remote devices that access CUI should have:

  • Full-disk encryption
  • Strong endpoint detection or anti-malware
  • Current operating system and application patches
  • Screen lock and inactivity timeout
  • Local administrator restrictions
  • Centralized configuration management
  • Logging and security telemetry
  • Approved software controls
  • Remote wipe or recovery capability
  • Clear assignment to an authorized user

This is where Configuration Management becomes more than a paperwork requirement. The contractor needs to prove the laptop used from home is built to an approved baseline, enrolled in management, visible to security tooling, and still compliant after months of real use.

The evidence should be easy to pull: device inventory, encryption status, endpoint protection status, patch compliance, MDM profile, user assignment, and recent check-in. If the organization cannot produce that evidence, it cannot confidently say the remote device is controlled.

MFA Is Mandatory, But Conditional Access Makes It Stronger

Multifactor authentication is one of the most visible controls in any CMMC program, but remote work raises the bar.

MFA should protect remote access to email, cloud applications, VPN, virtual desktops, privileged administration, and any system that contains or protects CUI. But MFA alone does not answer every remote work risk. A valid user with MFA can still log in from an unmanaged device, a risky location, or a compromised endpoint.

That is where conditional access earns its keep.

Contractors should consider policies that require:

  • MFA for all remote access
  • Managed or compliant devices for CUI systems
  • Stronger controls for privileged accounts
  • Blocking legacy authentication
  • Session controls for browser access
  • Geographic or risk-based restrictions when appropriate
  • Reauthentication for sensitive actions
  • Separate policies for administrators and standard users

For small contractors, the point is not to create a maze of fragile rules. The point is to make CUI access conditional on trust signals the company can defend: verified identity, managed device, approved application, encrypted connection, and appropriate user role.

Assessors will not be impressed by a screenshot that says MFA is enabled if stale accounts, shared admin credentials, unmanaged devices, and broad access groups still exist. The access control story has to hold together.

VPN Is Not a Complete Remote Work Strategy

Many contractors still think "remote work security" means "we have a VPN."

A VPN can be useful, but it is only one part of the architecture. In some environments, a traditional VPN actually expands risk by placing remote endpoints directly on internal networks. If a home laptop is compromised and the VPN has broad network access, the attacker may inherit the same reach.

For CMMC, the right question is not whether a VPN exists. The right question is what the VPN allows.

Contractors should review:

  • Who can connect
  • Which devices can connect
  • Whether MFA is enforced
  • Whether split tunneling is allowed
  • Which internal systems are reachable
  • Whether access is segmented by role
  • Whether VPN logs are retained and reviewed
  • How stale accounts and profiles are removed
  • How vendor or MSP remote access is controlled

Least privilege applies to networks too. A remote user who only needs access to a document repository should not receive broad internal network access. An MSP technician who needs to manage a server should not use a shared remote access account. A subcontractor should not be treated like an employee unless the contract, flowdown, identity, logging, and access reviews support it.

Modern zero-trust network access, virtual desktop, and application proxy models can reduce exposure, but they are not magic either. They still need identity governance, device controls, logging, and documented procedures.

Cloud Collaboration Needs Guardrails

Remote work usually depends on cloud collaboration. Microsoft 365, Google Workspace, SharePoint, Teams, OneDrive, Box, and similar platforms can support secure work when configured properly.

They can also become CUI sprawl machines.

The common failure pattern is simple: a contractor creates a shared project folder, invites employees and subcontractors, enables external sharing, allows sync to unmanaged endpoints, and never reviews access again. Six months later, nobody knows who can see the data, where it has been downloaded, or whether CUI markings survived the process.

CUI collaboration needs guardrails:

  • Approved CUI repositories
  • Restricted external sharing
  • Role-based access groups
  • Periodic access reviews
  • Audit logging enabled
  • Download and sync rules
  • Data loss prevention where practical
  • Retention settings aligned to contract needs
  • Clear rules for Teams, chat, and meeting recordings
  • Procedures for removing users at project closeout

Employees also need plain-language instructions. They should know where CUI belongs, where it does not belong, and what to do when a customer, prime, or subcontractor sends data through an unapproved channel.

Good cloud configuration is not enough if users work around it because the approved process is unclear or painful.

Home Offices Are Part of the Risk Model

CMMC does not require a contractor to inspect every employee's home office like a secure government facility. But it does require reasonable protection of CUI outside controlled office space.

Remote workers should have rules for physical security and privacy:

  • Do not leave CUI visible to unauthorized people
  • Lock screens when stepping away
  • Store printed CUI only if explicitly approved
  • Use shredding or approved destruction methods for printed material
  • Avoid discussing CUI where conversations can be overheard
  • Do not use shared family devices for CUI
  • Report lost or stolen devices immediately
  • Use secure home Wi-Fi with modern encryption and strong passwords

Printing deserves special attention. Many small contractors casually allow remote printing because it feels operationally necessary. But printed CUI creates media protection obligations: marking, storage, transport, destruction, and incident reporting if lost. If the business cannot control those obligations, remote printing should be prohibited or tightly limited.

The same applies to screenshots, photos, meeting recordings, transcription tools, and AI assistants. If CUI can be copied into a tool the contractor has not approved, the remote work program has a leakage path.

Security Awareness Must Cover Remote Work Scenarios

Annual cybersecurity training that says "do not click suspicious links" is not enough for CMMC remote work.

Users need training that matches how they actually work:

  • How to identify CUI
  • Which systems are approved for CUI
  • How to access CUI remotely
  • What not to download or sync
  • How to handle customer files received by email
  • How to report accidental disclosure
  • What to do when traveling
  • How to protect conversations and screens
  • Why personal email, personal cloud storage, and consumer AI tools are prohibited for CUI

Training records should show who completed the training and when. Better yet, the contractor should maintain short role-based guidance for employees who routinely handle CUI remotely. An engineer, project manager, executive, and MSP administrator do not all face the same remote work risks.

The test is whether employees can answer assessor interview questions consistently. If one employee says CUI can be saved to a home desktop and another says it cannot, the policy is not operating.

What Evidence Should You Keep?

Remote work evidence should prove that the program is designed, implemented, and monitored.

Useful evidence includes:

  • Remote work and acceptable use policies
  • Access control policy and conditional access settings
  • VPN or remote access configuration exports
  • Device inventory and compliance reports
  • Encryption and endpoint protection reports
  • MFA coverage reports
  • Cloud sharing configuration
  • Access review records
  • Remote access logs
  • Privileged access logs
  • Security awareness training records
  • Incident response procedures for lost devices or suspected disclosure
  • Approved software list
  • BYOD restrictions or mobile device management evidence
  • SSP sections describing remote access and CUI data flows

The evidence should match the written policy. If the policy says only company-managed devices can access CUI, conditional access and device compliance reports should support that. If the policy says external sharing is restricted, cloud sharing settings and access review records should support that. If the policy says VPN access is reviewed quarterly, there should be a review artifact.

This is where the TalonPoint PolicyPack can help smaller contractors move faster. It gives you CMMC-aligned policy language for access control, acceptable use, media protection, incident response, configuration management, and third-party access. But the documents are only the starting point. The strongest programs tailor the language to the actual remote work architecture and then collect evidence from the tools that enforce it.

A Practical 30-Day Remote Work Hardening Sprint

If remote work grew organically in your company, start with a short sprint.

In week one, map CUI data flows. Identify systems, users, devices, cloud repositories, subcontractor access, remote access methods, and places where CUI can be downloaded, printed, synced, or shared.

In week two, tighten access. Enforce MFA, remove stale accounts, review remote access groups, restrict privileged access, and block legacy authentication. Confirm that CUI systems require managed or compliant devices where feasible.

In week three, clean up devices and collaboration platforms. Reconcile endpoint inventory, verify encryption and EDR coverage, review cloud sharing settings, disable risky external sharing, and remove unauthorized sync paths.

In week four, update documentation and evidence. Revise the SSP, remote work policy, acceptable use policy, access control procedures, and incident response playbook. Pull evidence reports and store them in the assessment binder.

By the end of the month, the goal is not perfection. The goal is a remote work model the company can explain, enforce, and prove.

The Bottom Line

Remote work is not a loophole in CMMC. It is part of the assessed environment when it touches FCI or CUI.

For defense contractors, the question is not whether employees can work from home. They can. The question is whether the company can show that remote work protects CUI with the same discipline expected inside the office: controlled access, managed devices, encrypted communications, limited data movement, logging, training, and incident response.

The contractors that handle this well will not be the ones with the fanciest tools. They will be the ones that know where CUI goes, limit where it can go, train people on the rules, and keep evidence that the rules are enforced.

That is what makes remote work defensible in a CMMC assessment.

About the Author

The TalonPoint Security team brings 30 years of cybersecurity expertise with CISM and CISSP certifications. As a practicing Chief Information Officer, our founder implements the security policies and compliance frameworks we write about. TalonPoint Security was founded to make professional CMMC compliance accessible to small and medium-sized defense contractors.

Ready to Simplify Your CMMC Compliance?

Get professional, battle-tested policy templates created by a 30-year security veteran

Continue Reading

More insights on CMMC compliance and cybersecurity