Skip to content

CMMC Device Security Requirements

 

Learn about CMMC requirements for Virtual Desktop Infrastructure, remote work, BYOD, physical security requirements, alternate work site requirements, and more through the Frequently Asked Questions (FAQs) below. If you are looking for certified CMMC Professionals and a customised solution for your organization, please schedule a free consultation.

Table of Contents

Is remote work permitted under CMMC, and what controls are required for remote employees handling CUI? 

 

Summary: Remote work is explicitly permitted under CMMC Level 2 for employees handling CUI, provided that all applicable NIST SP 800-171 Rev 2 security controls are implemented at the remote work location, with specific requirements governed by Physical Protection (PE) domain control PE.L2-3.10.6 (alternate work sites) and Access Control (AC) domain controls AC.L2-3.1.12 and AC.L2-3.1.13 (remote access). 

PE.L2-3.10.6 requires that contractors implement safeguarding measures for CUI at alternative work sites, including home offices, that are equivalent to those in primary facilities. Remote employees who handle CUI must use company-managed, compliant devices; connect through encrypted VPN connections into the organization’s CUI environment; and operate within an environment that prevents unauthorized physical access to CUI-handling systems. 

AC.L2-3.1.12 requires monitoring and controlling remote access sessions, with VPN or other encrypted tunnels for all CUI-related remote connections. AC.L2-3.1.13 requires that remote sessions employ cryptographic mechanisms compliant with SC.L2-3.13.11 (FIPS-validated encryption). Split tunneling, where a remote device simultaneously accesses the organizational network via VPN and the public internet directly, is prohibited under SC.L2-3.13.7. All remote access configurations must be documented in the System Security Plan (SSP).

 

Is BYOD (Bring Your Own Device) allowed under CMMC compliance? 

 

Summary: BYOD, allowing employees to use personal devices to access organizational information systems that handle CUI, is not explicitly prohibited by CMMC, but it creates significant compliance complexity that most organizations find impractical to manage, because personal devices that access CUI become in-scope CUI Assets subject to all 110 NIST SP 800-171 Rev 2 controls. 

The core CMMC principle governing BYOD is scope-based: any device that processes, stores, or transmits CUI is in scope for CMMC assessment. If an employee accesses CUI from a personal laptop or smartphone, that device becomes a CUI Asset requiring full NIST SP 800-171 control implementation. Applying controls such as FIPS-validated encryption, audit logging, MFA enforcement, and remote wipe capabilities to personally owned devices raises significant privacy and legal concerns. 

The practical alternative widely adopted in the DIB is Virtual Desktop Infrastructure (VDI), a solution where CUI is processed on a remote server and the personal device merely displays screen output without any CUI data touching the device locally. When properly configured as a CUI enclave, VDI can place personal device endpoints outside the assessment boundary. Organizations considering BYOD should consult legal counsel regarding privacy implications before implementing any technical controls on personally owned devices. 

 

How does Virtual Desktop Infrastructure (VDI) affect CMMC scoping for remote and BYOD endpoints? 

 

Summary: Virtual Desktop Infrastructure is a technology architecture delivering a desktop computing environment from a centralized server, rendering only screen output to the endpoint device with no CUI data stored locally, and when properly configured as part of a CMMC-compliant enclave, VDI can place remote and BYOD endpoint devices outside the CMMC assessment scope. 

The scoping principle is straightforward: if no CUI is processed, stored, or transmitted on the physical endpoint, because all computation and data storage occurs on the remote VDI server, the endpoint is not a CUI Asset. This scope exclusion is conditional on proper VDI implementation. The VDI server and infrastructure are definitively in scope as CUI Assets and must be fully compliant with all 110 controls. 

Clipboard redirection, local drive mapping, and file transfer capabilities that would allow CUI to be pulled from the VDI environment to the local device must be disabled. Print redirection that would enable CUI to be printed locally must also be controlled. If any of these transfer paths are enabled, the endpoint re-enters scope. VDI also does not protect against screen capture or photography, organizations using VDI must address these physical exposure risks in their remote work policies.

 

What are the physical security requirements for facilities that handle CUI under CMMC? 

 

Summary: CMMC Level 2 requires contractors to implement physical security controls for all facilities containing CUI-handling systems under the Physical Protection (PE) domain’s 6 requirements in NIST SP 800-171 Rev 2, governing access control, visitor management, and physical monitoring. 

Key physical security obligations include: limiting physical access to organizational information systems, equipment, and operating environments to authorized personnel only through mechanisms such as key card access, locks, and physical access control systems; escorting visitors and monitoring visitor activity in any area where CUI systems are present, unescorted visitor access to CUI-handling areas is a direct control failure; maintaining audit logs of physical access events including entries, exits, and visitor sign-ins; and controlling and managing physical access devices such as keys, key cards, and access badges. 

Facilities housing CUI systems must have defined physical perimeters with controlled entry points. Physical access logs must be retained and reviewed periodically. Physical security gaps, unlocked server rooms, unescorted visitors, and missing physical access logs, are commonly cited findings during CMMC Level 2 assessments. 

 

What is the alternate work site requirement under CMMC and what does it require employees to do? 

 

Summary: The alternate work site requirement under CMMC Level 2 is Physical Protection domain control PE.L2-3.10.6, requiring contractors to implement safeguarding measures for CUI at alternative work sites, including home offices, satellite locations, and client sites, that are equivalent to the protections in place at the primary organizational facility. 

This control applies to every employee who handles CUI from a location other than the primary facility. The requirement means the employee’s alternative work site must have: a dedicated, lockable workspace where CUI-handling activities take place and where unauthorized individuals cannot observe the screen or access CUI materials; compliant, organization-managed devices for all CUI work; encrypted VPN connections for all CUI-related network activity; and FIPS-validated encryption on all devices storing CUI. 

The organization must document its alternate work site policy in the SSP, provide training to remote employees on their PE.L2-3.10.6 obligations, and include alternate work site security in its security awareness training program. Home offices where family members, roommates, or visitors can easily observe CUI screens or access CUI materials do not meet this requirement without additional physical controls. 

 

Explore Blogs, Webinars and other Resources

Trusted by Reputed Companies

pVerify, Inc.
Electronic Data Solutions
Bernard Robinson & Company
Avance Care
iCliniq
Botsplash
Logically
Mr.Internet Systems
Vision Radiology
Tangible Solutions
Tangible Solutions
WorkSmart
Triyam
Med First Primary and Urgent Care
Arizona State Radiology
DataCaliper
Dose Spot Company Logo
DoseSpot
Forsyte I.T. Solutions
Tego Data

Accreditations and Associations

* Disclaimer: This list of accreditations is held by our team of employees and consultants.

What Our Clients Say

We used databrackets (formerly EHR 2.0) in our small medical practice for our risk analysis assessment to be in compliance with meaningful use. Their response was fast, the final report is detailed but simple and easy to follow. They were always available to answer our questions.
E. Compres
Pulmonary and Sleep Center of the Valley
I never miss the opportunity to learn something new …that’s why I am always registering to all free seminars offered on the web. databrackets (formerly EHR 2.0) happened to be the friendliest, comprehensive and up-to- date source of HIPAA Privacy and Security updates.
Alexandra V.
Community Healthcare Network
Today’s presentation was great! Thank you for sending the slides. My only feedback is that it would be fabulous to have the slides ahead of time so I could print them and take notes on the slides.Thanks for your time and knowledge today!
T.B., PM
Community Health Network
Particularly interesting was the flow chart on Administrative Simplification. I utilize all of the Security subcategories you list under the Security tile and appreciate knowing that I am hitting all of the relevant topics during my employee training.
Jessica B.
JD, CHC
I have re-worked our original risk assessment….We are using databrackets' (formerly EHR 2.0) Meaningful Use Security Risk Analysis Toolkit and it meets our needs. It was easy to use and I believe that it very beneficial to our meeting meaningful use.
Bill Curtis
Neurosurgical Associates Of Texarkana, TX
Information (webinars) presented by databrackets (formerly EHR 2.0) highlights some of today’s most demanding healthcare topics. The webinars help to direct those operating in today’s rapidly changing environment in the right direction.
Candace M.
Privacy and Security Officer, Springhill Medical Center

Our Growing List of Credentials

0 +
Assessments
0 +
Clients
0 +
Assessment Libraries
0 +
Years of Experience
0 +
No. of Staff Trained
0 +
HIPAA
0 +
SOC 2 Readiness
0 +
Pen Testing
0 +
ISO 27001 Certifications
0 +
Dollars Saved in Compliance Penalties