
CMMC Remote Work

When Work-From-Home Devices Become In Scope

Remote work is one of the most underestimated scoping risks in CMMC. Most contractors assume that because CUI lives "in the cloud," employees' home environments are automatically out of scope. They are not.

In CMMC, any asset that processes, stores, or transmits Controlled Unclassified Information — or that provides security protections for assets that do — is in scope. Remote work doesn't change that definition. It changes which physical locations and personal devices that definition reaches.

What Remote Work Changes in Scoping Terms

In a corporate office, the facility is already part of the assessment. When an employee works from home, the "facility" becomes their private residence. Three things become potential assessment artifacts the moment a remote employee touches CUI:

  • The endpoint device: If CUI can reach the laptop, it is a CUI Asset candidate.
  • The home network: The Wi-Fi router providing the access path can enter the assessment picture.
  • The physical space: Windows, sight lines, and shared occupants are all physical facility concerns.

Taking CUI into a home office is like handling hazardous materials at home. The moment CUI is visually present on a screen, the home becomes a controlled zone under CMMC scoping.

Why "Process" Includes Viewing

Under DoD's scoping definition, an asset "processes" CUI when it accesses, enters, edits, generates, manipulates, or prints it. "Access" includes opening a browser tab or VDI window that displays CUI. The data doesn't need to download for the endpoint to be in scope.

To keep a viewing device from being classified as a full CUI Asset, two things must work together: MDM-enforced technical controls that block clipboard sync, screenshots, and local downloads, plus SSP documentation justifying classification as a CRMA (Contractor Risk Managed Asset) rather than a CUI Asset.

The question is not whether a viewing device is in scope — it is. The question is which tier of scrutiny applies, and whether your documentation defends the lower tier.

The Remote Work Scoping Boundary

⚠ High Risk — CUI Downloaded Locally
  • Laptop — CUI stored locally
  • Home Wi-Fi Router
  • Family / Shared Devices
  • Physical Home Workspace
Home network, router config, shared devices, and physical workspace all become assessment artifacts.

✓ Scope Minimized — VDI Enclave
  • GCC High / Azure Gov Enclave
  • Encrypted VPN tunnel only (the sole path between the enclave and the laptop)
  • Local Laptop — CRMA / Out-of-Scope
  • MDM: screenshot, print, clipboard blocked
Home network never handles CUI. Physical home stays out of assessor scope.

Remote Work Decision Rules: Is This Device In Scope?

Rule 01: Can the endpoint store CUI locally (download, sync, or save to hard drive)?
  • YES → Endpoint is a CUI Asset. Fully in scope. All 110 controls apply to the device and its environment.
  • NO → Proceed to Rule 02.

Rule 02: Can the endpoint view CUI (in a browser, VDI session, or any application window)?
  • YES → Endpoint is at minimum a scoping concern. Must be controlled and justified in the SSP. Likely classified as CRMA.
  • NO → Proceed to Rule 03.

Rule 03: Does the home network provide the access path to the CUI environment?
  • YES → Document how the network is controlled: encrypted VPN, MFA required, no split-tunnel. Risk must be accepted and documented in the SSP.
  • NO → Device and network may qualify as Out-of-Scope if physical and logical isolation is documented and demonstrable.
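The three rules, applied as a small decision procedure over endpoint posture records. This is an added example, not code from the original article or from any CMMC assessment tool; the EndpointPosture fields, the constructed sample records and the wording of the gap messages are assumptions chosen for illustration. It goes slightly beyond the literal flow in two places: a viewing device defends CRMA only when the MDM blocks and the SSP justification named under "Why 'Process' Includes Viewing" are all present (otherwise it falls back to CUI Asset), and the Rule 03 network checks are also run against a CRMA viewing device, since the VDI diagram confines that device's traffic to an encrypted VPN tunnel.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Tiers named in the article, plus one label for "has not earned Out-of-Scope yet".
CUI_ASSET = "CUI Asset"
CRMA = "CRMA"  # Contractor Risk Managed Asset
OUT_OF_SCOPE = "Out-of-Scope"
NOT_DEFENSIBLE = "In scope (Out-of-Scope not yet defensible)"


@dataclass
class EndpointPosture:
    """Posture of one remote endpoint. Field names are assumptions for this
    example; in practice they would be filled from an MDM / VDI config export."""
    name: str
    can_store_cui_locally: bool        # Rule 01: download, sync, or save to disk
    can_view_cui: bool                 # Rule 02: browser, VDI, or application window
    home_network_is_access_path: bool  # Rule 03
    # MDM / VDI technical controls (the Pillar 2 "Test" evidence)
    screenshot_blocked: bool = False
    clipboard_sync_blocked: bool = False
    local_download_blocked: bool = False
    # Network controls needed when the home network is the access path
    vpn_encrypted: bool = False
    mfa_required: bool = False
    split_tunnel_disabled: bool = False
    # SSP documentation
    ssp_justifies_classification: bool = False
    isolation_documented: bool = False


def network_gaps(p: EndpointPosture) -> List[str]:
    """Rule 03: controls the SSP must show when the home network is the access path."""
    if not p.home_network_is_access_path:
        return []
    checks = [
        (p.vpn_encrypted, "Rule 03: access to the CUI environment is not confined to an encrypted VPN"),
        (p.mfa_required, "Rule 03: MFA is not required for the remote session"),
        (p.split_tunnel_disabled, "Rule 03: split tunnelling is allowed"),
        (p.ssp_justifies_classification, "Rule 03: home-network risk is not accepted and documented in the SSP"),
    ]
    return [msg for ok, msg in checks if not ok]


def classify_endpoint(p: EndpointPosture) -> Tuple[str, List[str]]:
    """Walk the rules in order; return the tier the posture currently defends and the gaps."""
    # Rule 01: a device that can hold CUI on disk is a CUI Asset, whatever else is true.
    if p.can_store_cui_locally:
        return CUI_ASSET, ["Rule 01: endpoint can store CUI locally; all 110 controls apply to the device and its environment"]

    # Rule 02: a viewing device is in scope. It defends CRMA only when the MDM blocks and
    # the SSP justification are both present; otherwise it falls back to CUI Asset.
    if p.can_view_cui:
        checks = [
            (p.screenshot_blocked, "Rule 02: MDM does not block screenshots"),
            (p.clipboard_sync_blocked, "Rule 02: MDM does not block clipboard sync"),
            (p.local_download_blocked, "Rule 02: MDM does not block local downloads"),
            (p.ssp_justifies_classification, "Rule 02: SSP does not justify CRMA rather than CUI Asset"),
        ]
        gaps = [msg for ok, msg in checks if not ok]
        if gaps:
            return CUI_ASSET, gaps
        # Assumption: the CRMA device's access path still has to satisfy Rule 03.
        return CRMA, network_gaps(p)

    # Rule 03: the device never shows CUI; only the access path and isolation remain.
    gaps = network_gaps(p)
    if not p.home_network_is_access_path and not p.isolation_documented:
        gaps.append("Rule 03: physical and logical isolation is not documented and demonstrable")
    return (OUT_OF_SCOPE, []) if not gaps else (NOT_DEFENSIBLE, gaps)


def summarize(postures: List[EndpointPosture]) -> Dict[str, str]:
    """Map each endpoint name to the tier it defends; handy for an SSP asset table."""
    return {p.name: classify_endpoint(p)[0] for p in postures}


# Constructed sample postures (not real devices).
SAMPLE_POSTURES = [
    EndpointPosture("laptop-01", True, True, True),
    EndpointPosture("vdi-thin-02", False, True, True, screenshot_blocked=True, clipboard_sync_blocked=True,
                    local_download_blocked=True, vpn_encrypted=True, mfa_required=True,
                    split_tunnel_disabled=True, ssp_justifies_classification=True),
    EndpointPosture("vdi-thin-03", False, True, True, clipboard_sync_blocked=True, local_download_blocked=True,
                    vpn_encrypted=True, mfa_required=True, split_tunnel_disabled=True,
                    ssp_justifies_classification=True),
    EndpointPosture("kiosk-04", False, False, False, isolation_documented=True),
    EndpointPosture("kiosk-05", False, False, True, mfa_required=True, split_tunnel_disabled=True),
]

if __name__ == "__main__":
    for p in SAMPLE_POSTURES:
        tier, gaps = classify_endpoint(p)
        print(f"{p.name}: {tier}")
        for g in gaps:
            print(f"  - {g}")
```

The returned tier is the one the current evidence defends, not the one the contractor hopes for: vdi-thin-03 differs from vdi-thin-02 only in a missing screenshot block, and that single gap drops it from CRMA to CUI Asset, which is exactly the argument an assessor would make.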

Six Remote Work Traps That Fail Assessments

  • Local Download

    Word auto-saves a local copy of a SharePoint CUI file. The laptop is now a CUI Asset. MDM must block local sync for CUI-tagged content.

  • Screenshot

    PrtScn saves CUI locally; a phone photo achieves the same result. MDM must disable screenshot keys; the AUP must explicitly prohibit screen photography.

  • Family Devices

    A child uses the corporate laptop or a spouse logs in. The AUP must prohibit third-party use; MDM should enforce user-level restrictions.

  • BYOD

    Personal devices accessing CUI are in scope but nearly impossible to validate. Prohibit CUI access on personal devices or require MDM enrollment.

  • Travel / Public Wi-Fi

    Accessing CUI on uncontrolled networks without a VPN is a direct NIST 800-171 compliance failure. The AUP must address travel scenarios explicitly.

  • Browser-Only Illusion

    Browser rendering is processing. Browsers cache tokens and thumbnails locally. "Browser-only" is not automatically out of scope.

Evidence Checklist for Remote Work Controls

Assessors use three methods in concert — Examine, Test, and Interview. All three must be consistent and documented before assessment day.

Pillar 1 — Examine
  • Acceptable Use Policy: Signed by employee — prohibits screen photos, shared access, out-of-country travel with device
  • Remote Work Policy: Governs home workspace — dedicated space, locked when not in use, no unauthorized occupants
  • SSP Documentation: Confirms remote endpoint classification (CRMA or CUI Asset) and justifies compensating controls

Pillar 2 — Test
  • MDM Config Screenshots: Console evidence (Intune, Jamf) that print-screen, local download, clipboard sync, and USB are disabled
  • VDI Session Controls: Evidence that local drive mapping and copy/paste from VDI to local desktop are technically blocked
  • MFA Enforcement Proof: Configuration showing MFA is required for all VDI and remote access sessions — no exceptions

Pillar 3 — Interview
  • Employee Walkthrough: Employee demonstrates VDI login, explains AUP obligations, understands that no family members may use the device
  • Manager Confirmation: Supervisor explains enforcement of remote work policy and consequences for AUP violations
  • IT/MSP Explanation: IT or MSP explains how MDM profiles are pushed, verified, and updated for remote endpoints

A signed AUP with no MDM enforcement fails the Test pillar. MDM that blocks screenshots but an employee who can't explain the VDI workflow fails the Interview pillar. All three must be consistent — and all three must be documented before assessment day.

The Bottom Line

VDI keeps data in the cloud. MDM enforces endpoint rules. Acceptable Use Policies close the gaps technical controls cannot reach. When all three are in place and documented in the SSP, the home office stays out of the assessor's scope.

The home office does not have to be in scope. But keeping it out requires planning — not assumption.