
CMMC Remote Work

When Work-From-Home Devices Become In Scope

Remote work is one of the most underestimated scoping risks in CMMC. Most contractors assume that because CUI lives "in the cloud," employees' home environments are automatically out of scope. They are not.

CMMC remote work scoping is the process of determining which home office devices, networks, and physical spaces fall within the CMMC Level 2 assessment boundary when employees handle Controlled Unclassified Information (CUI) outside the corporate facility. Under 32 CFR Part 170 and NIST SP 800-171, any asset that processes, stores, or transmits CUI — or that provides security protections for assets that do — is in scope. Remote work doesn't change that definition. It changes which physical locations and personal devices that definition reaches.

Is my home office in scope for CMMC?

In a corporate office, the facility is already part of the assessment. When an employee works from home, the "facility" becomes their private residence. Three things become potential assessment artifacts the moment a remote employee touches CUI:

  • The endpoint device: If CUI can reach the laptop, it is a CUI Asset candidate.
  • The home network: The Wi-Fi router providing the access path can enter the assessment picture.
  • The physical space: Windows, sight lines, and shared occupants are all physical facility concerns.

Taking CUI into a home office is like handling hazardous materials at home. The moment CUI is visually present on a screen, the home becomes a controlled zone under CMMC scoping.

Does viewing CUI on a remote device make it in scope?

Under DoD's scoping definition, an asset "processes" CUI when it accesses, enters, edits, generates, manipulates, or prints it. "Access" includes opening a browser tab or VDI window that displays CUI. The data doesn't need to download for the endpoint to be in scope.

To keep a viewing device from full CUI Asset classification, two things must work together: MDM-enforced technical controls blocking clipboard sync, screenshots, and local downloads, plus SSP documentation justifying CRMA classification rather than CUI Asset.

The question is not whether a viewing device is in scope — it is. The question is which tier of scrutiny applies, and whether your documentation defends the lower tier.

How does a VDI enclave minimize remote work CMMC scope?

Figure: Remote work scoping comparison — local CUI storage puts the entire home environment in scope vs a VDI enclave with MDM controls minimizing scope to the cloud environment only.
  • High Risk — CUI Downloaded Locally: a laptop with CUI stored locally, the home Wi-Fi router, family/shared devices, and the physical home workspace. Home network, router config, shared devices, and physical workspace all become assessment artifacts.
  • Scope Minimized — VDI Enclave: a GCC High / Azure Gov enclave reached over an encrypted VPN tunnel only; the local laptop is CRMA / Out-of-Scope, with MDM blocking screenshot, print, and clipboard. The home network never handles CUI, and the physical home stays out of assessor scope.

How do you determine if a remote device is in scope for CMMC?

Rule 1: Can the endpoint store CUI locally (download, sync, or save to hard drive)?
  • YES: The endpoint is a CUI Asset, fully in scope. All 110 controls apply to the device and its environment.
  • NO: Proceed to Rule 2.

Rule 2: Can the endpoint view CUI in a browser, VDI session, or any application window?
  • YES: The endpoint is at minimum a scoping concern. It must be controlled and justified in the SSP, and is likely classified as CRMA.
  • NO: Proceed to Rule 3.

Rule 3: Does the home network provide the access path to the CUI environment?
  • YES: Document how the network is controlled: encrypted VPN, MFA required, no split-tunnel. The risk must be accepted and documented in the SSP.
  • NO: The device and network may qualify as Out-of-Scope if physical and logical isolation is documented and demonstrable.

Figure: Three-rule decision tree for classifying remote work devices — local storage, CUI viewing capability, and network access path determine the scoping tier.
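As an added example (not from the article or from any CMMC tool), the three rules above combined with the MDM and SSP conditions from the viewing-device section, applied to a small constructed endpoint inventory. The record field names and the inventory are assumptions for illustration, and Rule 3 is also evaluated for CRMA devices, which generalizes the tree slightly.

```python
# Added example, not from the article: apply the three-rule scoping test to an
# endpoint inventory. Field names ("can_store_cui", "mdm_blocks", ...) are
# constructed for illustration, not Intune, Jamf or Graph API property names.

# Leakage paths MDM must block before a viewing-only device is defensible as CRMA.
REQUIRED_BLOCKS = ("local_downloads", "clipboard_sync", "screenshots", "usb")
# Controls the SSP must document when the home network is the access path.
REQUIRED_NETWORK = ("vpn_encrypted", "mfa_required", "no_split_tunnel")


def classify(ep: dict) -> tuple:
    """Return (scoping tier, findings) for one endpoint record."""
    findings = []
    # Rule 1: local storage makes the device a CUI Asset outright.
    if ep.get("can_store_cui"):
        return "CUI Asset", ["Rule 1: CUI storable locally; all 110 controls apply"]
    tier = None
    # Rule 2: viewing is processing; CRMA holds only if MDM blocks every leakage path.
    if ep.get("can_view_cui"):
        blocks = ep.get("mdm_blocks", {})
        missing = [b for b in REQUIRED_BLOCKS if not blocks.get(b)]
        if missing:  # data can leave the session, so the device is a full CUI Asset
            return "CUI Asset", ["Rule 2: MDM does not block " + ", ".join(missing)]
        if not ep.get("ssp_justifies_crma"):
            findings.append("Rule 2: SSP lacks CRMA justification")
        tier = "CRMA"
    # Rule 3: run whenever the home network is the access path, also for CRMA devices.
    if ep.get("home_network_is_access_path"):
        net = ep.get("network_controls", {})
        gaps = [c for c in REQUIRED_NETWORK if not net.get(c)]
        if gaps:
            findings.append("Rule 3: access path uncontrolled; missing " + ", ".join(gaps))
        elif not ep.get("ssp_accepts_network_risk"):
            findings.append("Rule 3: network risk not accepted in SSP")
        tier = tier or "Access path in scope (document network controls)"
    elif tier is None:
        tier = "Out-of-Scope" if ep.get("isolation_documented") else "Undetermined"
    return tier, findings


# Constructed sample inventory (not real devices) and its classification.
ALL_BLOCKED, ALL_NET = dict.fromkeys(REQUIRED_BLOCKS, True), dict.fromkeys(REQUIRED_NETWORK, True)
INVENTORY = {
    "laptop-01": {"can_store_cui": True, "can_view_cui": True},
    "laptop-02": {"can_view_cui": True, "mdm_blocks": ALL_BLOCKED, "ssp_justifies_crma": True,
                  "home_network_is_access_path": True, "network_controls": ALL_NET, "ssp_accepts_network_risk": True},
    "laptop-03": {"can_view_cui": True, "mdm_blocks": {**ALL_BLOCKED, "screenshots": False}},
    "kiosk-04": {"isolation_documented": True},
}
REPORT = {name: classify(ep) for name, ep in INVENTORY.items()}
```

Each finding names the rule it comes from so the gap can be mapped straight to the SSP section or MDM profile that must change before assessment day.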

What remote work mistakes cause CMMC assessment failures?

  • Local Download

    Word auto-saves a local copy of a SharePoint CUI file. The laptop is now a CUI Asset. MDM must block local sync for CUI-tagged content.

  • Screenshot

    PrtScn saves CUI locally; a phone photo achieves the same result. MDM must disable screenshot keys; the AUP must explicitly prohibit screen photography.

  • Family Devices

    A child uses the corporate laptop or a spouse logs in. The AUP must prohibit third-party use; MDM should enforce user-level restrictions.

  • BYOD

    Personal devices accessing CUI are in scope but nearly impossible to validate. Prohibit CUI access on personal devices or require MDM enrollment.

  • Travel / Public Wi-Fi

    Accessing CUI on uncontrolled networks without a VPN is a direct NIST 800-171 compliance failure. The AUP must address travel scenarios explicitly.

  • Browser-Only Illusion

    Browser rendering is processing. Browsers cache tokens and thumbnails locally. "Browser-only" is not automatically out of scope.

What evidence do C3PAO assessors need for remote work controls?

Assessors use three methods in concert — Examine, Test, and Interview. All three must be consistent and documented before assessment day.

Pillar 1 — Examine
  • Acceptable Use Policy: signed by the employee; prohibits screen photos, shared access, and out-of-country travel with the device.
  • Remote Work Policy: governs the home workspace: dedicated space, locked when not in use, no unauthorized occupants.
  • SSP Documentation: confirms the remote endpoint classification (CRMA or CUI Asset) and justifies compensating controls.

Pillar 2 — Test
  • MDM Config Screenshots: console evidence (Intune, Jamf) that print-screen, local download, clipboard sync, and USB are disabled.
  • VDI Session Controls: evidence that local drive mapping and copy/paste from VDI to the local desktop are technically blocked.
  • MFA Enforcement Proof: configuration showing MFA is required for all VDI and remote access sessions, with no exceptions.

Pillar 3 — Interview
  • Employee Walkthrough: the employee demonstrates VDI login, explains AUP obligations, and understands that no family members may use the device.
  • Manager Confirmation: the supervisor explains enforcement of the remote work policy and the consequences for AUP violations.
  • IT/MSP Explanation: IT or the MSP explains how MDM profiles are pushed, verified, and updated for remote endpoints.

Figure: Three-pillar evidence checklist for remote work CMMC controls — Examine (policies), Test (MDM/VDI configurations), and Interview (employee/manager/IT walkthrough).

A signed AUP with no MDM enforcement fails the Test pillar. MDM that blocks screenshots but an employee who can't explain the VDI workflow fails the Interview pillar. All three must be consistent — and all three must be documented before assessment day.

The Bottom Line

To keep home offices out of CMMC scope, implement these three controls in sequence:
  • Deploy VDI through a FedRAMP Moderate-authorized environment (GCC High or equivalent) so CUI never leaves the cloud enclave.
  • Configure MDM (Intune, Jamf) to block local downloads, clipboard sync, screenshots, and USB access on every remote endpoint.
  • Draft and enforce a Remote Work Acceptable Use Policy — signed by every remote employee — that prohibits screen photography, shared device access, and CUI handling on uncontrolled networks.

Document all three in your SSP with the specific CRMA justification for each remote endpoint.

For every remote employee: deploy VDI, enforce MDM, collect signed AUPs, and document the endpoint classification in the SSP. Verify all three evidence pillars (Examine, Test, Interview) are satisfied before assessment day. The home office stays out of scope only when all three controls are technically enforced and documented.