This page is classified as INTERNAL.
NIST 800-53 (r4) Control
The organization:
a. Employs [Assignment: organization-defined security controls] at alternate work sites;
b. Assesses as feasible, the effectiveness of security controls at alternate work sites; and
c. Provides a means for employees to communicate with information security personnel in case of security incidents or problems.
NIST 800-53 (r4) Supplemental Guidance
Alternate work sites may include, for example, government facilities or private residences of employees. While commonly distinct from alternative processing sites, alternate work sites may provide readily available alternate locations as part of contingency operations. Organizations may define different sets of security controls for specific alternate work sites or types of sites depending on the work-related activities conducted at those sites. This control supports the contingency planning activities of organizations and the federal telework initiative. Related controls: AC-17, CP-7.
NIST 800-53 (r5) Discussion
Alternate work sites include government facilities or the private residences of employees. While distinct from alternative processing sites, alternate work sites can provide readily available alternate locations during contingency operations. Organizations can define different sets of controls for specific alternate work sites or types of sites depending on the work-related activities conducted at the sites. Implementing and assessing the effectiveness of organization-defined controls and providing a means to communicate incidents at alternate work sites supports the contingency planning activities of organizations.
38North Guidance:
Meets Minimum Requirement:
Define the security controls in place at alternate work sites, including telework security arrangements.
Provide evidence that alternate work site security is assessed.
Incorporate alternative methods of communication and acceptable-use expectations (e.g., personal cellphones, personal email, alternative corporate arrangements) into incident response plans.
Best Practice:
Maintain alternate sites with identical security controls (e.g. a hot site) assessed as part of the boundary.
If a hot site is not feasible, have alternate corporate-controlled spaces (e.g., an office building) in distinct geographic areas that can securely absorb staff.
Have plans for the secure transfer of critical personnel to secure locations, including trigger criteria.
Test regional evacuation plans.
If secure telework is a planned approach, equip personnel with organization-owned, hardened and managed devices for use in the telework scenario.
For personnel who normally have local access only, have plans for securely and temporarily escalating privileges to allow remote access when offsite work is required due to an emergency.
Unofficial FedRAMP Guidance:
TBD
Assessment Evidence:
Review documentation describing continuity of operations plans and associated security controls.
Interview personnel to ensure that they understand their responsibilities in the event of a disaster.
Determine whether alternate sites are within the boundary (e.g., a hot site) and assess them accordingly.
If alternate sites are not part of the boundary, review other documentation to determine whether the organization makes any effort to assess the controls at those sites.
Review alternate site work agreements, if applicable.
CSP Implementation Tips:
AWS: Fully inherited.
Azure: Fully inherited.
GCP: Fully inherited.