CMMC Level 1: The Reality Check — Part 6 of 6

Remote Work Is Your Biggest CMMC Blind Spot

Home offices, personal devices, and the compliance gaps assessors find

By Overwatch Tools  |  CMMC Level 1 Compliance  |  March 2026

You've configured your office. You've set up your cloud platform. You've worked through the documentation requirements, maybe even started collecting evidence. You're feeling like you've got a handle on this.

Now: what happens when your team logs in from home?

For most small defense contractors, this is the question that breaks otherwise solid compliance work. Remote work is genuinely complicated territory under CMMC — not because the requirements are unfair, but because every home setup is different, the judgment calls are real, and most compliance guides skip this chapter entirely.

This guide won't skip it. We're going to walk through the specific gaps that appear most often in home office and remote work setups, explain what the CMMC framework expects, and be honest about where the right answer requires expert judgment rather than a generic checklist.

What We'll Cover

  1. First: Is your home office even in scope?
  2. Gap 1 — Home network security
  3. Gap 2 — Personal device use (BYOD)
  4. Gap 3 — Physical access and printed materials
  5. Gap 4 — Screen lock and unattended device policies
  6. Gap 5 — VPN: when you need it and when you don't
  7. Gap 6 — Documentation: can you prove remote workers are compliant?
  8. Platform-specific remote considerations: GWS vs. M365
  9. What a complete remote work compliance picture looks like

First: Is Your Home Office Even In Scope?

Before we talk about gaps, we need to talk about scope — because this is where a lot of confusion starts.

CMMC compliance applies to systems that process, store, or transmit Federal Contract Information (FCI). So the first question isn't "how do I make my home office compliant?" — it's "does FCI flow through my home office at all?"

For many small contractors, the answer is yes. If your employee's home laptop is the device they use to access email containing contract details, open documents in your cloud platform, or communicate with your prime contractor — then that home setup is part of your CMMC boundary.

The Scoping Reality for Remote Teams

A well-scoped CMMC environment for a remote team typically includes:

  • The cloud platform your team uses for work (Microsoft 365 or Google Workspace)
  • The devices your employees use to access that platform
  • The networks those devices connect through — including home networks
  • Any physical locations where FCI might be stored or viewed (yes, including home offices)

This doesn't mean your employees' entire home life is in scope. It means the parts of their environment that touch FCI are in scope — and that line requires a thoughtful judgment call.

The good news: scoping your remote environment thoughtfully can significantly reduce the compliance burden. A consultant who helps you define scope carefully is giving you real value — not just telling you everything is in scope and handing you a 400-page policy binder.


The Six Remote Work Compliance Gaps

These are the gaps we encounter most often when working with small contractors whose teams work from home. They're not hypothetical — they come up in consultation sessions regularly, and they're the areas where DIY compliance tends to have the biggest holes.

⚠ Remote Risk #1

Home Network Security

The risk: A home network is a fundamentally different environment from a corporate network. There's typically no enterprise firewall, no IT-managed router, and no network monitoring. The same WiFi your employee uses to access contract work is often shared with family members, streaming devices, smart home gadgets, and sometimes neighbors if the router password hasn't been changed in years.

What compliant looks like: CMMC Level 1 physical protection requirements don't stay at the office door — they extend to wherever FCI is accessed. For home networks, this generally means ensuring the work device connects to a reasonably secured network: strong WiFi password, WPA2 or WPA3 encryption, and ideally guest network separation for IoT and personal devices.

The judgment call: There's no CMMC requirement that employees have enterprise-grade home networks. But there's also no free pass for networks that present obvious risk. Where that line falls — and how you document your position on it — is exactly the kind of question that benefits from expert input. "We use WPA2 with a strong password and IoT devices are on a separate guest network" lands very differently than "we're not sure what settings the router is on."

⚠ Remote Risk #2

Personal Device Use (BYOD)

The risk: Personal devices are one of the most common sources of compliance gaps in remote setups. If an employee accesses your Microsoft 365 or Google Workspace tenant from their personal laptop — a device that isn't managed, doesn't have compliant security settings, and may have software installed that you'd never approve on a work device — you have a problem that doesn't disappear because you didn't ask about it.

What compliant looks like: The cleanest CMMC position is company-owned, company-managed devices only. If that's not realistic for your team right now, BYOD under CMMC is possible — but it requires clear policies, device enrollment, and platform-specific enforcement (conditional access in M365, context-aware access in Google Workspace). "We asked employees not to use personal devices" is not a compliant BYOD policy.

The judgment call: Personal devices create real complexity. If an employee reads a work email with contract details on their personal iPhone, is that phone in scope? These questions don't have clean universal answers — they depend on your specific setup, what your policies say, and what you can actually enforce. Experienced guidance prevents you from either over-scoping (treating every device any employee owns as a compliance problem) or under-scoping (ignoring genuine risk because you didn't want to deal with it).

⚠ Remote Risk #3

Physical Access and Printed Materials

The risk: CMMC has explicit physical protection requirements. "Limit physical access to organizational systems" doesn't just apply to office buildings — it applies wherever your systems and FCI are located. In a home office, that means thinking about who else can access the physical space, whether documents get printed and left on a shared desk, and whether a guest or family member could view contract information on an unlocked screen.

What compliant looks like: At minimum, employees should understand that printed FCI materials are controlled documents — not items to leave on the kitchen counter. Home offices don't need to be physical vaults, but there should be documented awareness and expectations around physical handling of contract materials. If employees regularly print contract documents, that practice needs to be addressed in your policies.

The judgment call: Physical protection requirements for home offices are among the most variable in CMMC. An employee with a dedicated home office and a closed door is a very different situation from someone working at a shared kitchen table with three roommates. Your policies need to acknowledge this variability and establish appropriate expectations — which means you need to actually know what your employees' home setups look like.

⚠ Remote Risk #4

Screen Lock and Unattended Device Policies

The risk: CMMC requires session lock after inactivity. In an office, enforcing screen lock via group policy or MDM is straightforward. At home, the same technical controls should apply — but enforcement is harder to verify, and the risks are different. A laptop sitting open on a home desk with a work session active is a real exposure when others are in the space.

What compliant looks like: Screen lock settings need to be configured on every device that accesses FCI — whether it's in the office or at home. This is a technical control, not just a policy statement. You need evidence showing screen lock is configured to activate after an appropriate inactivity period on all managed devices. "We have a policy that employees should lock their screens" is not the same as "we have configuration evidence showing screen lock is enforced at 5 minutes of inactivity on all managed devices."

The judgment call: Screen lock is more straightforward than some remote work requirements — it's a technical control that can and should be enforced centrally. The gap isn't usually in knowing the requirement exists. It's in having documentation that proves it's implemented everywhere, including remote devices, and that addresses what happens when employees use personal devices.
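As an added illustration of what "configuration evidence" can look like (this script is not from the original post or from Overwatch Tools), the following PowerShell reads the Windows machine inactivity limit and screen-saver settings on a device, compares them against the 5-minute threshold the post uses as its example, and writes a per-device evidence record. The evidence folder path and the CSV naming are assumptions; the registry locations are the standard ones that Group Policy, Intune and the local security policy write to.

```powershell
# Added example (not from the Overwatch Tools post): collect screen-lock
# configuration evidence from a Windows 10/11 device for the CMMC evidence folder.
# The 300-second threshold matches the post's "5 minutes of inactivity" example;
# $EvidenceDir is an assumed output location.

$MaxIdleSeconds = 300
$EvidenceDir    = "$env:USERPROFILE\CMMC-Evidence"   # assumption: where evidence is kept

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent instead of throwing
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

# Machine-wide "Interactive logon: Machine inactivity limit" (set by GPO / Intune / secpol)
$machineLimit = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'InactivityTimeoutSecs'

# Per-user screen saver settings: the Policies hive (enforced) takes precedence over the user's own values
$policyDesktop = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$userDesktop   = 'HKCU:\Control Panel\Desktop'
$ssActive  = Get-RegValue $policyDesktop 'ScreenSaveActive'
if ($null -eq $ssActive)  { $ssActive  = Get-RegValue $userDesktop 'ScreenSaveActive' }
$ssTimeout = Get-RegValue $policyDesktop 'ScreenSaveTimeOut'
if ($null -eq $ssTimeout) { $ssTimeout = Get-RegValue $userDesktop 'ScreenSaveTimeOut' }
$ssSecure  = Get-RegValue $policyDesktop 'ScreenSaverIsSecure'
if ($null -eq $ssSecure)  { $ssSecure  = Get-RegValue $userDesktop 'ScreenSaverIsSecure' }

# Pass when either the machine inactivity limit or a password-protected screen saver
# locks the session within the threshold. A screen saver without "on resume, require
# password" does not count: it blanks the screen but leaves the session open.
$machineOk = ($machineLimit -is [int] -and $machineLimit -gt 0 -and $machineLimit -le $MaxIdleSeconds)
$saverOk   = ($ssActive -eq '1' -and $ssSecure -eq '1' -and
              [int]$ssTimeout -gt 0 -and [int]$ssTimeout -le $MaxIdleSeconds)

$record = [pscustomobject]@{
    Collected              = (Get-Date).ToString('o')
    ComputerName           = $env:COMPUTERNAME
    User                   = $env:USERNAME
    MachineInactivitySecs  = $machineLimit
    ScreenSaverActive      = $ssActive
    ScreenSaverTimeoutSecs = $ssTimeout
    ScreenSaverRequiresPwd = $ssSecure
    MeetsThreshold         = ($machineOk -or $saverOk)
}

# One CSV per device, timestamped inside the record, so the evidence folder
# shows the setting on every remote machine rather than a single screenshot
New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null
$record | Export-Csv -Path (Join-Path $EvidenceDir "screenlock-$($env:COMPUTERNAME).csv") -NoTypeInformation
$record | Format-List
```

A record where MeetsThreshold is False on a remote device is exactly the gap the post describes: the policy exists on paper, but the device does not enforce it.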

⚠ Remote Risk #5

VPN Requirements — When You Need It and When You Don't

The risk: The question of whether remote workers need a VPN comes up constantly, and the answer is genuinely more nuanced than most guides acknowledge. If your FCI lives entirely in a properly secured cloud platform (Microsoft 365 or Google Workspace), a VPN may not be required — because FCI is protected at the application layer by the cloud platform itself. However, if you have any on-premises infrastructure, VPN becomes a different conversation entirely.

What compliant looks like: For cloud-only environments, the security question shifts to the platform itself. Is your Microsoft 365 or Google Workspace configured with appropriate conditional access policies, MFA, and session controls? If yes, remote access over a home network may have adequate security. If no, you have more fundamental problems to solve first.

The judgment call: VPN is a tool, not a magic compliance checkbox. Whether you need one, what type, and how it's configured depends heavily on your infrastructure. This is also an area where the wrong decision creates compliance problems that aren't obvious until an assessor asks about your remote access architecture. The right answer depends on your specific environment — and it's a question you need a clear, documented answer to.

⚠ Remote Risk #6

Documentation — Can You Prove Remote Workers Are Compliant?

The risk: This gap catches people off guard even when they've done everything else reasonably well. You may have thought through home networks, locked down device policies, and addressed BYOD. But can you show evidence of all of it? For remote workers specifically, assessors will want to know: How do you ensure remote worker compliance? What documentation covers home office setups? What training have remote workers received? What evidence shows their devices are configured correctly?

What compliant looks like: Remote work compliance documentation should include: a remote work or telework policy that addresses home office security requirements; device configuration evidence for all remote devices; employee acknowledgment records showing remote workers received and understood the policy; and evidence that platform-level controls (conditional access, MFA, device enrollment) are active and applied.

The judgment call: The depth of documentation required scales with your risk profile and setup specifics. But the baseline is clear: "we trust our employees to handle this" is not an assessable compliance position. You need artifacts that demonstrate the controls exist and are implemented — not just that you intended to implement them.


Remote Work Is Where We Find the Most Gaps

Home office configurations are the most variable element in CMMC compliance — and they're where we spend the most time in our consultation sessions. Every setup is different, which means generic checklists don't cut it here. Let's look at yours specifically.


Platform-Specific Remote Work Considerations

How you address remote work compliance depends significantly on whether your team runs on Google Workspace or Microsoft 365. The controls exist in both platforms — but they're configured differently, and the specific questions to answer are different.

Google Workspace

Key Remote Work Controls

  • Context-Aware Access — Restrict access to Workspace based on device security posture, network location, or both. Personal devices without endpoint verification can be blocked or limited.
  • Device Policies via Admin Console — Enforce screen lock, encryption, and OS version requirements on enrolled devices, including remote employee machines.
  • Mobile Device Management — Manage both company-owned and BYOD devices, with the ability to wipe access remotely if a device is lost or an employee departs.
  • Login Challenges — Additional verification when access is attempted from an unrecognized device or location.
  • 2-Step Verification Enforcement — Mandatory MFA at the org level ensures remote employees can't bypass it.
  • Session Controls — Configure session duration limits to reduce risk from unattended sessions.

Microsoft 365

Key Remote Work Controls

  • Conditional Access Policies — Gate access to M365 resources based on device compliance status, location, and risk score. Home networks can trigger MFA challenges or block access from unmanaged devices.
  • Microsoft Intune — Enforce device configuration policies (screen lock, encryption, OS version) on enrolled devices, including remote machines. BYOD enrollment enables policy enforcement without full device management.
  • Azure AD Identity Protection — Risk-based controls that flag unusual sign-in behavior, including from unfamiliar locations.
  • Compliant Device Requirement — Conditional Access can require a device to pass Intune compliance checks before accessing M365 data.
  • MFA Enforcement — Security Defaults or Conditional Access policies ensure remote employees authenticate with MFA.
  • Session Timeout Policies — Configurable for inactive sessions in SharePoint, Teams, and other M365 services.

Key Point

Both platforms have the controls you need for remote worker compliance — but neither platform configures them for you by default. Out-of-the-box Google Workspace and Microsoft 365 do not enforce compliant remote work policies. These controls need to be intentionally configured, documented, and maintained. That's not a criticism of the platforms; it's the reality of enterprise software that serves a broad range of customers with different needs.

The Configuration Gap

The remote work conversation isn't just "does my platform support this?" — it does. The question is "have I configured it correctly, can I prove it, and does my documentation cover my remote employees specifically?" In our experience, the answer to the documentation question is most often no — even when the technical configuration is mostly right.


What a Complete Remote Work Compliance Picture Looks Like

A small contractor with remote workers who is genuinely CMMC Level 1 compliant for remote setups has addressed all of the following:

Policy and Documentation Layer

  • A remote work or telework policy covering home office security expectations
  • Scope documentation clearly defining what's in scope for remote workers and what's out
  • Employee acknowledgment records showing remote workers received and understood the policy
  • A BYOD policy — or a documented prohibition on BYOD (both are defensible, depending on your setup)
  • Physical media and print handling guidance for home office environments

Technical Controls Layer

  • MFA enforced at the platform level for all users, including remote employees
  • Screen lock enforced via device management — not just a policy request
  • Device enrollment for all devices that access FCI, including remote worker devices
  • Platform-level conditional access or context-aware access controls in place
  • Evidence that these configurations are active and applied to remote devices specifically

Evidence Layer

  • Screenshots or exports showing device policy enforcement is active
  • MFA enrollment records for all users
  • Device compliance reports from Intune or Google Admin Console
  • Signed policy acknowledgments from remote employees
  • Evidence of regular review (annual policy review, periodic device audits)

This is achievable. None of it requires enterprise IT infrastructure, a dedicated security team, or a six-month implementation timeline. But it does require knowing what to build, how to configure the controls in your specific platform, and how to organize the evidence in a way that holds up to scrutiny.

Why DIY Compliance Most Often Stalls Here

Remote work compliance is the area where self-directed implementation most commonly has gaps — not because the requirements are unusually complex, but because they require judgment. Every home setup is different. Whether a personal device is adequately secured isn't answered by a checkbox — it's answered by understanding what controls are available in your platform and what policies are enforceable given your team's actual situation.

Generic templates don't answer these questions. A remote work policy downloaded from the internet doesn't know whether your team uses Chromebooks or Windows laptops, whether you have BYOD or company-owned devices, or how your home networks are structured. You need documentation that reflects your actual environment.

That's the whole point of platform-specific consultation sessions: not to give you a template to fill out alone, but to work through your specific setup — who's working from home, what devices they're on, how your platform is configured — and build documentation that accurately reflects what you've actually implemented.

How the Turnkey Package Addresses Remote Work

The L1 Turnkey Package ($2,495/year, limited time — save $500) includes platform-specific guidance for both Google Workspace and Microsoft 365 remote configurations — not generic templates, but configuration guides and artifact templates built around the actual controls in your platform.

The 8 bi-weekly consultation sessions are where remote work specifics get addressed. You bring your setup — what devices your team uses, where they work, what your home office situations look like — and we work through the scope questions, configuration requirements, and documentation together. The 142 artifacts cover everything needed to document remote worker compliance: policies, procedures, configuration evidence templates, and employee acknowledgment forms.

Most clients complete their full Level 1 assessment in 2–4 weeks. Remote work doesn't have to be the part that slows you down.


The Honest Takeaway

Remote work compliance isn't impossibly complex. It's variable — and that variability is what makes it hard to do well without guidance. The gaps are real, they come up in assessments, and they're exactly where DIY compliance tends to leave the most holes.

The good news: if you've addressed the technical controls, the documentation is achievable. A thoughtful scope definition can significantly reduce your burden. And with a structured approach — platform-specific configuration guides, clear policy templates, and expert review of your specific setup — remote work compliance becomes the solved problem it should be, not the lingering uncertainty it often is.

Every home office is different. That's precisely why this one needs a conversation, not a checklist.

Let's Talk About Your Remote Setup Specifically

Remote and home office configurations are where we find the most gaps — and where we add the most value. Schedule a free 30-minute consultation and we'll work through your specific situation: what devices your team uses, how your platform is configured, and what documentation you need to cover remote workers in your self-assessment.

No sales pitch. Just an honest look at where you stand and what you need to do next.


About Overwatch Tools

Overwatch Tools specializes in CMMC Level 1 and Level 2 self-assessment compliance solutions for small defense contractors. Founded by government contracting veterans with 25+ years of experience, we built the L1 Turnkey Package to give small contractors everything they need — platform-specific templates, configuration guides, expert consultation, and structured evidence collection — without enterprise bloat or $50K consultant fees.

Website: overwatchtools.com  |  Email: info@overwatchtools.com  |  Chesapeake, Virginia

Copyright © 2025 Overwatch Tools, Inc.