NIST 800-53 r5 · Controls catalogue · Family PE
PE-17Alternate Work Site
Determine and document the {{ insert: param, pe-17_odp.01 }} allowed for use by employees; Employ the following controls at alternate work sites: {{ insert: param, pe-17_odp.02 }}; Assess the effectiveness of controls at alternate work sites; and Provide a means for employees to communicate with information security and privacy personnel in case of incidents.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (0)
- No ATT&CK techniques mapped to this control yet.
Weaknesses this control addresses (6)AI
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | 10,204 | Assessing control effectiveness and providing incident communication channels at alternate sites reduces the likelihood of sensitive information exposure to unauthorized actors. |
CWE-284 | Improper Access Control | 4,832 | Mandating and assessing controls at alternate sites enforces proper access control mechanisms that would otherwise be absent or weak in uncontrolled remote locations. |
CWE-732 | Incorrect Permission Assignment for Critical Resource | 1,824 | The requirement to employ and assess controls at alternate sites includes ensuring correct permission assignments for critical resources that could otherwise be misconfigured in remote environments. |
CWE-668 | Exposure of Resource to Wrong Sphere | 779 | Requiring controls and assessments at alternate work sites prevents exposure of resources to the wrong sphere by ensuring they remain protected outside the primary facility. |
CWE-552 | Files or Directories Accessible to External Parties | 540 | Employing and evaluating controls at documented alternate sites makes files and directories less likely to be accessible to external parties through physical or environmental weaknesses. |
CWE-1263 | Improper Physical Access Control | 13 | Requiring documentation of allowed sites plus implementation and assessment of controls at alternate work sites directly prevents improper physical access to systems and data. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| No CVEs annotated to this control yet — the per-CVE backfill is in progress. | ||||