Compliance with what? I've never heard of this as part of FedRAMP, PCI, SOC2, or FINRA requirements. Another user hasn't heard of it in an ITAR restricted context. I don't see how you could ever pass an audit if employees' personal devices are in-scope. You could never check all of the other boxes you need.
The router public IP requirement in particular is an impossible one. You don't control what address your ISP gives you. No checklist is going to have an item for some random unaffiliated third party. They might be stupid, but not that stupid.
I have never asked where these requirements come from. Possibly, they are just the whims of that customer. To me, they seem to be written as a windy way to require connecting through a mobile hotspot managed by the operator.
The router public IP requirement in particular is an impossible one. You don't control what address your ISP gives you. No checklist is going to have an item for some random unaffiliated third party. They might be stupid, but not that stupid.