System and Communications Protection 3.13.7 (3.13.7)
Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks (i.e., split tunneling).
What Is This CMMC Control?
This control requires organizations to prevent remote workers from using split tunneling, which is when a device connects to both the organization's network (via VPN) and the internet directly at the same time. Split tunneling creates security risks because it allows unauthorized connections and potential data leakage. Organizations must configure remote devices to force all traffic through the VPN when connected, and must detect and block devices attempting to use split tunneling.
Control Intent
Prevent unauthorized external network connections and data exfiltration by ensuring remote devices route all traffic through the organization's controlled network infrastructure when accessing organizational systems.
Who This Control Applies To
- Organizations with remote workers accessing CUI or organizational systems
- VPN solutions used for remote access to organizational networks
- Remote devices including laptops, tablets, smartphones, and other mobile devices
- Network access control systems that authenticate remote connections
- Remote desktop solutions and virtual desktop infrastructure (VDI)
- Cloud-based applications accessed by remote workers handling CUI
- Contractor and third-party users with remote access to organizational systems
Not Applicable When
- Organization has no remote workers or remote access capabilities
- All work is performed exclusively on-site with no remote connectivity
- Remote users only access completely isolated systems with no CUI
- Organization uses zero-trust architecture where all connections are treated as external (implementation may differ but intent is met)
Key Objectives
1. Prevent simultaneous connections between remote devices and both organizational systems and external networks
2. Eliminate unauthorized pathways for data exfiltration from organizational systems
3. Ensure all remote access traffic is subject to organizational security controls and monitoring
4. Detect and prevent split tunneling configurations on remote devices accessing organizational systems
Sample Self-Assessment Questions (Partial)
Do you have employees, contractors, or other users who work remotely and access company systems from outside the office?
Do remote workers use VPN to connect to your network?
Implementation Approaches (High-Level)
VPN Client-Side Split Tunneling Prevention
Configure VPN client software to disable split tunneling and prevent users from modifying this setting
VPN Server-Side Split Tunneling Prevention
Configure VPN concentrator or server to enforce full tunneling regardless of client configuration
Network Access Control (NAC) Split Tunneling Detection
Deploy NAC solution that detects split tunneling and blocks non-compliant devices from accessing the network
Endpoint Management Platform Enforcement
Use endpoint management tools (MDM, GPO, configuration management) to deploy and enforce VPN settings that prevent split tunneling
Zero Trust Network Access (ZTNA) Architecture
Implement zero trust architecture where all connections are treated as untrusted and split tunneling is not applicable because there is no traditional VPN tunnel
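The NAC detection and endpoint enforcement approaches above both come down to answering one question on the device: once the VPN is up, does anything still route around it? The following posture check is an added example (not code from this page or any vendor product) that reads a Linux `ip route show` table and reports whether the host is split-tunneled. The VPN adapter name (tun0), the VPN server address (203.0.113.10), and the two routing tables are constructed assumptions.

```python
import ipaddress
import re

# Matches one `ip route show` line: destination, optional gateway, device, trailing flags.
ROUTE_RE = re.compile(r"^(\S+)\s+(?:via\s+\S+\s+)?dev\s+(\S+)(.*)$")

# Constructed samples (assumed names: VPN adapter tun0, VPN server 203.0.113.10). FULL pushes
# the 0.0.0.0/1 + 128.0.0.0/1 override pair via tun0; SPLIT pushes only the corporate 10.20.0.0/16.
FULL_TUNNEL = """default via 192.168.1.1 dev eth0 proto dhcp metric 100
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
203.0.113.10 via 192.168.1.1 dev eth0"""
SPLIT_TUNNEL = """default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.20.0.0/16 via 10.8.0.1 dev tun0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
203.0.113.10 via 192.168.1.1 dev eth0"""

def parse_routes(text):
    """Parse `ip route show` output into (network, device, on_link) tuples."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            dst = "0.0.0.0/0" if m.group(1) == "default" else m.group(1)
            net = ipaddress.ip_network(dst, strict=False)
            routes.append((net, m.group(2), "scope link" in m.group(3)))
    return routes

def vpn_owns_default(routes, vpn_iface):
    """True when every destination falls to the VPN: a default route or the /1 override pair."""
    vpn_nets = {str(net) for net, dev, _ in routes if dev == vpn_iface}
    return "0.0.0.0/0" in vpn_nets or {"0.0.0.0/1", "128.0.0.0/1"} <= vpn_nets

def check_split_tunnel(route_text, vpn_iface="tun0", vpn_server="203.0.113.10"):
    """Return (status, findings): status is 'no-vpn', 'full' or 'split'. Route metrics are not modelled."""
    routes = parse_routes(route_text)
    if not any(dev == vpn_iface for _, dev, _ in routes):
        return "no-vpn", []
    findings = []
    if not vpn_owns_default(routes, vpn_iface):
        findings.append("default route does not use " + vpn_iface)
    server = ipaddress.ip_network(vpn_server + "/32")
    for net, dev, on_link in routes:
        # Expected non-VPN routes: the attached LAN, the host route to the VPN server, and the
        # physical default route (harmless only when the /1 pair overrides it, checked above).
        if dev == vpn_iface or on_link or net == server or net.prefixlen == 0:
            continue
        findings.append(f"{net} bypasses {vpn_iface} via {dev}")
    return ("split" if findings else "full"), findings
```

Any finding other than an empty list is the evidence a NAC or endpoint agent would use to quarantine the device; the same logic generalizes to any exception route a user or vendor client adds around the tunnel.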
Evidence & Assessment Notes
Expected Evidence
Organizations should maintain documentation and evidence demonstrating compliance with this control. This may include policy documentation, configuration records, audit logs, access reviews, and other relevant artifacts that show how the control is implemented and maintained.
Plan of Action & Milestones (POA&M)
- If split tunneling is currently allowed, create a POA&M with a milestone to disable it in the VPN configuration within 30-60 days.
- If VPN client settings can be modified by users, create a POA&M to implement technical controls (GPO, MDM) to prevent modification within 60-90 days.
- If no detection mechanism exists for split tunneling, create a POA&M to implement a NAC or monitoring solution within 90-120 days.
- If BYOD devices are not controlled, create a POA&M to implement MDM or restrict BYOD access until controls are in place, within 60-90 days.
- If legacy VPN clients don't support split tunneling prevention, create a POA&M to upgrade or replace them within 90-180 days.
- For each POA&M, document compensating controls such as enhanced monitoring, restricted access scope, or additional user training.
- Ensure the POA&M includes specific technical milestones, not just policy updates.
- Consider a phased approach: disable split tunneling for high-risk users first, then expand to all users.
- Document the business impact if split tunneling prevention breaks legitimate use cases, and identify alternative solutions.
Frequently Asked Questions
What exactly is split tunneling and why is it a security risk?
Split tunneling occurs when a remote device is connected to the organization's network via VPN while simultaneously maintaining a direct internet connection. This creates two network paths: one through the secure VPN tunnel and one directly to the internet. The security risk is that malware or attackers on the internet can use the direct connection to compromise the device, then pivot through the VPN tunnel to access organizational systems and CUI. Split tunneling also allows data to be exfiltrated directly to the internet, bypassing organizational monitoring and data loss prevention controls.
Does this control mean remote workers can never access local resources like printers?
Correct - when connected to the organizational VPN, all traffic must go through the VPN tunnel, which typically prevents access to local resources like home printers or local file shares. Organizations can address this by providing alternative solutions such as cloud printing services, virtual desktop infrastructure (VDI) where printing is handled server-side, or requiring users to disconnect from VPN when they need to access local resources (though this means they cannot access organizational systems during that time). The security requirement takes precedence over convenience.
How do we handle employees who work from home and need to access both company systems and personal internet services?
Employees can access both company systems and personal internet services, but not simultaneously through split tunneling. All internet traffic must route through the VPN tunnel when connected to organizational systems. This means personal internet browsing, streaming, and other activities will go through the organization's internet connection and security controls. Alternatively, employees can disconnect from the VPN to access personal services, then reconnect when they need to access company systems. Some organizations implement virtual desktop infrastructure (VDI) to separate work and personal activities.
What if our VPN performance is poor and users complain that forcing all traffic through the VPN is too slow?
Poor VPN performance is not a valid justification for allowing split tunneling under CMMC. Organizations must address performance issues through technical solutions such as upgrading VPN infrastructure capacity, implementing VPN optimization technologies, using regional VPN gateways closer to remote users, or adopting modern solutions like SD-WAN or zero trust network access (ZTNA) that provide better performance while maintaining security. A POA&M may be appropriate while infrastructure upgrades are in progress, but must include compensating controls and a clear timeline for resolution.
Do we need to prevent split tunneling if we use a zero trust architecture instead of traditional VPN?
Zero trust network access (ZTNA) architectures inherently prevent split tunneling because they don't create a traditional network tunnel. Instead, users authenticate to individual applications through identity-aware proxies, and each connection is independently secured and inspected. If your organization has fully implemented ZTNA with no traditional VPN, you meet the intent of this control through a different technical approach. However, you must document your architecture and demonstrate that users cannot establish unauthorized external connections while accessing organizational systems. Many organizations have hybrid environments with both VPN and ZTNA, and must prevent split tunneling in the VPN components.
How is this control verified during a CMMC assessment?
Assessors will request VPN configuration files and settings to verify split tunneling is disabled. They will ask to see sample remote devices and observe the VPN client configuration, attempting to verify that users cannot enable split tunneling. Assessors may request logs showing the organization detects split tunneling attempts, and will ask how connections are blocked when split tunneling is detected. They will also verify that technical controls (not just policy) prevent users from modifying VPN settings. For organizations using alternative approaches like ZTNA, assessors will review architecture documentation and verify that the implementation prevents unauthorized simultaneous connections.
How ConformatIQ Helps With CMMC Readiness
ConformatIQ is an AI-assisted CMMC readiness platform designed to help organizations prepare for assessments more efficiently. The platform supports document generation such as SSPs and POA&Ms, guided readiness workflows, centralized evidence tracking, and interview preparation for assessments.
Information sourced from NIST SP 800-171 Rev. 2.