CMMC Requirement SC.L2-3.13.7 – Split Tunneling: Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks (i.e., split tunneling).
This document provides assessment guidance for conducting Cybersecurity Maturity Model Certification (CMMC) assessments for Level 2. This document offers extensive guidance on remote access risk including split tunneling scenarios. A focused advisory on VPN use and configuration best practices, which directly supports the split tunneling control. This NIST special publication provides information on security considerations for several types of remote access solutions. This NIST Special Publication offers recommendations for designing, configuring, and managing IPSec VPN solutions. In this “As the CMMC Churns” they take a look at the keywords (e.g., remote devices, simultaneous, non-remote connections, et al) and describe how the requirement, when implemented operates as intended.
Split tunneling might be desirable by remote users to communicate with local system resources such as printers or file servers. However, split tunneling allows unauthorized external connections, making the system more vulnerable to attack and to exfiltration of organizational information. This requirement is implemented in remote devices (e.g., notebook computers, smart phones, and tablets) through configuration settings to disable split tunneling in those devices, and by preventing configuration settings from being readily configurable by users. This requirement is implemented in the system by the detection of split tunneling (or of configuration settings that allow split tunneling) in the remote device, and by prohibiting the connection if the remote device is using split tunneling.
Further Discussion
Split tunneling for a remote user utilizes two connections: accessing resources on the internal network via a VPN and simultaneously accessing an external network such as a public network or the internet.
Split tunneling presents a potential opportunity where an open unencrypted connection from a public network could allow an adversary to access resources on internal network. As a mitigation strategy, the split tunneling setting should be disabled on all devices so that all traffic, including traffic for external networks or the internet, goes through the VPN.