SC.L2-3.13.7  

Reference: CMMC 2.11

Family: SC

Level Introduced: 2

Title: Split Tunneling

Practice:
Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks (i.e., split tunneling).

CMMC Clarification:
Split tunneling for a remote user utilizes two connections: accessing resources on the organization's network via a VPN and simultaneously accessing an external network such as the public network or the Internet. Split tunneling introduces a vulnerability where an open unencrypted connection from the public network could allow an adversary to access resources on the network. As a mitigation strategy, the split tunneling setting should be disabled on all devices so that all traffic, including traffic for external networks or the Internet, goes through the organization's VPN.

Example
You are an IT administrator at your organization responsible for configuring the network to disallow remote users from using split tunneling. You perform a review of the configuration of remote user laptops. You discover that remote users are able to access files, email, database and other services through the organization's VPN connection. At the same time, remote users are able to access resources on the Internet through their connection to the Internet. You change the hardening procedures for the company's laptops to include changing the configuration setting to disable split tunneling. You test a laptop that has had the new hardening procedures applied and verify that all traffic from the laptop is now routed through the VPN connection.

Source: CMMC v2.0