Requirement
NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - SC.L2-3.13.7 – Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks (i.e., split tunneling).
Understanding the Requirement
This control requires preventing remote endpoints that connect to your corporate network (for example via a VPN) from also using an alternate path to the public internet or local networks at the same time — a behavior known as split tunneling. A secure configuration enforces a full-tunnel VPN or equivalent routing so that remote device traffic to external resources is controlled and inspected by organizational defenses. Meeting this objective reduces the risk that an attacker on a remote device can access the corporate network while also using an uncontrolled external connection (NIST SP 800-171 REV.2 / CMMC 2.0 Level 2).
Technical Implementation
- Inventory VPN and remote-access technology: Identify every VPN appliance, cloud VPN gateway, and client software in use. Document vendor, firmware/version, and whether the product supports split-tunnel controls and centralized client configuration.
- Disable split tunneling at the gateway and client profile: In the VPN gateway (appliance, cloud VPN, or SASE policy), turn off split tunneling and configure "force all traffic through VPN" or equivalent. Lock the client configuration profile so users cannot enable local LAN access or add exclusions.
- Enforce client configurations via endpoint management: Use your MDM/endpoint management tool to push VPN profiles and prevent users from altering routing settings. For Windows/macOS/Linux, configure the client to add a 0.0.0.0/0 default route via the VPN interface and disable local network access options where the client supports it.
- Network and host-based controls: Implement firewall and NAC rules that require devices to use the corporate gateway for internet-bound traffic when the VPN is active. On endpoints, use host firewall rules or scripts to block non-VPN egress while the VPN session exists. For cloud-based work, use a secure web gateway or proxy to ensure traffic is inspected.
- Monitoring, detection, and logging: Generate and collect logs showing VPN session parameters and routing changes. Create alerts for devices that establish simultaneous local and VPN connections or show external connections that bypass corporate proxies. Periodically audit VPN client configurations and run network scans to detect split-tunnel routing.
- Policy, roles, and exception process: Define a written policy that prohibits split tunneling except for approved, documented exceptions. Assign responsibility to system/network administrators and employees with information security responsibilities to review exceptions, apply compensating controls, and re-evaluate periodically.
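The routing check behind the "0.0.0.0/0 via the VPN interface" setting and the periodic client audit above can be scripted. The following is an added example written for this page, not code from any VPN vendor or from NIST. It parses the text of Linux `ip route` and `ip -6 route`, resolves a few probe destinations the way the kernel would (longest prefix, then lowest metric), and reports four kinds of finding: a public destination that leaves through a physical interface, an address family with no route at all, a local LAN that stays reachable beside the tunnel, and an explicit exclusion route. The interface name `tun0`, the concentrator address `203.0.113.5`, the probe addresses and both sample tables are constructed assumptions; the full-tunnel sample uses the two-halves (0.0.0.0/1 and 128.0.0.0/1) style that some clients install instead of replacing the default route, and the split sample includes the common IPv6 leak, where only IPv4 is sent through the tunnel.

```python
"""Audit a Linux host's routing table for split-tunnel exposure (added example)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# RFC 1918 and IPv6 ULA ranges: a route to one of these via a physical
# interface means the home LAN stays reachable beside the tunnel.
LAN_RANGES = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# Probe destinations: one in each IPv4 half (so a 0.0.0.0/1 + 128.0.0.0/1
# full tunnel is recognised) and one IPv6 address to catch an IPv6 leak.
# Documentation-range addresses stand in for arbitrary public hosts.
PROBES = ("8.8.8.8", "198.51.100.10", "2001:db8::1")


@dataclass
class Route:
    dst: ipaddress.IPv4Network | ipaddress.IPv6Network
    dev: str
    metric: int = 0


def parse_ip_route(text: str, family: int = 4) -> list[Route]:
    """Parse `ip route` (family=4) or `ip -6 route` (family=6) output."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dst = parts[0]
        if dst == "default":
            dst = "0.0.0.0/0" if family == 4 else "::/0"
        try:
            net = ipaddress.ip_network(dst, strict=False)
        except ValueError:
            continue  # "unreachable"/"blackhole" entries have no egress device
        kv = {parts[i]: parts[i + 1] for i in range(1, len(parts) - 1)
              if parts[i] in ("dev", "metric")}
        if "dev" in kv:
            routes.append(Route(net, kv["dev"], int(kv.get("metric", 0))))
    return routes


def lookup(routes: list[Route], addr: str) -> Route | None:
    """Longest-prefix match, lowest metric on ties: the route the kernel picks."""
    ip = ipaddress.ip_address(addr)
    cands = [r for r in routes if r.dst.version == ip.version and ip in r.dst]
    return max(cands, key=lambda r: (r.dst.prefixlen, -r.metric), default=None)


def is_lan(net) -> bool:
    return any(net.version == lan.version and net.subnet_of(lan) for lan in LAN_RANGES)


def audit_routes(routes, vpn_ifaces, vpn_gateways, probes=PROBES):
    """Return (kind, detail) findings; an empty list means a clean full tunnel."""
    findings = []
    for probe in probes:
        r = lookup(routes, probe)
        if r is None:
            findings.append(("no-route", f"{probe}: unroutable (acceptable only if that family is disabled)"))
        elif r.dev not in vpn_ifaces:
            findings.append(("default-leak", f"{probe} leaves via {r.dev} ({r.dst}), bypassing the tunnel"))
    for r in routes:
        if r.dev in vpn_ifaces or r.dst.is_loopback or r.dst.is_link_local:
            continue
        if r.dst.prefixlen == 0:
            continue  # the physical default route is judged by the probes above
        if r.dst.prefixlen == r.dst.max_prefixlen and str(r.dst.network_address) in vpn_gateways:
            continue  # host route to the concentrator itself, needed to build the tunnel
        if is_lan(r.dst):
            findings.append(("lan-reachable", f"{r.dst} via {r.dev}: local LAN access, block with the host firewall"))
        else:
            findings.append(("exclusion", f"{r.dst} via {r.dev}: split-tunnel exclusion route"))
    return findings


def audit_host(v4_text, v6_text, vpn_ifaces, vpn_gateways):
    routes = parse_ip_route(v4_text, 4) + parse_ip_route(v6_text, 6)
    return audit_routes(routes, set(vpn_ifaces), set(vpn_gateways))


# Constructed sample tables (not captured from a real host).
SPLIT_V4 = """default via 10.8.0.1 dev tun0 metric 50
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.0.2.0/24 via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.23
203.0.113.5 via 192.168.1.1 dev eth0
"""
SPLIT_V6 = """default via fe80::1 dev eth0 proto ra metric 100
fe80::/64 dev eth0 proto kernel metric 256
"""
FULL_V4 = """default via 192.168.1.1 dev eth0 proto dhcp metric 100
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.23
203.0.113.5 via 192.168.1.1 dev eth0
"""
FULL_V6 = """default dev tun0 metric 1024
fe80::/64 dev eth0 proto kernel metric 256
fe80::/64 dev tun0 proto kernel metric 256
"""

if __name__ == "__main__":
    for kind, detail in audit_host(SPLIT_V4, SPLIT_V6, ["tun0"], ["203.0.113.5"]):
        print(kind, detail)
```

Run against the split sample it reports the IPv6 leak, the exclusion route and the reachable home LAN; against the full-tunnel sample only the home LAN remains, which is why the control text pairs the routing change with host firewall rules rather than relying on routes alone. On a real host, feed it `subprocess.check_output(["ip", "route"])` and `["ip", "-6", "route"]`, and adapt the parser for the `route print` or `netstat -rn` formats on Windows and macOS.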
Example in a Small or Medium Business
Acme Engineering is a 75-person SMB that relies on a cloud-hosted file server and a small VPN concentrator for remote access. The IT manager inventories their remote access tools and finds the VPN client has a "local LAN access" option that was enabled by default. IT disables split tunneling on the concentrator and updates the VPN client profile through the company MDM, forcing all traffic through the corporate tunnel and disabling users' ability to toggle the setting. A field engineer who previously printed to a home printer while connected to the VPN can no longer reach the printer — but can still access internal file shares and corporate applications. IT updates the remote-access policy, communicates the change to staff, and documents a formal exception process for contractors who need split tunneling for a specific, time-limited task; any exception requires additional controls such as host-based EDR, stricter firewall rules, and daily monitoring. IT also adds an alert in the SIEM to flag any endpoint that has both a VPN session and local internet traffic to review for misconfiguration or compromise. Quarterly checks confirm the client profiles remain locked and no unapproved split-tunnel sessions appear in logs.
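The SIEM alert in the Acme example correlates two feeds: VPN session events and a record of where the endpoint's other traffic actually came from. The following is an added example, not Acme's or any SIEM vendor's rule. It assumes (as constructed inputs) that the VPN concentrator emits `session_start`/`session_end` events keyed by a device ID, that a cloud application's access log records each client's public source IP, and that under a full tunnel every such access during a session must arrive from the corporate egress address, here the assumed `203.0.113.10`. An access from any other address while the device has an open session is the "VPN session plus local internet traffic" condition the example flags; devices with a documented exception are passed in so approved cases do not alert.

```python
"""Flag SaaS access that leaves the endpoint outside the tunnel during a VPN session (added example)."""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import datetime

CORPORATE_EGRESS = {"203.0.113.10"}  # assumption: public address(es) the tunnel exits from

# Constructed VPN concentrator events (JSON lines); LT-0077 never disconnects.
VPN_LOG = """\
{"ts": "2024-03-04T08:00:00Z", "event": "session_start", "device": "LT-0042", "user": "jdoe"}
{"ts": "2024-03-04T08:05:00Z", "event": "session_start", "device": "LT-0077", "user": "asmith"}
{"ts": "2024-03-04T12:00:00Z", "event": "session_end", "device": "LT-0042", "user": "jdoe"}
"""

# Constructed SaaS access log: LT-0042 has one direct access during its session
# (09:12) and one after it ended (13:00); LT-0077 has one direct access at 10:30.
SAAS_LOG = """\
{"ts": "2024-03-04T09:10:00Z", "device": "LT-0042", "user": "jdoe", "src_ip": "203.0.113.10"}
{"ts": "2024-03-04T09:12:00Z", "device": "LT-0042", "user": "jdoe", "src_ip": "198.51.100.7"}
{"ts": "2024-03-04T10:00:00Z", "device": "LT-0077", "user": "asmith", "src_ip": "203.0.113.10"}
{"ts": "2024-03-04T10:30:00Z", "device": "LT-0077", "user": "asmith", "src_ip": "192.0.2.44"}
{"ts": "2024-03-04T13:00:00Z", "device": "LT-0042", "user": "jdoe", "src_ip": "198.51.100.7"}
"""


@dataclass
class Session:
    device: str
    user: str
    start: datetime
    end: datetime | None = None  # None: still connected when the log was read


def parse_ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def build_sessions(vpn_lines: str) -> list[Session]:
    """Pair start/end events per device; unmatched starts are open sessions."""
    open_sessions: dict[str, Session] = {}
    closed: list[Session] = []
    for line in vpn_lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ts = parse_ts(ev["ts"])
        if ev["event"] == "session_start":
            open_sessions[ev["device"]] = Session(ev["device"], ev["user"], ts)
        elif ev["event"] == "session_end":
            sess = open_sessions.pop(ev["device"], None)
            if sess is not None:
                sess.end = ts
                closed.append(sess)
    return closed + list(open_sessions.values())


def in_session(sessions, device: str, ts: datetime) -> Session | None:
    for s in sessions:
        if s.device == device and s.start <= ts and (s.end is None or ts <= s.end):
            return s
    return None


def detect_bypass(vpn_lines, saas_lines, egress=CORPORATE_EGRESS, exceptions=frozenset()):
    """Return alerts for accesses that bypass the tunnel while a VPN session is active.

    `exceptions` holds device IDs with a documented split-tunnel exception; they
    are skipped so approved, compensated cases do not page the analyst.
    """
    sessions = build_sessions(vpn_lines)
    alerts = []
    for line in saas_lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev["src_ip"] in egress or ev["device"] in exceptions:
            continue
        sess = in_session(sessions, ev["device"], parse_ts(ev["ts"]))
        if sess is not None:
            alerts.append({"device": ev["device"], "user": ev["user"], "src_ip": ev["src_ip"],
                           "ts": ev["ts"], "session_start": sess.start.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_bypass(VPN_LOG, SAAS_LOG):
        print(alert)
```

The same join works with any feed that carries the endpoint's real source address (EDR network-connection telemetry, a SaaS sign-in log, the home router's flow records where available); the access after LT-0042's session ends is deliberately not alerted, since the control only concerns traffic that coexists with the corporate connection. Each alert is a candidate for the misconfiguration-or-compromise review the example describes, and the exception list should be generated from the documented exception register rather than maintained by hand.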
Summary
Disabling split tunneling and enforcing full-tunnel routing through a combination of VPN gateway configuration, endpoint management, network/firewall policies, logging, and a clear policy with an exception workflow meets the control's objective by ensuring remote devices cannot simultaneously access corporate systems and an uncontrolled external network path. For SMBs, the most practical path is to inventory remote-access tools, push locked VPN profiles via MDM, apply network-level enforcement, and monitor for deviations — with system/network administrators and security staff owning the process and periodic reviews to maintain compliance.