3.13.7 — Block Split Tunneling

Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks (i.e., split tunneling).

When a user connects via VPN, all their traffic must go through the tunnel — web browsing, cloud apps, everything. No split tunneling where corporate traffic goes through the VPN but internet traffic goes direct.

Why this matters: With split tunneling, a user’s machine has two simultaneous paths — one to your corporate network and one direct to the internet. An attacker on the internet can compromise the machine through the direct path and then pivot to your corporate network through the VPN tunnel. Or CUI data can leak through the uncontrolled direct path.

The performance argument: Many organizations enable split tunneling because routing all internet traffic through VPN is slow. The counter: use a SASE/SSE solution (like Zscaler or Microsoft Entra Private Access) that provides security controls on all traffic without the performance penalty of backhauling through a VPN concentrator.

Cloud services: If M365 traffic is configured to bypass the VPN for performance, that’s split tunneling. The assessor will check. You either tunnel it or ensure equivalent controls (Conditional Access with device compliance) are in place for the bypassed traffic.


Your assessor needs a “yes” to every row:

| # | Question | What “yes” looks like |
|---|---|---|
| 1 | Is split tunneling prevented on remote devices? | VPN configured for full tunnel — all traffic goes through the tunnel |
| 2 | Are simultaneous remote and non-remote connections prevented? | No direct internet path while connected to corporate VPN |

Documents they’ll review: System and communications protection policy; system security plan; system design documentation; VPN configuration settings; system configuration settings

People they’ll talk to: System or network administrators; personnel with information security responsibilities

Live demos they’ll ask for: VPN configuration; attempt to access internet directly while connected to VPN
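The live demo above (“attempt to access internet directly while connected to VPN”) and the full-tunnel requirement explained earlier can be turned into a repeatable evidence check. The following is an added example written for this page, not code from the page, from CMMC, or from any VPN vendor: it parses the output of `ip route show` captured on a Linux VPN client and reports every address range that would leave the device on an interface other than the tunnel. Assumptions, all constructed for the example: the tunnel interface is `tun0`; the only permitted bypasses are the local LAN (needed to reach the default gateway) and a host route to the VPN server itself; the two route tables are samples, one in the OpenVPN-style “redirect-gateway” full-tunnel shape (two /1 routes override the physical default route) and one split tunnel that only sends 172.16.0.0/12 through the VPN.

```python
"""Audit a remote device's routing table for split tunneling.

Added example, not from the page or any vendor tool: parses `ip route show`
(IPv4) output from a Linux VPN client and reports every address range that
would egress on an interface other than the VPN tunnel. Interface names,
exemptions and the sample tables below are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    dev: str


def parse_ip_route(text):
    """Parse `ip route show` lines into Route objects (IPv4 only)."""
    routes = []
    for line in text.strip().splitlines():
        tok = line.split()
        if "dev" not in tok:
            continue  # blackhole/unreachable entries carry no device; skip
        prefix = "0.0.0.0/0" if tok[0] == "default" else tok[0]
        routes.append(Route(ipaddress.ip_network(prefix, strict=False),
                            tok[tok.index("dev") + 1]))
    return routes


def egress_for(routes, address):
    """Interface the kernel would pick for one address (longest prefix wins)."""
    addr = ipaddress.ip_address(address)
    best = max((r for r in routes if addr in r.prefix),
               key=lambda r: r.prefix.prefixlen, default=None)
    return best.dev if best else None


def effective_space(route, routes):
    """Parts of route.prefix that are not shadowed by a more specific route."""
    remaining = [route.prefix]
    for other in routes:
        o = other.prefix
        if o.prefixlen <= route.prefix.prefixlen or not o.subnet_of(route.prefix):
            continue
        nxt = []
        for piece in remaining:
            if o.subnet_of(piece):
                nxt.extend(piece.address_exclude(o))  # carve the hole out
            elif not piece.subnet_of(o):
                nxt.append(piece)  # disjoint: untouched (inside o: dropped)
        remaining = nxt
    return remaining


def audit_split_tunnel(route_text, tunnel_ifaces, exempt=()):
    """Return (prefix, dev) pairs for address space egressing outside the tunnel.

    `exempt` lists the only bypasses a full-tunnel client needs: the local LAN
    (to reach the gateway) and a host route to the VPN server itself. Anything
    else, including a cloud-service bypass, is reported as a finding.
    """
    routes = parse_ip_route(route_text)
    exempt_nets = [ipaddress.ip_network(e) for e in exempt]
    findings = []
    for r in routes:
        if r.dev in tunnel_ifaces:
            continue
        for piece in effective_space(r, routes):
            if any(piece.subnet_of(e) for e in exempt_nets):
                continue
            findings.append((str(piece), r.dev))
    return sorted(findings)


def is_full_tunnel(route_text, tunnel_ifaces, exempt=()):
    return not audit_split_tunnel(route_text, tunnel_ifaces, exempt)


# Constructed `ip route show` captures (documentation address ranges).
FULL_TUNNEL = """\
default via 192.168.1.1 dev eth0 proto dhcp metric 100
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50 metric 100
203.0.113.10 via 192.168.1.1 dev eth0
"""

SPLIT_TUNNEL = """\
default via 192.168.1.1 dev eth0 proto dhcp metric 100
172.16.0.0/12 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50 metric 100
203.0.113.10 via 192.168.1.1 dev eth0
"""

TUNNEL_IFACES = {"tun0"}                              # assumed tunnel device
EXEMPT = ["192.168.1.0/24", "203.0.113.10/32"]        # local LAN + VPN server

if __name__ == "__main__":
    for name, table in (("full", FULL_TUNNEL), ("split", SPLIT_TUNNEL)):
        findings = audit_split_tunnel(table, TUNNEL_IFACES, EXEMPT)
        print(name, "PASS" if not findings else f"FAIL: {len(findings)} bypass ranges")
        for prefix, dev in findings[:5]:
            print("   ", prefix, "->", dev)
```

Run it on the endpoint during the assessment walkthrough and keep the output as evidence alongside the VPN configuration screenshot. It evaluates the whole address space rather than one probe destination, so a “performance” bypass for a cloud service shows up as a finding even when a test website happens to go through the tunnel; any such finding has to map to the compensating controls the text describes. Windows clients need the same check against `route print` or `Get-NetRoute`, and IPv6 needs a separate pass over `ip -6 route`, since an unaudited IPv6 default route is a bypass all by itself.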


These are the actual questions. Have answers ready.

  • “Is your VPN configured for full tunnel or split tunnel?”
  • “Show me the VPN configuration setting for split tunneling.”
  • “While connected to VPN, try accessing a public website — does it go through the tunnel?”
  • “Do any cloud services bypass the VPN? Which ones and what controls are in place?”
  • “How do you handle the performance impact of full tunneling?”

Split tunneling enabled for performance. Corporate traffic tunneled but internet goes direct. Most common failure mode.

M365 bypass. Microsoft recommends split tunneling for M365 performance but CMMC doesn’t allow it without equivalent controls.

SASE configured as split tunnel. Using Zscaler but only for corporate apps — personal browsing goes direct. All traffic must go through your controls.

VPN client allows user override. User can toggle split tunneling on/off. Lock the VPN configuration so users can’t change it.



| Requirement | Why it matters here |
|---|---|
| 3.1.12 — Eyes on Remote Access | Remote access monitoring depends on all traffic being visible |
| 3.1.13 — Encrypt Remote Sessions | The encrypted tunnel that this control keeps intact |
| 3.13.8 — Encrypt in Transit | All CUI in transit must be encrypted — split tunneling can expose unencrypted paths |

Step-by-step setup for Microsoft 365 / Entra ID, AWS, Azure, and GCP — console steps, CLI commands, and evidence screenshots.


CMMC Practice ID: SC.L2-3.13.7 | SPRS Weight: 1 point | POA&M Eligible: Yes