SC.L2-3.13.7 Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks (i.e., split tunneling).

What this control requires

Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks (i.e., split tunneling).

Source: CMMC L2 v2.13 SC.L2-3.13.7 / NIST SP 800-171 R2 3.13.7 (official control text).

Why this matters

When a remote worker connects to organizational systems over a VPN, split tunneling lets the device route only traffic destined for organizational address ranges through the tunnel while everything else goes straight out to the internet over the local network. That gives the device a foot in both networks at once: an attacker who compromises it over the direct internet path (a phishing download, a malicious site, a hostile hotspot) can pivot through the live VPN session into the protected network. The same dual path serves exfiltration: malware can copy sensitive files from organizational systems over the tunnel and send them out the direct path, where the organization's proxies, logging and data-loss controls never see them. Forcing all traffic through the tunnel (a full tunnel) keeps the device behind organizational boundary controls for the whole session, so it cannot act as an unmonitored bridge between trusted and untrusted networks. Two caveats worth checking before an assessor does: the full-tunnel setting only counts if the client enforces it (a client that falls back to the local gateway when the tunnel drops, or a user who can add their own routes, reopens the split), and IPv6 has to be tunneled or blocked as well, since a client that routes only 0.0.0.0/0 through the VPN still sends IPv6 traffic directly.
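The following is an added example, not code from this page or from FORCE: a static check that reads a WireGuard-style client configuration and works out which destinations would bypass the tunnel. It assumes the WireGuard `AllowedIPs` syntax (the prefixes a peer is allowed to route), and the two configurations embedded in it are constructed samples with placeholder keys, not real deployments. The same logic applies to any client whose split-tunnel policy is expressed as a list of routed prefixes.

```python
"""Static check of a WireGuard client config for split tunneling.

Added example for this page, not FORCE's code or any vendor's tooling. It
parses the AllowedIPs entries of every [Peer] section and works out which
destinations are NOT routed into the tunnel; a full-tunnel config leaves
nothing uncovered for either IPv4 or IPv6. The two configs below are
constructed samples; keys are redacted placeholders, not real material.
"""
import ipaddress
import re

# Constructed sample: split tunnel. Only corporate ranges go through the VPN;
# anything else (web browsing, cloud storage, an attacker's C2) uses the local gateway.
SPLIT_TUNNEL_CONF = """
[Interface]
PrivateKey = <redacted>
Address = 10.10.0.2/32

[Peer]
PublicKey = <redacted>
Endpoint = vpn.example.com:51820
AllowedIPs = 10.0.0.0/8, 172.16.0.0/12
"""

# Constructed sample: full tunnel. Both default routes point into the VPN, so
# every destination, v4 and v6, traverses organizational controls.
FULL_TUNNEL_CONF = """
[Interface]
PrivateKey = <redacted>
Address = 10.10.0.2/32, fd00:10::2/128

[Peer]
PublicKey = <redacted>
Endpoint = vpn.example.com:51820
AllowedIPs = 0.0.0.0/0, ::/0
"""

ALLOWED_IPS_RE = re.compile(r"^\s*AllowedIPs\s*=\s*(.+?)\s*$", re.MULTILINE)


def allowed_ips(conf: str) -> list:
    """Every prefix listed on any AllowedIPs line (a config may have several peers)."""
    nets = []
    for match in ALLOWED_IPS_RE.finditer(conf):
        for item in match.group(1).split(","):
            item = item.strip()
            if item:
                nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def uncovered(conf: str, version: int) -> list:
    """Address ranges of the given IP version that bypass the tunnel.

    Start from the whole address space and carve out each tunneled prefix.
    Two prefixes of the same family either nest or are disjoint, so an
    overlapping prefix is either dropped whole or split with address_exclude().
    """
    whole = ipaddress.ip_network("0.0.0.0/0" if version == 4 else "::/0")
    remaining = [whole]
    for net in (n for n in allowed_ips(conf) if n.version == version):
        carved = []
        for block in remaining:
            if not block.overlaps(net):
                carved.append(block)  # untouched by this prefix
            elif net.subnet_of(block):
                carved.extend(block.address_exclude(net))  # punch a hole in the block
            # else: the block lies entirely inside net, so it is fully tunneled; drop it
        remaining = carved
    return list(ipaddress.collapse_addresses(remaining))


def is_full_tunnel(conf: str) -> bool:
    """True only when neither IPv4 nor IPv6 has any route that bypasses the VPN.
    Tunneling 0.0.0.0/0 alone still leaves an IPv6 split tunnel, a common oversight."""
    return not uncovered(conf, 4) and not uncovered(conf, 6)


def bypasses_tunnel(conf: str, destination: str) -> bool:
    """Would traffic to this destination leave the host outside the VPN?"""
    addr = ipaddress.ip_address(destination)
    return any(addr in block for block in uncovered(conf, addr.version))


if __name__ == "__main__":
    for name, conf in (("split", SPLIT_TUNNEL_CONF), ("full", FULL_TUNNEL_CONF)):
        verdict = "full tunnel" if is_full_tunnel(conf) else "SPLIT TUNNEL"
        print(f"{name}: {verdict}")
        for v in (4, 6):
            gaps = uncovered(conf, v)
            if gaps:
                shown = ", ".join(str(g) for g in gaps[:4])
                print(f"  IPv{v} bypassing VPN: {shown}" + (" ..." if len(gaps) > 4 else ""))
```

Run against an exported client config, the output is the kind of artifact an assessor can read: either "full tunnel" or the list of ranges that would leave the host directly. A config that lists only `0.0.0.0/0` is reported as split because IPv6 is still uncovered, which is exactly the leak the caveat above describes. This is a static check of the policy file; it does not prove the running client honours it, so pair it with a routing-table capture from the connected device (for example the default route and its interface) when collecting evidence.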

What evidence assessors expect

Assessors typically look for a screenshot or configuration export of the VPN gateway or client policy showing split tunneling disabled (all client traffic, including IPv6, routed through the tunnel), or a PDF of the policy that mandates it. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.

See your live posture on SC.L2-3.13.7.

FORCE shows where you stand on this control and walks you through closing it.