Split tunneling allows a remote worker to use a VPN while simultaneously surfing the open internet or connecting to other networks. This creates a security risk: an attacker on the internet could compromise the worker’s device over the non-VPN connection and then reach internal resources through the device’s VPN tunnel. SC.L2-3.13.7 requires disabling split tunneling. Related to SC.L2-3.13.1 (boundary protection) and AC.L2-3.1.1 (remote access control).
What the assessor is actually evaluating
The assessor will examine:
- VPN configuration: Your VPN client (or VPN appliance) should be configured to disable split tunneling. All traffic from the remote device must flow through the VPN tunnel.
- Documented policy: You should have a policy requiring that all remote access traffic goes through the VPN, with no exceptions.
- Enforcement: The assessor may ask remote workers or sample a VPN client configuration to verify split tunneling is disabled.
What a realistic SSP definition looks like
Policy: “The organization requires that all remote access to company networks occurs through a VPN tunnel. Split tunneling is disabled in the VPN client configuration. All remote devices must route all traffic through the VPN when connected.”
Supporting details:
- VPN solution: Cisco AnyConnect or equivalent.
- Configuration: VPN client is deployed via Group Policy with split tunneling explicitly disabled. Configuration is set to “Force tunnel all traffic.”
- Policy enforcement: Remote users are required to use the VPN client. Unauthorized VPN clients or configurations are not permitted.
- Verification: When a user connects via VPN, their device has no route to external networks except through the VPN tunnel.
How to present your evidence
- Remote access policy document: Describes the VPN requirement and split tunneling prohibition.
- VPN client configuration: Screenshots or configuration files showing split tunneling is disabled. Display the setting explicitly showing “all traffic routed through VPN” or similar.
- Group Policy screenshots: If VPN is deployed via Group Policy, show the policy settings enforcing the VPN configuration.
- Client deployment verification: Show that the VPN client is deployed to remote users with the correct configuration (e.g., a list of installed clients or deployment logs).
- Testing evidence: If possible, connect to the VPN and verify that only the VPN interface has connectivity. Show that direct internet access is blocked when VPN is active.
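The verification item above (and the “Verification” bullet in the SSP details) comes down to one question: does the device’s routing table send everything through the VPN adapter? The script below is an added example for this guide, not code from the page or from any VPN vendor. It assumes the Linux `ip route show` output format, a VPN adapter named tun0, and a VPN concentrator at 203.0.113.10 (both constructed values); the same two checks apply to a Windows `route print` table once parsed. It passes a full-tunnel table, accepts the 0.0.0.0/1 + 128.0.0.0/1 pair some clients install instead of a plain default route, tolerates the /32 host route to the concentrator that every tunnel needs, and reports a split-tunnel table with the specific leak paths.

```python
"""Audit a routing table for full-tunnel enforcement (no split tunneling).

Added example for this guide, not part of the page or any VPN vendor's
tooling. Assumes Linux `ip route show` output; the VPN adapter name and
the concentrator's public address are supplied by the caller.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    dev: str
    via: Optional[str]
    metric: int


def parse_ip_route(text: str) -> List[Route]:
    """Parse `ip route show` lines into Route records (IPv4 only)."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        prefix = ipaddress.ip_network(dst, strict=False)
        dev, via, metric = None, None, 0
        for i, tok in enumerate(fields):
            if tok == "dev":
                dev = fields[i + 1]
            elif tok == "via":
                via = fields[i + 1]
            elif tok == "metric":
                metric = int(fields[i + 1])
        if dev is not None:
            routes.append(Route(prefix, dev, via, metric))
    return routes


def vpn_owns_default(routes: List[Route], vpn_dev: str) -> bool:
    """True if the preferred default route leaves through the VPN adapter.

    Accepts either the lowest-metric 0.0.0.0/0 or the 0.0.0.0/1 + 128.0.0.0/1
    pair that some clients install to outrank the LAN's default route.
    """
    defaults = sorted((r for r in routes if r.prefix.prefixlen == 0),
                      key=lambda r: r.metric)
    if defaults and defaults[0].dev == vpn_dev:
        return True
    halves = {str(r.prefix) for r in routes
              if r.prefix.prefixlen == 1 and r.dev == vpn_dev}
    return halves == {"0.0.0.0/1", "128.0.0.0/1"}


def audit_full_tunnel(routes: List[Route], vpn_dev: str,
                      vpn_gateway: str) -> Tuple[bool, List[str]]:
    """Return (compliant, findings); each finding names one leak path."""
    findings = []
    if not vpn_owns_default(routes, vpn_dev):
        findings.append(f"preferred default route does not use {vpn_dev}")
    gateway_host = ipaddress.ip_network(vpn_gateway)  # /32 host route
    for r in routes:
        # Skip VPN routes, on-link subnets (no gateway), and the LAN default
        # route, which vpn_owns_default has already judged.
        if r.dev == vpn_dev or r.via is None or r.prefix.prefixlen == 0:
            continue
        if r.prefix == gateway_host:
            continue  # host route to the concentrator: required by the tunnel itself
        findings.append(f"non-VPN route to {r.prefix} via {r.dev}")
    return (not findings, findings)


# Constructed sample tables, not captured from a real host.
FULL_TUNNEL = """\
default via 10.200.0.1 dev tun0 metric 50
default via 192.168.1.1 dev eth0 metric 100
203.0.113.10 via 192.168.1.1 dev eth0
10.200.0.0/24 dev tun0 proto kernel scope link src 10.200.0.7
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20 metric 100
"""

SPLIT_TUNNEL = """\
default via 192.168.1.1 dev eth0 metric 100
10.0.0.0/8 via 10.200.0.1 dev tun0 metric 50
172.16.0.0/12 via 192.168.1.1 dev eth0 metric 100
203.0.113.10 via 192.168.1.1 dev eth0
10.200.0.0/24 dev tun0 proto kernel scope link src 10.200.0.7
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20 metric 100
"""

if __name__ == "__main__":
    for name, table in (("full tunnel", FULL_TUNNEL), ("split tunnel", SPLIT_TUNNEL)):
        ok, findings = audit_full_tunnel(parse_ip_route(table), "tun0", "203.0.113.10")
        print(f"{name}: {'PASS' if ok else 'FAIL'} {findings}")
```

Run it against a captured table from a connected laptop (`ip route show > routes.txt` and feed the file to `parse_ip_route`) and keep the PASS output with the capture as the testing evidence item. The on-link LAN subnet route is deliberately not flagged, because it is present whether or not split tunneling is enabled; what distinguishes a split tunnel is a default route or a gateway route that leaves through the physical adapter.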
Keep answers short. Show the evidence, don't describe it. Let the assessor drive. For more on how to present in the assessment room, see How to Present Evidence in the Assessment Room.
Assessor: “Describe your remote access setup. How do you handle VPN connections?”
You: “Remote users connect via VPN using Cisco AnyConnect. Split tunneling is disabled, so all traffic from the remote device goes through the VPN tunnel.” [Pull up the VPN policy and a screenshot of the client configuration showing split tunneling disabled]
Assessor: “Show me the VPN client configuration on a user’s machine.”
You: [Connect to a remote device or pull up a screenshot showing the VPN settings with split tunneling disabled]
Assessor: “What happens if someone tries to enable split tunneling?”
You: “The configuration is enforced via Group Policy and cannot be changed by the user. Even if they try to modify the client, the group policy settings override it.” [Show the Group Policy configuration]
Common failures
- Split tunneling is enabled: The VPN client configuration allows split tunneling. A remote user can access the VPN and simultaneously browse the public internet.
- No policy addressing remote access: There is no documented requirement that remote users use VPN or disable split tunneling.
- Outdated or non-compliant VPN client: Users are using an older version of the VPN client that does not support disabling split tunneling, or they are using an alternative VPN solution not approved by the organization.
What a compliant setup looks like
- Split tunneling disabled in client configuration: The VPN client configuration explicitly disables split tunneling and forces all traffic through the tunnel.
- Enforced via Group Policy: The configuration cannot be circumvented by users. Group Policy ensures the correct VPN configuration is applied.
Microsoft recommends split tunneling for Teams performance in GCC High and other cloud environments. Some assessors accept vendor guidance as justification for enabling it. Not all do. How you frame the business case matters. If you enable split tunneling, document the vendor recommendation, explain the performance trade-off, and show traffic monitoring to prevent data leakage through the non-VPN path.
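If you take the vendor-guidance route, the “traffic monitoring” you show the assessor should prove that only the approved destinations ever left the device outside the tunnel. The script below is an added example for this guide, not the page’s or any vendor’s code. It assumes one-line flow records (timestamp, egress interface, destination, port, protocol) of the kind an endpoint firewall or flow collector exports; the bypass allow-list is a constructed placeholder prefix standing in for the vendor-published Teams media ranges, which you would substitute from the vendor’s list, and 203.0.113.10 is a constructed concentrator address.

```python
"""Flag endpoint traffic that left the device outside the VPN tunnel.

Added example for this guide, not the page's or any vendor's code. Assumes
flow records of the form: timestamp, egress interface, destination, port,
protocol. The allow-list and concentrator address are constructed values.
"""
import ipaddress
from typing import Dict, List, Tuple

# Placeholder for destinations the documented business case permits outside
# the tunnel (e.g. vendor-published Teams media ranges). Constructed value.
BYPASS_ALLOWED = [ipaddress.ip_network("198.51.100.0/24")]
# The VPN concentrator itself is always reached over the physical interface.
VPN_CONCENTRATOR = ipaddress.ip_address("203.0.113.10")

# Constructed sample flows, not captured from a real host.
SAMPLE_FLOWS = """\
2024-05-01T09:00:01Z eth0 203.0.113.10 443 udp
2024-05-01T09:00:05Z tun0 10.1.2.3 445 tcp
2024-05-01T09:00:09Z eth0 198.51.100.25 3478 udp
2024-05-01T09:00:12Z eth0 192.0.2.77 443 tcp
2024-05-01T09:00:15Z eth0 192.0.2.77 443 tcp
"""


def leaked_flows(flow_text: str,
                 physical_dev: str = "eth0") -> List[Tuple[str, str, int, str]]:
    """Return flows that egressed the physical interface to a destination
    that is neither the concentrator nor on the bypass allow-list."""
    leaks = []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        ts, dev, dst, port, proto = line.split()
        if dev != physical_dev:
            continue  # tunnelled traffic is what we want to see
        dst_ip = ipaddress.ip_address(dst)
        if dst_ip == VPN_CONCENTRATOR or any(dst_ip in net for net in BYPASS_ALLOWED):
            continue  # the tunnel endpoint, or an approved bypass destination
        leaks.append((ts, dst, int(port), proto))
    return leaks


def leak_summary(flow_text: str) -> Dict[str, int]:
    """Count leaked flows per destination:port/proto for the monitoring report."""
    summary: Dict[str, int] = {}
    for _, dst, port, proto in leaked_flows(flow_text):
        key = f"{dst}:{port}/{proto}"
        summary[key] = summary.get(key, 0) + 1
    return summary


if __name__ == "__main__":
    for flow in leaked_flows(SAMPLE_FLOWS):
        print("LEAK", *flow)
    print(leak_summary(SAMPLE_FLOWS))
```

The point of the allow-list being explicit in code (or in the collector’s rule) is that it mirrors the exception you documented: anything flagged is, by construction, traffic the business case did not cover, which is exactly what an assessor who is sceptical of the vendor justification will want to see is empty.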
If you use an MSP/MSSP
If your MSP manages VPN or remote access, ensure the MSP is configuring VPN clients with split tunneling disabled. Request evidence that the setting is enforced. If remote users are supported by the MSP, verify they are also required to use the organization’s VPN configuration.
This guide is for reference only and does not replace official CMMC documentation or professional compliance advice.