Back to Control Explorer
SC.3.184
Content
Control Acronym
SC
Family
System And Communications Protection
CMMC Level
3
800-171 Control #
3.13.7
CMMC Description
Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks (i.e., split tunneling).
CMMC Clarification
Split tunneling for a remote user utilizes two connections: accessing resources on the organization’s network via a VPN and simultaneously accessing an external network such as the public network or the Internet. Split tunneling introduces a vulnerability where an open unencrypted connection from the public network could allow an adversary to access resources on the network. As a mitigation strategy, the split tunneling setting should be disabled on all devices so that all traffic, including traffic for external networks or the Internet, goes through the organization’s VPN. Example You are an IT administrator at your organization responsible for configuring the network to disallow remote users from using split tunneling. You perform a review of the configuration of remote user laptops. You discover that remote users are able to access files, email, database and other services through the organization’s VPN connection. At the same time, remote users are able to access resources on the Internet through their connection to the Internet. You change the hardening procedures for the company’s laptops to include changing the configuration setting to disable split tunneling. You test a laptop that has had the new hardening procedures applied and verify that all traffic from the laptop is now routed through the VPN connection.
800-171 Description
Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks (i.e., split tunneling).
800-171 Discussion
Split tunneling might be desirable by remote users to communicate with local system resources such as printers or file servers. However, split tunneling allows unauthorized external connections, making the system more vulnerable to attack and to exfiltration of organizational information. This requirement is implemented in remote devices (e.g., notebook computers, smart phones, and tablets) through configuration settings to disable split tunneling in those devices, and by preventing configuration settings from being readily configurable by users. This requirement is implemented in the system by the detection of split tunneling (or of configuration settings that allow split tunneling) in the remote device, and by prohibiting the connection if the remote device is using split tunneling.
Other Source Discussion
N/A
CIS Control References
CIS Controls v7.1 12.12
NIST 800-53 Control Ref.
NIST SP 800-53 Rev 4 SC-7(7)
CMMC Derived
NIST CSF Control References
NIST 800-171 References
NIST SP 800-171 Rev 1 3.13.7
Applicable FAR Clause
NIST CSF Control Reference
NIST CSF v1.1 PR.AC-3
CERT RMM Reference
Modification of NIST 800-171B Reference
NIST 800-171B Reference
UK NCSCCyber Reference
AS ACSC Reference
Sub-Criterias
Assessment Sub-Criteria 1
SC.3.184.[a] remote devices are prevented from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks (i.e., split tunneling).