Control 3.13.7
Prevent Remote Devices from Split Tunneling
Official Requirement
Prevent remote devices from simultaneously establishing non-remote connections with the information system and communicating via some other connection to resources in external networks.
What This Means in Plain English
When a remote user connects to your network via VPN, their device should not simultaneously maintain connections to the internet that bypass your security controls. This prevents the remote device from being a bridge between untrusted networks and your internal systems.
How Petronella Implements This Control
Petronella Technology Group implements this control through:
- FortiGate VPN configured with full-tunnel mode routing all traffic through the corporate gateway
- Conditional Access policies blocking access when split tunnel is detected
- Sophos XDR monitoring for concurrent VPN and direct internet connections
- VPN client configuration preventing local network access while connected
- ComplianceArmor documenting the split-tunnel prohibition policy
Assessment Guidance
Assessors will verify VPN tunnel configuration (full tunnel vs. split tunnel), test that internet traffic routes through the corporate gateway while connected to VPN, check that split-tunnel detection is in place, and review VPN client configurations.
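The routing-table test described above can be scripted. The following is an added example written for this page, not Petronella's tooling or FortiGate's own output: it parses Linux `ip route` style output and decides whether internet-bound traffic would leave via the VPN adapter (full tunnel) or via the physical adapter while the VPN is up (split tunnel). The VPN adapter name prefixes and the three sample routing tables are assumptions constructed for the example; no packets are sent.

```python
"""Classify a remote host's routing table as full-tunnel, split-tunnel or no-VPN.

Added example for the 3.13.7 assessment test; not the page's or any vendor's code.
Assumptions: VPN virtual adapters are named tun*/tap*/ppp*/wg*/fortissl*; the
sample routing tables are constructed and mimic `ip route` output on Linux.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed naming of VPN virtual adapters; adjust for the client actually deployed.
VPN_IFACE_PREFIXES = ("tun", "tap", "ppp", "wg", "fortissl")

# Public addresses used only for a longest-prefix lookup ("which interface would
# carry this?"); nothing is transmitted. Two are from the documentation ranges.
INTERNET_PROBES = ("1.1.1.1", "192.0.2.10", "198.51.100.7")


@dataclass
class Route:
    dest: ipaddress.IPv4Network
    via: Optional[str]
    dev: str
    metric: int


def is_vpn_iface(dev: str) -> bool:
    return dev.startswith(VPN_IFACE_PREFIXES)


def parse_ip_route(text: str) -> List[Route]:
    """Parse `ip route` lines; 'default' becomes 0.0.0.0/0, bare hosts become /32."""
    routes = []
    for line in text.strip().splitlines():
        parts = line.split()
        if not parts:
            continue
        dest = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        if "/" not in dest:
            dest += "/32"
        route = Route(ipaddress.ip_network(dest, strict=False), None, "", 0)
        # Keywords are followed by their value: via <gw>, dev <if>, metric <n>.
        for key, val in zip(parts[1:], parts[2:]):
            if key == "via":
                route.via = val
            elif key == "dev":
                route.dev = val
            elif key == "metric":
                route.metric = int(val)
        routes.append(route)
    return routes


def select_route(routes: List[Route], addr: str) -> Optional[Route]:
    """Longest-prefix match, lowest metric wins ties (what the kernel would pick)."""
    ip = ipaddress.ip_address(addr)
    candidates = [r for r in routes if ip in r.dest]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.dest.prefixlen, -r.metric))


def classify(route_text: str, probes=INTERNET_PROBES) -> Tuple[str, List[str]]:
    """Return (verdict, leaking_probes).

    full-tunnel : VPN adapter up and every internet probe routes through it
                  (covers OpenVPN-style 0.0.0.0/1 + 128.0.0.0/1 overrides as well
                  as a replaced default route)
    split-tunnel: VPN adapter up but at least one probe exits a non-VPN adapter
    no-vpn      : no VPN adapter present in the table
    """
    routes = parse_ip_route(route_text)
    if not any(is_vpn_iface(r.dev) for r in routes):
        return "no-vpn", []
    leaks = []
    for probe in probes:
        chosen = select_route(routes, probe)
        if chosen is None or not is_vpn_iface(chosen.dev):
            leaks.append(probe)
    return ("full-tunnel" if not leaks else "split-tunnel"), leaks


# Constructed sample tables. 203.0.113.5 stands in for the VPN gateway; its /32
# host route via the physical adapter is expected and is not a leak.
FULL_TUNNEL = """
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
203.0.113.5 via 192.168.1.1 dev wlan0
"""
SPLIT_TUNNEL = """
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
172.16.0.0/12 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
203.0.113.5 via 192.168.1.1 dev wlan0
"""
NO_VPN = """
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
"""

if __name__ == "__main__":
    for name, table in (("full", FULL_TUNNEL), ("split", SPLIT_TUNNEL), ("none", NO_VPN)):
        verdict, leaks = classify(table)
        print(f"{name:5} -> {verdict}" + (f" (leaking: {', '.join(leaks)})" if leaks else ""))
```

On a live endpoint, feed the output of `ip route` to `classify()`; a `split-tunnel` verdict while the VPN adapter is up is the condition the control forbids, and the `leaks` list names the probe addresses that would bypass the corporate gateway. The same logic can be run periodically by an endpoint agent to supply the "concurrent VPN and direct internet" detection the page describes.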
Common Implementation Gaps
- Split tunnel VPN allowing direct internet access while connected
- VPN configuration allowing local network access
- No monitoring for concurrent VPN and direct internet connections
- Users bypassing VPN to access internet directly for performance
- No policy addressing split tunnel prohibition
Cross-Framework Mapping
| Framework | Mapped Controls |
|---|---|
| NIST SP 800-53 | SC-7(7) |
Need Help Implementing 3.13.7?
Our CMMC-RP certified team can assess your current compliance posture and build a remediation plan.