CMMC Practice SC.3.184

Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks (i.e., split tunneling).

Source

CMMC Version 1.02, pg. 257

Bold Coast Security Guidance

For Level 3 compliance in most organizations this will be a matter of two practices that control remote connection capabilities. For VPN, the common setting is to prohibit split-tunneling. For Active Directory Group Policy, remote printing, copy, and paste can be prohibited as well. Practice, policy and implementation plan must all be in place for this maturity level.

Discussion From Source

DRAFT NIST SP 800-171 R2 Split tunneling might be desirable by remote users to communicate with local system resources such as printers or file servers. However, split tunneling allows unauthorized external connections, making the system more vulnerable to attack and to exfiltration of organizational information. This requirement is implemented in remote devices (e.g., notebook computers, smart phones, and tablets) through configuration settings to disable split tunneling in those devices, and by preventing configuration settings from being readily configurable by users. This requirement is implemented in the system by the detection of split tunneling (or of configuration settings that allow split tunneling) in the remote device, and by prohibiting the connection if the remote device is using split tunneling.

References

  • NIST SP 800-171 Rev 1 3.13.7
  • CIS Controls v7.1 12.12
  • NIST CSF v1.1 PR.AC-3
  • NIST SP 800-53 Rev 4 SC-7(7)