GRCWatch
Sign inStart free trial

Split Tunneling Prevention: NIST 800-171 Control 3.13.7

Split tunneling—where remote devices connect to your network while simultaneously accessing external resources—creates a critical security gap. Control 3.13.7 requires you to block this practice to prevent unauthorized data exfiltration and maintain network perimeter integrity. This is non-negotiable for organizations handling controlled unclassified information (CUI).

What this means

Split tunneling occurs when a remote employee's device routes some traffic through your VPN while other traffic connects directly to the internet. This dual-path approach allows attackers or compromised devices to bypass your security controls, potentially exposing sensitive data or introducing malware. NIST 800-171 3.13.7 mandates that your remote access policies and technical controls prevent this behavior—ensuring all remote traffic flows through your security infrastructure where you can inspect, log, and protect it.

How to comply

  1. 1.Configure VPN clients to block all local network traffic when connected to your organization's network
  2. 2.Implement forced tunneling at the gateway level to route all remote device traffic through your security infrastructure
  3. 3.Deploy endpoint detection and response (EDR) tools to monitor for unauthorized local connections on remote devices
  4. 4.Establish remote access policies that explicitly prohibit split tunneling and include user acknowledgment requirements
  5. 5.Test split tunneling controls regularly through simulated remote access scenarios to verify enforcement
  6. 6.Document all split tunneling prevention measures and include them in your system security plan

Evidence auditors look for

  • VPN configuration files showing forced tunneling enabled and split tunneling disabled
  • Firewall rules blocking direct outbound connections from remote devices while connected to VPN
  • Endpoint security logs demonstrating blocked local network connection attempts during VPN sessions
  • Remote access policy documentation signed by users confirming acknowledgment of split tunneling prohibitions
  • EDR dashboards showing zero instances of simultaneous VPN and external connections over a review period
  • Penetration test reports confirming split tunneling prevention controls are functioning as designed

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automatically monitors your remote access configurations and flags devices attempting split tunneling in real-time, eliminating manual log reviews and giving you continuous 3.13.7 compliance visibility.

See how GRCWatch handles this control automatically

Start free trial

Related controls

3.13.1 — Organization-Defined Remote Access Allowed3.13.2 — Secure Remote Sessions3.13.3 — Remote Access Encryption3.13.4 — Remote Access Monitoring3.13.5 — Dual Authentication for Remote Access3.13.6 — Remote Access Resource Restrictions