Subscribe to the Non-Human & AI Identity Journal
Home FAQ Cyber Security How do security teams know whether split tunneling…
Cyber Security

How do security teams know whether split tunneling is still undermining CUI protection?

← Back to all FAQ
By NHI Mgmt Group Editorial Team Updated July 11, 2026 Domain: Cyber Security

They should test whether protected traffic can still reach the internet outside the enforced path while a compliant session remains active. If users can simultaneously access GCC High resources and bypass the approved routing model, the boundary is not behaving as the SSP claims. Full-tunnel validation and route testing are the evidence points that matter.

Why This Matters for Security Teams

Split tunneling is not inherently wrong, but it becomes a control problem when protected traffic can leave the approved security boundary while the same endpoint maintains access to CUI-bearing services. For teams handling CUI, the real issue is whether the documented routing model matches actual network behavior under normal user conditions, remote work pressure, and exception paths. A configuration that looks compliant on paper can still create a policy gap if the endpoint can reach the public internet outside the monitored path.

This matters because CUI protection depends on consistent enforcement, not just secure application access. If route selection, DNS resolution, or client behavior allows traffic to evade the expected inspection point, logging and DLP assumptions may no longer hold. That weakens evidence for boundary control, incident scoping, and compliance attestation. Current guidance from the NIST Cybersecurity Framework 2.0 reinforces that security outcomes depend on validated control implementation, not policy language alone. In practice, many security teams discover the split tunneling issue only after endpoint testing or audit review has already exposed a mismatch between the SSP and real network behavior.

How It Works in Practice

Security teams should treat split tunneling as a measurable routing and inspection question, not a desktop preference. The control objective is simple: when a device is in a trusted session, does all relevant traffic follow the approved path, or can some destinations bypass it? Validation should cover both the VPN or secure access client and the underlying host networking stack, because users, local networks, and endpoint tools can all influence the result.

A practical review usually includes:

  • Testing whether internet-bound traffic exits locally while CUI access remains active.
  • Verifying DNS requests, not just web traffic, to confirm where name resolution occurs.
  • Checking whether exceptions exist for video, update services, or collaboration tools that silently bypass inspection.
  • Comparing observed behavior with the SSP, routing policy, and remote access standard.
  • Confirming whether telemetry lands in the logging stack that the organisation relies on for detection and response.

For teams formalising this control, CISA Zero Trust Maturity Model is useful because it frames segmentation and traffic path control as an enforceable architecture decision rather than a convenience feature. Where split tunneling is permitted, best practice is evolving toward narrow, explicitly justified exceptions with strong monitoring. Where it is forbidden, validation should prove there is no alternate path for traffic associated with the protected session, including fallback behavior when the tunnel drops and reconnects. These controls tend to break down when remote endpoints sit on consumer networks with local DNS, overlapping routes, or client-managed exceptions because the traffic path no longer matches the security team’s assumed boundary.

Common Variations and Edge Cases

Tighter routing control often increases user friction and support overhead, requiring organisations to balance inspection depth against performance, resilience, and remote-work usability. That tradeoff becomes visible when collaboration platforms, software updates, or latency-sensitive applications are used alongside CUI workloads. In those cases, current guidance suggests documenting any exception with a clear business rationale, defined scope, and compensating monitoring, rather than assuming the exception is harmless.

There is also a real difference between split tunneling at the application level and split tunneling at the device level. A browser extension, per-app VPN rule, or SaaS connector can create a path that is not obvious from the network diagram. Endpoint posture checks, route tables, and packet-level verification may all be needed. For organisations mapping this into a formal program, the NIST Zero Trust Architecture model is helpful because it emphasises explicit policy enforcement and continuous verification. The key edge case is hybrid access: if a user can remain connected to CUI systems while simultaneously reaching public services outside the approved path, the boundary claim is weakened even if the tunnel itself is technically active.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the technical controls, while NIS2 define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-4Access pathways must enforce least privilege and approved connectivity.
NIST Zero Trust (SP 800-207)Zero Trust requires explicit policy enforcement for every traffic path.
NIS2NIS2 expects risk-based network security and operational control evidence.

Verify that remote access routes match the approved security boundary and restrict any bypass path.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org