CCE

CCE-50342-5

Platform: cpe:/o:apple:mac_os_14
Date: (C)2024-01-24 (M)2024-01-24



Full Disk Encryption (FDE) is a Data-at-Rest (DAR) solution. It ensures that data on the drive is fully encrypted when it is not in use, while still allowing it to be decrypted (unlocked) as needed. When a Mac sleeps, the encryption keys remain in memory, so the drive is encrypted but unlocked. Attacks exist that interact with the OS and the data on the unlocked drive. FileVault volumes should be locked when not in use to resist such attacks.

Rationale:
The purpose of DAR is to ensure data is encrypted while at rest. A volume that is always unlocked does not meet that purpose.

Impact:
After the FileVault key is destroyed, the laptop will require the user to log in to the OS with their username and password rather than Touch ID.

Audit:
Terminal Method: Run the following command to verify that FileVault keys are destroyed on standby or sleep:

$ /usr/bin/sudo /usr/sbin/system_profiler SPHardwareDataType | /usr/bin/grep -e MacBook

If there is output, run the following:

$ /usr/bin/sudo /usr/bin/pmset -b -g | /usr/bin/grep DestroyFVKeyOnStandby

Expected output:

DestroyFVKeyOnStandby 1

Remediation:
Run the following command to ensure FileVault keys are set to be destroyed on standby:

$ /usr/bin/sudo /usr/bin/pmset -a destroyfvkeyonstandby 1

NOTE: By default, FileVault keys are retained even when the system goes to standby. If the keys are destroyed, the user will be prompted to enter their password when the system comes out of standby.
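The audit above is a two-step decision (is this a MacBook, and does the battery profile carry DestroyFVKeyOnStandby 1). The following POSIX shell, added here and not part of the SecPod record or the benchmark text it quotes, applies that decision to captured command output so it runs offline; the hardware and pmset excerpts are constructed samples, and on a real Mac they would come from the two commands shown above.

```shell
# Added example: CCE-50342-5 audit logic over captured output. On macOS the
# two inputs would be the output of
#   /usr/bin/sudo /usr/sbin/system_profiler SPHardwareDataType
#   /usr/bin/sudo /usr/bin/pmset -b -g

# Constructed system_profiler excerpts: a laptop (in scope) and a desktop
# (no battery profile, so the check does not apply).
HW_LAPTOP='      Model Name: MacBook Pro
      Model Identifier: Mac14,9'
HW_DESKTOP='      Model Name: Mac mini
      Model Identifier: Mac14,3'

# Constructed "pmset -b -g" excerpts: compliant and non-compliant.
PMSET_OK='Battery Power:
 lidwake              1
 DestroyFVKeyOnStandby 1
 hibernatemode        3'
PMSET_BAD='Battery Power:
 lidwake              1
 DestroyFVKeyOnStandby 0
 hibernatemode        3'

# is_macbook HW_TEXT: succeeds when the hardware profile names a MacBook,
# mirroring the benchmark's "grep -e MacBook" scoping step.
is_macbook() {
    printf '%s\n' "$1" | grep -q -e MacBook
}

# fv_key_destroy_value PMSET_TEXT: prints the DestroyFVKeyOnStandby value
# from the battery profile, or "missing" when the key is absent.
fv_key_destroy_value() {
    val=$(printf '%s\n' "$1" | awk '$1 == "DestroyFVKeyOnStandby" { print $2; exit }')
    printf '%s\n' "${val:-missing}"
}

# audit_cce_50342_5 HW_TEXT PMSET_TEXT: prints not-applicable, pass or fail.
# Only the exact value 1 passes; 0, any other value or an absent key fails.
audit_cce_50342_5() {
    if ! is_macbook "$1"; then
        echo "not-applicable"
        return 0
    fi
    case "$(fv_key_destroy_value "$2")" in
        1) echo "pass" ;;
        *) echo "fail" ;;
    esac
}

audit_cce_50342_5 "$HW_LAPTOP" "$PMSET_OK"   # pass
```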


Parameter:

[Yes/No]


Technical Mechanism:

Run the following command to ensure FileVault keys are set to be destroyed on standby:

$ /usr/bin/sudo /usr/bin/pmset -a destroyfvkeyonstandby 1

CCSS Severity:
CCSS Score: 7.8
Exploit Score: 1.8
Impact Score: 5.9
Severity: HIGH
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CCSS Metrics:
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality: HIGH
Integrity: HIGH
Availability: HIGH

References:
Resource Id: SCAP Repo OVAL Definition
Reference: oval:org.secpod.oval:def:97017



© SecPod Technologies