The information system implements cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas.
Verify the macOS system is configured to enforce FileVault with the following command:
dontAllowDisable=$(/usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.MCX')\ .objectForKey('dontAllowFDEDisable').js EOS ) fileVault=$(/usr/bin/fdesetup status | /usr/bin/grep -c "FileVault is On.") if [[ "$dontAllowDisable" == "true" ]] && [[ "$fileVault" == 1 ]]; then echo "1" else echo "0" fi
If the result is not "1", this is a finding.
Fix
Refer to the FileVault supplemental to implement this rule. Configure the macOS system to enforce FileVault by installing the "com.apple.MCX" configuration profile.