APPL-11-005020 - The macOS system must implement cryptographic mechanisms to protect the confidentiality and integrity of all information at rest.


Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive and tape drive) within an organizational information system. Mobile devices, laptops, desktops, and storage devices can be lost or stolen, and the contents of their data storage (e.g., hard drives and non-volatile memory) can be read, copied, or altered. By encrypting the system hard drive, the confidentiality and integrity of any data stored on the system is ensured. FileVault Disk Encryption mitigates this risk.

Satisfies: SRG-OS-000185-GPOS-00079, SRG-OS-000404-GPOS-00183, SRG-OS-000405-GPOS-00184

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.


Open System Preferences >> Security and Privacy and navigate to the 'FileVault' tab. Use this panel to configure full-disk encryption.

Alternately, from the command line, run the following command to enable 'FileVault':

/usr/bin/sudo /usr/bin/fdesetup enable

After 'FileVault' is initially set up, additional users can be added.

See Also

Item Details


References: 800-53|SC-28, 800-53|SC-28(1), CAT|II, CCI|CCI-001199, CCI|CCI-002475, CCI|CCI-002476, Rule-ID|SV-230846r599842_rule, STIG-ID|APPL-11-005020, Vuln-ID|V-230846

Plugin: Unix

Control ID: 5f557e9c0f87a48782e3a69bb2b5c7e03556df2d858f9fbf4d6decbe1711fd53