Turn on FileVault Disk Encryption (unauthorized disclosure of all information) FileVault Disk Encryption must be enabled. This ensures that any data stored on the hard drive will be protected by cryptographic means when the system is powered off, mitigating the risk of unauthorized disclosure of that data. Selection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields).

[]

To check if FileVault 2 is enabled, run the following command: sudo fdesetup status If FileVault is 'Off', and the device is a laptop, this is a finding.