Information
Power Nap allows the system to stay in low power mode, especially while on battery power, and periodically connect to previously known networks with stored credentials for user applications to phone home and get updates. This capability requires FileVault to remain unlocked and the use of previously joined networks to be risk accepted based on the SSID without user input.
This control has been updated to check the status on both battery and AC Power. The presence of an electrical outlet does not completely correlate with logical and physical security of the device or available networks.
Rationale:
Disabling this feature mitigates the risk of an attacker remotely waking the system and gaining access.
The use of Power Nap adds to the risk of compromised physical and logical security. The user should be able to decrypt FileVault and have the applications download what is required when the computer is actively used.
The control to prevent computer sleep has been retired for this version of the Benchmark. Forcing the computer to stay on and use energy in case a management push is needed is contrary to most current management processes. Only keep computers unslept if after hours pushes are required on closed LANs.
Impact:
Power Nap exists for unattended user application updates like email and social media clients. With Power Nap disabled, the computer will not wake and reconnect to known wireless SSIDs intermittently when slept.
Solution
Graphical Method:
Perform the following steps to disable Power Nap:
Open System Preferences
Select Battery
Select Battery
Set Enable Power Nap to enabled
Select Power Adapter
Set Enable Power Nap to enabled
Select UPS
Set Enable Power Nap to enabled
Terminal Method:
Run the following command to disable Power Nap:
$ /usr/bin/sudo /usr/bin/pmset -a powernap 0
Additional Information:
man pmset
Item Details
Category: CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION
References: 800-53|CM-1, 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|CM-7(1), 800-53|CM-9, 800-53|SA-3, 800-53|SA-8, 800-53|SA-10, CSCv7|5.1, CSCv7|9.2
Control ID: aebd8eaa0c1c647b81c7f609dd204876babf441658d02ea1974939a054c7bbb0