If data is not encrypted when the device is locked, an adversary could remove the non-volatile memory from the device and read it directly with tools built for that purpose. Such an attack bypasses every other operating system control. Encrypting the data provides assurance that it remains protected even when the memory is physically removed from the device.
Review system documentation and other IA information resources to determine how the operating system treats data in memory when the device is locked. The operating system may enforce this requirement by a variety of means. The reviewer should focus on whether the data is encrypted once the device has been shut down suddenly, not on the timing of the encryption, much of which may occur before the device locks. If unencrypted data still resides on the device after it is locked, this is a finding.
Fix Text (F-36610r1_fix)
Configure the operating system to re-encrypt all device data in memory when the device is locked. If the operating system does not support this capability, assign a permanent finding to the asset running the operating system.