Following the loss of 26 million records containing PII, M-06-16 requires which of the following?

Protecting PII requires layered protections that cover data at rest, data in transit, and access controls. Encrypting all data on mobile devices ensures that if a device is lost or stolen, the information it stores remains unreadable without the proper keys. Implementing remote access with two-factor authentication where one factor is provided by a device separate from the computer adds a strong barrier against credential theft, since an attacker would need both factors and cannot rely on a single stolen credential. A time-out function that requires re-authentication after 30 minutes of inactivity helps prevent someone else from taking over an unattended session. Together, these measures address multiple risk vectors and contribute to a defense-in-depth approach, making all of the above the most protective option.