Under M-06-16, what security measure is required for mobile data when the data resides on mobile devices?

Protecting data at rest on mobile devices is essential because a lost or stolen device can expose sensitive information. The required measure is encryption of all data stored on mobile devices. By encrypting data at rest, the information remains unreadable without the decryption key, even if the device falls into the wrong hands. This directly addresses the risk of data exposure when the device is not connected or secured. This focus on encryption for data at rest is different from data in transit (encryption during network transmission). Simply backing up or replicating data to the cloud, relying on biometric login alone, or denying remote access does not guarantee that stored data on the device itself is protected if the device is compromised. Encrypting all data on the device satisfies the policy requirement to safeguard mobile data where it resides.