In addition to NIST checklist, the following are required:
1. Encrypt all data on mobile computers/devices which carry agency data
unless the data is determined to be non-sensitive, in writing, by your
Deputy Secretary or an individual he/she may designate in writing;
2. Allow remote access only with two-factor authentication where one of
the factors is provided by a device separate from the computer gaining
access;
3. Use a "time-out" function for remote access and mobile devices
requiring user re-authentication after 30 minutes inactivity; and
4. Log all computer-readable data extracts from databases holding
sensitive information and verify each extract including sensitive data
has been erased within 90 days or its use is still required.
Also see the following for a list of Full Disc Encryption products:

That is wise. A bit late though, hence the urgency.

Now let me guess - what will the "experts", the contracting consultants
and the excellent high profile entertainers will urgently recommend in
the rest of the western states? The same; with mimics.

Kind regards
Ludovic