💼 2.1 Processes and mechanisms for applying secure configurations to all system components are defined and understood. | 2 | | | |
    💼 2.1.1 All security policies and operational procedures identified in Requirement 2 are documented, kept up to date, in use, and known to all affected parties. | | | | |
    💼 2.1.2 Roles and responsibilities for performing activities in Requirement 2 are documented, assigned, and understood. | | | | |
💼 2.2 System components are configured and managed securely. | 7 | | | |
    💼 2.2.1 Configuration standards are developed, implemented, and maintained. | | | 2 | |
    💼 2.2.2 Vendor default accounts are managed. | | | 2 | |
    💼 2.2.3 Primary functions requiring different security levels are managed. | | | | |
    💼 2.2.4 Only necessary services, protocols, daemons, and functions are enabled, and all unnecessary functionality is removed or disabled. | | | | |
    💼 2.2.5 If any insecure services, protocols, or daemons are present, business justification is documented. | | | 3 | |
    💼 2.2.6 System security parameters are configured to prevent misuse. | | | 1 | |
    💼 2.2.7 All non-console administrative access is encrypted using strong cryptography. | | | 4 | |
💼 2.3 Wireless environments are configured and managed securely. | 2 | | | |
    💼 2.3.1 For wireless environments connected to the CDE or transmitting account data, all wireless vendor defaults are changed at installation or are confirmed to be secure. | | | | |
    💼 2.3.2 For wireless environments connected to the CDE or transmitting account data, wireless encryption keys that are changed. | | | | |