2 Apply Secure Configurations to All System Components

11 requirements in the Apply Secure Configurations to All System Components requirement

2.1.1 All security policies and operational procedures that are identified in Requirement 2 are: Documented.
2.1.2 Roles and responsibilities for performing activities in Requirement 2 are documented, assigned, and understood.
2.2.1 Configuration standards are developed, implemented, and maintained to: Cover all system components.
2.2.2 Vendor default accounts are managed as follows: If the vendor default account(s) will be used, the default password is changed per Requirement 8.
2.2.3 Primary functions requiring different security levels are managed as follows: Only one primary function exists on a system component, OR Primary functions with differing security levels that exist on the same system component are isolated from each other, OR Primary functions with differing security levels on the same system component are all secured to the level required by the function with the highest security need.
2.2.4 Only necessary services, protocols, daemons, and functions are enabled, and all unnecessary functionality is removed or disabled.
2.2.5 If any insecure services, protocols, or daemons are present: Business justification is documented.
2.2.6 System security parameters are configured to prevent misuse.
2.2.7 All non-console administrative access is encrypted using strong cryptography.
2.3.1 For wireless environments connected to the CDE or transmitting account data, all wireless vendor defaults are changed at installation or are confirmed to be secure, including but not limited to: Default wireless encryption keys.
2.3.2 For wireless environments connected to the CDE or transmitting account data, wireless encryption keys are changed as follows: Whenever personnel with knowledge of the key leave the company or the role for which the knowledge was necessary.