Due to vulnerabilities in CPEs' embedded software and default
configuration, these devices have been the target of several types of
abuse. This scenario, that entails additional costs to Internet
Service Providers, has been the motivation for several anti-abuse and
network operators' working groups to come together and define a set of
minimum security requirements for CPEs.  This paper is a case study,
which describes the process of building these security requirements in
a multistakeholder working group, that had the participation of
professionals with different expertise areas and from several
countries. We also present the main consensus points, that are part of
the final recommendations of the working group.