R2 - Security Patch Management

CIP-007 R2 requires owners of bulk electric system cyber assets to implement a formal security patch management program. The program must inventory hardware and software, evaluate vulnerability information, test and apply patches within defined timeframes, and retain documentation of all actions for compliance verification.