R3 - Vulnerability Assessments

R3 mandates that owners of critical cyber assets perform systematic vulnerability assessments to identify security weaknesses in their systems, document the findings, and develop remediation plans. The assessments must be conducted at least annually or whenever significant changes occur, and results are to be reported to the appropriate reliability authority. This ensures that identified gaps are addressed to maintain the integrity and reliability of the bulk electric system.