R2 - Vendor Risk Assessment

The R2 vendor risk assessment requirement under NERC CIP-013 obliges bulk-power owners and operators to identify any third-party vendors that have access to critical systems, evaluate the security risks they pose, and document the findings. It also calls for periodic reviews of those assessments and the implementation of mitigation actions to protect the bulk-power system from supply-chain threats.