According to CISA $/$ Safecom Guide for conducting risk assessment, which of the following represents the first step in conducting a risk assessment?

$1.$

Step $1$: Identify and Document Network Asset Vulnerabilities

$2.$

Step $1$: Identify and Use Sources of Cyber Threat Intelligence

$3.$

Step $1$: Identify and Document Internal and External Threats

$4.$

Step $1$: Identify Potential Mission Impacts