<h2>Exception Management overview</h2><br/><div style="overflow-x:auto"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><meta content="text/html; charset=UTF-8" /><meta name="copyright" content="(C) Copyright 2025" /><meta name="DC.rights.owner" content="(C) Copyright 2025" /><meta name="generator" content="DITA-OT" /><meta name="DC.type" content="concept" /><meta name="DC.title" content="Exception Management overview" /><meta name="abstract" content="When your organization can't comply with a published vulnerability management or security policy, standard, or guideline, you can request an exception. Exception management entails requesting, reviewing, approving, or rejecting exceptions to a vulnerable item (VI) or remediation task (RT) that cannot be remediated according to the policy." /><meta name="DC.subject" content="configure exception management, create an exception, exception, exception management, manage exception, exception rules, exception rule, request exception, vulnerability response exception, exception process, exception request, vulnerability exception, exception management configuration, exception vulnerability, security exception, exception approval, exception date, exception expiration notification, exception management states, exception overview, exception vulnerabilities" /><meta name="DC.creator" content="ServiceNow" /><meta name="DC.contributor" content="juliana.malloy" /><meta name="DC.date.created" content="2023-02-02" /><meta name="DC.date.modified" content="2024-02-01" /><meta name="DC.date.modified" content="2024-02-06" /><meta name="DC.format" content="XHTML" /><meta name="DC.identifier" content="vr-exception-management" /><link rel="stylesheet" type="text/css" href="../../../CSS/commonltr.css" /><title>Exception Management overview</title></head><body id="vr-exception-management"> <h1 class="title topictitle1" id="ariaid-title1">Exception Management overview</h1> <div class="body conbody"><p class="shortdesc">When your organization can't comply with a published vulnerability management or security policy, standard, or guideline, you can request an exception. 
Exception management entails requesting, reviewing, approving, or rejecting exceptions to a vulnerable item (VI) or remediation task (RT) that cannot be remediated according to the policy.</p> <p class="p">Some vulnerabilities might not have an existing patch, fix, or solution. When an exception is approved, it also means that you're accepting a risk because you're acknowledging and agreeing to the consequences of not remediating the vulnerability.</p> <div class="section" id="vr-exception-management__section_ems_dy3_flb"><h2 class="title sectiontitle">Life cycle of an exception</h2> <div class="p"> <dl class="dl"> <dt class="dt dlterm">Definition of an exception</dt> <dd class="dd">An exception is a request to defer the remediation of a VI or RT for a specified period. For example, as a remediation owner, you can request an exception if a patch is not available for a machine.</dd> <dt class="dt dlterm">Requesting an exception</dt> <dd class="dd">As the remediation owner, you can ask for an exception for a VI or RT using the exception management process. After the exception approver approves this request, the VI or RT moves to a <span class="ph uicontrol">Deferred</span> state.</dd> <dt class="dt dlterm">Approving an exception request</dt> <dd class="dd">VIs or RTs that can't be remediated immediately are reviewed by vulnerability analysts, assessed for risk, and approved for deferral until they can be remediated. Approving an exception request can be a two-level workflow. If only the first-level approver is present, the exception can be requested and approved. However, if there's no first-level approver, an exception can't be requested. 
See <a class="xref" href="../task/add-exception-approver.html" title="Add users to the approver groups so that you can request an exception.">Add an exception approver</a> for more information.</dd> </dl> <div class="note"><span class="notetitle">Note:</span> <ul class="ul" id="vr-exception-management__ul_sff_qhl_dcc"><li class="li"> <p class="p">Starting from <span class="ph">Vulnerability Response</span> v15.0, if you are deploying the VR application for the first time, the flow designer for exception management is enabled by default. If you are already using the workflow, you can update to the flow designer. In both cases, you cannot change it back to the workflow. To configure approval rules for exception management and false positives, see <a class="xref" href="../task/exception-mgt-approval-rules.html" title="Starting with Vulnerability Response v15.0, use the flow designer to approve exception requests for exception management, exception rules, and false positive management. If you are deploying Vulnerability Response (VR) for the first time, the flow designer is enabled by default.">Configure approval rules for Exception Management</a>.</p> <div class="p">Once an exception request for a VI or RT is approved, you can perform the following actions:<ul class="ul" id="vr-exception-management__ul_h32_y22_4lb"><li class="li">Reopen</li><li class="li">Delete</li><li class="li">Update the <span class="ph uicontrol">Assignment to</span> or <span class="ph uicontrol">Assignment groups</span> fields</li></ul> </div> </li><li class="li">Starting with v23.0 of <span class="ph">Vulnerability Response</span>, the <span class="ph uicontrol">Exception Rule State Approval</span> workflow is deprecated and replaced by the flow Exception Rule Approval in the flow designer.</li></ul> </div> </div> </div> <div class="section" id="vr-exception-management__section_c5g_kw2_mlb"> <div class="p"><dl class="dl"> <dt class="dt dlterm">Tracking an exception request</dt> <dd class="dd">After 
raising the exception, you can track its status by using the <span class="ph uicontrol">State Change Approvals</span> tab of the VI or RT. If an action is taken on an RT, you can't track the status of the individual VIs in that RT.</dd> <dt class="dt dlterm">Expiry of an exception request</dt> <dd class="dd">When an exception request for a particular VI or RT expires, the impacted VI or RT reverts to its <span class="ph uicontrol">Open</span> state.</dd> </dl> <div class="fig fignone" id="vr-exception-management__fig_oyw_d3w_qlb"><span class="figcap"><span class="fig--title-label">Figure 1. </span>Exception management approval process prior to VR v15.0</span> <img class="image" id="vr-exception-management__image_w25_415_slb" src="../image/Lifecycle_of_exception_requested.png" alt="Life cycle of an exception requested for a VI or remediation task. The exception request starts with the remediation owner and ends with the exception approver L2." /> </div> </div> <p class="p">If a single VI or all the VIs in an RT pass the next scan, the <span class="ph uicontrol">State</span> field of the VIs and, where applicable, of the RT changes to <span class="ph uicontrol">Closed</span> with the substate <span class="ph uicontrol">Fixed</span>.</p> </div> </div> </body></html></div>