Exception Management Overview
Summary of Exception Management Overview
Exception Management in ServiceNow enables organizations to formally request, review, approve, or reject exceptions when they cannot comply with a published security finding, policy, standard, or guideline. It is designed to handle cases where findings or remediation tasks cannot be immediately remediated, such as when no patch or fix is available. Approved exceptions represent an accepted risk and acknowledge the consequences of deferring remediation.
Administrators manage exception cases through the Security Exposure Management Administration Console. This is accessible via Workspaces > Security Exposure Management Workspace > Administration > Exception Management. The console provides configurations across four applications: Vulnerability Response, Configuration Compliance, Application Vulnerability Response, and Container Vulnerability Response.
Key Features
- Exception Request and Approval: Remediation owners can request exceptions to defer remediation. Approval workflows can be multi-level and depend on configured approvers and their roles. Without assigned approvers, requests cannot be submitted.
- Lifecycle Tracking: Exception requests can be tracked via the Change Approvals tab on findings or remediation tasks, except when actions are taken on the entire remediation task.
- Expiry Management: Expired exception requests revert findings or remediation tasks to the Open state, requiring remediation action.
- Questionnaire Integration: The Smart Assessment workspace supports customizable questionnaires within the exception management process. This allows remediation owners to provide detailed context and approvers to use conditional questions for informed decisions.
- Deferral and Extension: Users can defer remediation tasks safely when fixes are unavailable and request extensions for deferred tasks before their due dates.
- False Positive Requests: The workspace supports marking findings or remediation tasks as false positives when scanners incorrectly identify vulnerabilities.
Key Outcomes
- Provides a structured process to manage unavoidable security exceptions while maintaining risk awareness.
- Enables clear visibility and control over exception requests and their approval status.
- Supports detailed information gathering through configurable questionnaires, enhancing decision quality.
- Facilitates compliance management by tracking expiration and reversion of exceptions to ensure timely remediation.
- Allows remediation owners to proactively manage exceptions, including deferrals, extensions, and false positive validations, improving operational efficiency.
When your organization can't comply with a published finding or security policy, standard, or guideline, you can request an exception. Exception management entails requesting, reviewing, approving, or rejecting exceptions to a finding or remediation task (RT) that can’t be remediated.
Some findings might not have an existing patch, fix, or solution. When an exception is approved, it also means that you're accepting a risk because you're acknowledging and agreeing to the consequences of not remediating the finding.
Exception Management provides administrators the ability to handle, configure, and review exception cases within the Security Exposure Management Administration Console. You can navigate to Exception Management from the Security Exposure Management Workspace (Workspaces > Security Exposure Management Workspace > Administration > Exception Management).
On the Exception Management landing page, you can view the exception management configurations for all four apps: Vulnerability Response, Configuration Compliance, Application Vulnerability Response, and Container Vulnerability Response. You can create a new questionnaire, or design your own using the templates available in the Smart Assessment workspace, to help the Vulnerability Manager, Business Unit Head, or Service Owners review exception requests.
You can personalize the columns and rows with the settings icon on the right.
The life cycle of an exception
- Definition of an exception: An exception is a request to defer the remediation of a finding or remediation task for a specified period. For example, as a remediation owner, you can request an exception if a patch isn't available for a machine.
- Requesting an exception: As the remediation owner, you can ask for an exception for a finding or remediation task using the exception management process. After the exception approver approves this request, the finding or remediation task moves to the Deferred state.
- Approving an exception request: Findings or remediation tasks that can't be remediated immediately are reviewed by a vulnerability manager or business analyst, assessed for risk, and approved for deferral until they can be remediated. Approval rules for Exception Management are determined by the configured approvers and approver levels. Once the required approvals are obtained, the request state transitions according to the type of request. If defined, exception requests can follow a multi-level approval workflow. If no approver is configured for a specific request type, the request can't be submitted. Approvals are typically carried out by the Vulnerability Manager or by business users who have been assigned the appropriate Approver role.
- Tracking an exception request: After raising the exception, you can track its status using the Change Approvals tab of the finding or remediation task. If an action is taken on a remediation task, you can't track the status of the individual findings in that remediation task.
- Expiry of an exception request: When an exception request for a particular finding or remediation task expires, the impacted finding or remediation task reverts to its Open state.
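The life cycle above is easiest to reason about as a small state machine: a finding is Open, a request can only be submitted when approvers are configured, every configured approval level must approve in order before the finding becomes Deferred, a rejection at any level leaves it Open, and expiry returns a Deferred finding to Open. The following Python model is an added illustration of those rules, not ServiceNow code or any ServiceNow API; the intermediate "Pending Approval" state, the approver names, the finding IDs and the dates are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date

# States named on the page: Open until an exception is approved, Deferred while
# the approved exception is in force, and Open again once it expires.
# "Pending Approval" is an assumed intermediate state for this model only.
OPEN, PENDING, DEFERRED = "Open", "Pending Approval", "Deferred"


class ExceptionError(Exception):
    """Raised when one of the life-cycle rules is violated."""


@dataclass
class Finding:
    finding_id: str
    state: str = OPEN


@dataclass
class ExceptionRequest:
    finding: Finding
    reason: str
    expires_on: date
    # One list of eligible approvers per level; level 0 must decide before level 1, etc.
    approver_levels: list
    # Decisions recorded so far, keyed by level index: (approver, approved).
    decisions: dict = field(default_factory=dict)

    @property
    def current_level(self) -> int:
        return len(self.decisions)

    @property
    def is_complete(self) -> bool:
        return self.current_level == len(self.approver_levels)


def submit_exception(finding, reason, expires_on, approver_levels, today):
    """A request can only be submitted when every approval level has at least one approver."""
    if finding.state != OPEN:
        raise ExceptionError(f"{finding.finding_id} is {finding.state}, not Open")
    if not approver_levels or any(len(level) == 0 for level in approver_levels):
        raise ExceptionError("no approver configured for this request type; cannot submit")
    if expires_on <= today:
        raise ExceptionError("exception expiry must be in the future")
    finding.state = PENDING
    return ExceptionRequest(finding, reason, expires_on, list(approver_levels))


def decide(request, approver, approved):
    """Record one level's decision; levels are taken in order, only by eligible approvers."""
    if request.is_complete or request.finding.state != PENDING:
        raise ExceptionError("request is no longer awaiting approval")
    level = request.current_level
    if approver not in request.approver_levels[level]:
        raise ExceptionError(f"{approver} is not an approver at level {level}")
    request.decisions[level] = (approver, approved)
    if not approved:
        # Rejection at any level ends the request; remediation is still required.
        request.finding.state = OPEN
    elif request.is_complete:
        # Every configured level approved: the accepted risk defers remediation.
        request.finding.state = DEFERRED
    return request.finding.state


def check_expiry(request, today):
    """An expired exception reverts the finding to Open so that it gets remediated."""
    if request.finding.state == DEFERRED and today >= request.expires_on:
        request.finding.state = OPEN
    return request.finding.state


if __name__ == "__main__":
    # Constructed walk-through: two-level approval, then expiry.
    f = Finding("finding-1")
    req = submit_exception(f, "no vendor patch available", date(2025, 3, 1),
                           [["vuln_manager"], ["bu_head"]], today=date(2025, 1, 1))
    print(decide(req, "vuln_manager", True))   # still Pending Approval after level 0
    print(decide(req, "bu_head", True))        # Deferred after the final level
    print(check_expiry(req, date(2025, 3, 1))) # Open again on the expiry date
```

The model deliberately refuses to submit when any level has no approver, mirroring the page's rule that a request without a configured approver cannot be submitted, and it treats expiry as a plain reversion to Open rather than an automatic extension, so a deferred finding always comes back into the remediation queue unless a new request is raised.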