Request an exception using GRC: Policy and Compliance Management

Release version: Australia

Updated June 16, 2026

1 minute to read

Request policy exceptions using the GRC policy exception management capability in the Policy and Compliance Management application from within Vulnerability Response.

Before you begin

Before you can use the Policy Exception Integration to request policy exceptions, you must download the GRC: Policy and Compliance Management application from the ServiceNow Store.

Role required: sn_vul.remediation_owner

Procedure

Navigate to Workspaces > Security Exposure Management > findings (or Remediation Tasks)>All, and open the item or group for which you want to request an exception.
The selected item or group must be in Open, Under investigation, or Awaiting implementation state.
On the selected form, click Request Exception.

On the form, fill in the fields.

Table 1. Request Exception form
Field	Description
Policy	Vulnerability Management policy that you are requesting an exception for.
Control objective	Control objectives that are associated with the policy you selected. If a policy is not selected, all the control objectives are listed.
Valid from	Date when the exception will start. The default value is the current date. This date cannot be in the past.
Valid until	Date that the policy exception expires and the state of the vulnerable item or group changes from Deferred to Open. Note: The number of days that the policy exception is valid cannot exceed the Maximum exception duration (days) that you set for the policy in Policy and Compliance. For more information, see Create a policy.
Reason	Reason for requesting an exception.
Justification	Details that are related to the reason why this request is being made. This mandatory field must be filled in by the remediation owner.

Click Submit.
For more information on the Policy Exception Integration and the hand-off between the remediation owner and the compliance manager, see Policy and Compliance optional setup.