Request a bulk exception using GRC: Policy and Compliance Management

  • Release version: Zurich
  • Updated July 31, 2025
  • 2 minutes to read

    • Select a group of vulnerable items and submit a bulk exception.

    Before you begin

    Before you can use the Policy Exception Integration to request bulk exceptions, you must download the GRC: Policy and Compliance Management application from the ServiceNow Store.
    Note:
    To use this feature, you must upgrade GRC: Policy and Compliance Management before upgrading Vulnerability Response. If you have already upgraded Vulnerability Response before GRC: Policy and Compliance Management, and want to use this feature, you must perform the upgrade procedures again in the correct order.

    Persona and granular roles are available to help you manage what users and groups can see and do in the Vulnerability Response application. For an initial assignment of the persona roles in Setup Assistant, see Assign the Vulnerability Response persona roles using Setup Assistant. For more information about managing granular roles, see Manage persona and granular roles for Vulnerability Response.

    Role required: sn_vul.remediation_owner

    You can also request exceptions in the classic environment in Vulnerability Response.

    Procedure

    1. Navigate to All > Vulnerability Response > Vulnerable Items > All and select the items that you want to request an exception for.
      The selected items must be in Open, Under investigation, or Awaiting implementation state.
    2. Click Bulk Edit.
    3. On the form, fill in the fields.
      Table 1. Vulnerable Item Bulk Edit form
      Field Description
      Record selection Records that you selected for a bulk edit.
      State State of the vulnerable item. Select the Deferred state to request an exception for the selected items.
      Short description Name of the task that you are creating.
      Preferred solution Solution that you are targeting for remediating all the vulnerable items that you selected for bulk edit.
      Assignment group Assignment group for the VI. You can select a group manually or use Assignment Recommendations if that feature is enabled.
      Work notes Notes to be added.
    4. Click OK.
      A remediation task is created with the selected vulnerable items.
    5. On the form, fill in the fields.
      Table 2. Request Exception form
      Field Description
      Policy Vulnerability Management policy that you are requesting an exception for.
      Control objective Control objectives that are associated with the policy that you selected. If a policy is not selected, all the control objectives are listed.
      Valid from Date when the exception will start. The default value is the current date. This date cannot be in the past.
      Valid until Date that the policy exception expires and the state of the vulnerable item or group changes from Deferred to Open.
      Note:
      The number of days that the policy exception is valid cannot exceed the Maximum exception duration (days) that you set for the policy in GRC: Policy and Compliance Management. For more information, see Create a policy.
      Reason Reason for requesting an exception.
      Justification Details that are related to the reason why this request is being made. This mandatory field must be filled in by the remediation owner.
    6. Click Submit.
      For more information on the Policy Exception Integration and the hand-off between the remediation owner and the compliance manager, see Policy and Compliance Management optional setup.