Deferring remediation in Application Vulnerability Response

  • Release version: Zurich
  • Updated July 31, 2025
  • 3 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Deferring remediation in Application Vulnerability Response

    Starting with version 20.0 of Application Vulnerability Response (AVR), you can defer remediation by moving application vulnerable items (AVIs) and remediation tasks into anAwaiting Implementationstate. This manual state transition is available only from theUnder Investigationstate and signals that research and preparation are complete, but the actual fix or patch is not yet ready for deployment.

    Show full answer Show less

    Use Case

    Remediation specialists use the Awaiting Implementation state to communicate that a remediation fix is prepared but pending deployment, such as waiting for a maintenance window to apply a software patch.

    Required Fields and Configuration

    • Remediation commitment date: The planned date for remediation.
    • Remediation plan: Description of the remediation approach, displayed in the record’s Notes section.

    Two system properties control the behavior of the modal prompt when transitioning to Awaiting Implementation:

    • snvul.remediationfields: By default true, makes the commitment date and plan mandatory; setting it to false makes them optional.
    • snvul.awaitingimplementation: By default true, displays the modal prompt; setting it to false allows changing to Awaiting Implementation without prompt.

    Tracking Missed Remediation Dates

    You can monitor AVIs that have missed their remediation commitment dates through the Missed Remediation Commitment Date module located at:

    Application Vulnerability Response > Vulnerable items > Missed Remediation Commitment Date

    State Roll Down and Override Functionality

    The Awaiting Implementation state transition button is available only on AVIs and remediation tasks in the Under Investigation state. When transitioning a remediation task to Awaiting Implementation, you have the option to Override existing AVIs in that task which are already in Awaiting Implementation.

    • Override existing AVIs: If selected, the remediation commitment date and plan on the remediation task roll down to update the AVIs, overwriting their existing data.
    • If not selected, AVIs already in Awaiting Implementation retain their original date and plan values, unaffected by the task’s state change.

    Note that AVIs in Resolved or Closed-fixed states will not be reverted to Awaiting Implementation when overriding due to state precedence rules. Also, if the task is moved back to Open or Under Investigation, AVIs in Awaiting Implementation remain in that state.

    Practical Implications for ServiceNow Customers

    This functionality allows your teams to better communicate remediation progress when fixes are prepared but cannot be immediately applied, improving coordination and tracking. The mandatory commitment date and plan fields ensure clear accountability and scheduling. The override option provides flexibility in synchronizing remediation task details with individual AVIs, ensuring consistency or preserving existing data as appropriate.

    Starting with v20.0, you can defer remediation with the Awaiting Implementation state that is available for application vulnerable items (AVI)s and remediation tasks as they move through their life cycles. You can only transition records to this state manually by selecting Awaiting Implementation from AVI and remediation task records in the Under Investigation state.

    Use case

    As a remediation specialist, you can move a record into Awaiting Implementation to let your team know that your research and work on a task is complete. You might choose this update if you find that a fix is ready for implementation but isn't available. An example of an unavailable fix is a software patch. If the maintenance window for a patch isn't available when you finish your research, you can move the task to Awaiting Implementation until the patch can be deployed.

    Required fields

    There are two required, editable fields on the AVI and remediation task records that are in the Awaiting Implementation state:

    Remediation commitment date
    The planned remediation date.
    Remediation plan
    The description of the remediation plan for remediation. This text is displayed in the Notes on the record.

    Fields and system properties

    There are two system properties that are set to true by default for the modal that appears when you transition a record to Awaiting Implementation. If left in their default settings:

    sn_vul.remediation_fields
    Sets Remediation commitment date and Remediation plan as mandatory fields. If set to false, these fields are optional.
    sn_vul.awaiting_implementation
    Displays the modal with the Remediation commitment date, Remediation plan fields after you select Awaiting Implementation on a record. If set to false, you can change the state of an AVI to Awaiting implementation without a prompt for entering a commitment date or a plan.

    Missed Remediation Commitment Date Module

    View any AVIs that have missed their Remediation commitment dates in the Missed Remediation Commitment Date module. Navigate Application Vulnerability Response > Vulnerable items > Missed Remediation Commitment Date to view the list.

    State roll down from remediation tasks to AVIs

    The UI action button to transition a record into Awaiting Implementation is only visible on application vulnerable item and remediation task records in the Under Investigation state. For state roll down, on the modal that appears when you select Awaiting Implementation on a remediation task, there's an option to Override existing AVIs.

    Option Description
    Select Override existing AVIs.

    Select this option to override the Remediation commitment dates and Remediation plans any existing AVIs in the task already in the Awaiting Implementation state.

    If selected, this feature rolls down the date and plan data on the remediation task to the AVIs.
    Leave Override existing AVIs deactivated.

    Leave the option deactivated to keep the date and plan values intact for any existing AVIs on the task already in the Awaiting Implementation state.

    If deactivated, AVIs already in Awaiting Implementation preserve their existing date and plan data and are not impacted by state roll down.

    Roll down examples

    Say you want to transition a remediation task from Open to Awaiting Implementation so that you can update the task’s commitment date and plan information for a software patch maintenance window. Assume that there is an AVI in this task in the Awaiting Implementation state, and you want to update its commitment date and plan information to match the remediation task.

    To overwrite the AVIs date and plan data so it matches the remediation task, select the check box to Override existing AVIs when prompted. The AVI’s date and plan values become the plan and date values that you enter for the task in the prompt when you select Awaiting Implementation.

    If you don’t select the override option in this case, and there is an AVI in Awaiting Implementation, the original date and plan data on the AVI remains intact. The plan and date values that you enter for the task in the prompt when you select Awaiting Implementation aren't used on any AVIs already in the Awaiting Implementation state in the task.

    If an AVI on a task is in Resolved or Closed-fixed and you transition the task to Awaiting Implementation, selecting Override existing AVIs doesn't change the AVIs from Closed-fixed and Resolved to Awaiting Implementation due to a higher state precedence.

    If override is not selected while moving the task to Awaiting Implementation and there's an AVI already in Awaiting Implementation and you move the task back to Open or Under Investigation, the AVI remains in Awaiting Implementation.