Exception Management overview

  • Release version: Zurich
  • Updated July 31, 2025

    Summary of Exception Management overview

    Exception Management in ServiceNow Vulnerability Response allows organizations to formally request, review, approve, or reject exceptions when they cannot comply with a vulnerability management or security policy, standard, or guideline. This applies to vulnerable items (VIs) or remediation tasks (RTs) that cannot be remediated as required. Exception approval signifies acceptance of the associated risk due to deferral of remediation.


    Starting with Vulnerability Response v30.0, the Exception Management UI is enhanced to provide approvers with better insights directly within Change Approval records and a new Approver landing page in the Security Exposure Management workspace. These improvements streamline the approval process by offering richer context and reducing manual effort.

    Life cycle and process

    • Definition: An exception is a request to defer remediation of a VI or RT for a specified time, for example, when no patch is available.
    • Requesting an exception: Remediation owners submit exception requests via the exception management process.
    • Approving exceptions: Vulnerability analysts review requests and approve deferrals after assessing risk. There may be a two-level approval workflow; if no first-level approver exists, exceptions cannot be requested.
    • Post-approval actions: Once approved, exceptions move the VI or RT to a Deferred state. Users can reopen, delete, or update assignment fields.
    • Tracking: Exception request status is tracked via the State Change Approvals tab on VIs or RTs. Note that actions on RTs do not track individual VIs separately.
    • Expiry: When an exception expires, the VI or RT reverts to Open state and must be remediated.

    Key features and changes

    • Exception Rule State Approval workflow deprecated in favor of flow designer Exception Rule Approval starting v23.0.
    • Flow designer enabled by default for new deployments starting v15.0; existing users can upgrade but cannot revert.
    • Scheduled job tracks multiple deferrals, logging counts when VIs or RTs are deferred more than once.

    Practical implications for ServiceNow customers

    This capability helps your organization manage unavoidable remediation delays while maintaining visibility and control over security risks. The enhanced UI and approval workflows provide approvers with the context needed to make timely, informed decisions. Tracking deferrals and expiries ensures exceptions are monitored and addressed appropriately to reduce long-term exposure.

    To implement effectively, configure approval rules, add exception approvers as needed, and use the provided workspace modules to request and manage exceptions for both vulnerable items and remediation tasks.

    When your organization can't comply with a published vulnerability management or security policy, standard, or guideline, you can request an exception. Exception management entails requesting, reviewing, approving, or rejecting exceptions to a vulnerable item (VI) or remediation task (RT) that cannot be remediated according to the policy.

    Note:
    Starting with v30.0 of Vulnerability Response, the Exception Management UI has been enhanced to provide improved insights directly within the Change Approval record, enabling approvers to make informed decisions quickly without navigating to related records. Additionally, an Approver landing page has been introduced within the Security Exposure Management workspace for all findings; it provides an improved table view with additional columns, offering better visibility and context. Together, these enhancements streamline the approval workflow, reduce manual effort, and accelerate decision-making for exception requests. For more information, see Exception Management Overview and Unified Approvals View.
    Some vulnerabilities might not have an existing patch, fix, or solution. When an exception is approved, it also means that you're accepting a risk because you're acknowledging and agreeing to the consequences of not remediating the vulnerability.

    Life cycle of an exception

    Definition of an exception
    An exception is a request to defer the remediation of a VI or RT for a specified period. For example, as a remediation owner, you can request an exception if a patch is not available for a machine.
    Requesting an exception
    As the remediation owner, you can ask for an exception for a VI or RT using the exception management process. After the exception approver approves this request, the VI or RT moves to a Deferred state.
    Approving an exception request
    VIs or RTs that can't be remediated immediately are reviewed by vulnerability analysts, assessed for risk, and approved for deferral until they can be remediated. Approving an exception request can be a two-level workflow. If only the first-level approver is present, the exception can be requested and approved. However, if there's no first-level approver, an exception can't be requested. See Add an exception approver for more information.
    Note:
    • Starting from Vulnerability Response v15.0, if you are deploying the VR application for the first time, the flow designer for exception management is enabled by default. If you are already using the workflow, you can update to the flow designer. In both cases, you cannot change it back to the workflow. To configure approval rules for exception management and false positives, see Configure approval rules for Exception Management.
    • Starting with v23.0 of Vulnerability Response, the Exception Rule State Approval workflow is deprecated and replaced by the flow Exception Rule Approval in the flow designer.

    Once an exception request for a VI or RT is approved, you can perform the following actions:
    • Reopen
    • Delete
    • Update the Assigned to or Assignment group fields
    Tracking an exception request
    After raising the exception, you can track its status by using the State Change Approvals tab of the VI or RT. If an action is taken on an RT, you can't track the status of the individual VIs in that RT.
    Expiry of an exception request
    When an exception request for a particular VI or RT expires, the impacted VI or RT reverts to its Open state.
    Figure 1. Exception management approval process prior to VR v15.0
    Life cycle of an exception requested for a VI or remediation task. The exception request starts with the remediation owner and ends with the exception approver L2.

    If a single VI, or all the VIs in an RT, passes in the next scan, the State field of those VIs and, where applicable, of the RT changes to Closed with the substate Fixed.

    Multiple deferrals

    Track the number of times a record or a remediation task is deferred. A scheduled job, set deferral counts, runs daily and posts the counts for records that have been deferred more than once to the Deferral count column in the Multiple deferrals module for VR. If a remediation task is deferred more than once, the counts for all records associated with that remediation task are collected and posted as well.
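    The life cycle described above (request, one- or two-level approval, the Deferred state, expiry back to Open, Closed/Fixed after a clean scan) and the daily deferral-count job, modelled together as an added example. This is illustrative code written for this page, not ServiceNow product code or documentation: the record shape, the function names, the approver levels and the sample VI/RT records are constructed assumptions and do not correspond to ServiceNow tables, fields or scripts.

```javascript
// Added example, not ServiceNow's own code: an in-memory model of the exception
// life cycle and of the daily deferral-count job. Record shapes, function names
// and sample data are constructed and do not map to ServiceNow tables or fields.

const State = Object.freeze({ OPEN: "Open", DEFERRED: "Deferred", CLOSED: "Closed" });

// A vulnerable item (VI) or remediation task (RT); an RT lists the VI ids it groups.
function createRecord(id, type, viIds = []) {
  return { id, type, viIds, state: State.OPEN, substate: null, deferralCount: 0, exception: null };
}

// The remediation owner raises a request. Without a first-level approver the request
// cannot be raised at all; a second-level approver is optional (two-level approval).
function requestException(record, { approvers, expiresOn, reason }) {
  if (!approvers.level1) throw new Error(`${record.id}: no first-level approver, cannot request`);
  if (record.state !== State.OPEN) throw new Error(`${record.id}: only Open records can be deferred`);
  record.exception = { status: "Requested", approvers, expiresOn, reason, approvedBy: [] };
  return record;
}

// An approver at `level` (1 or 2) signs off. The record moves to Deferred only
// once every configured level has approved; each move to Deferred is one deferral.
function approveException(record, level) {
  const ex = record.exception;
  if (!ex || ex.status !== "Requested") throw new Error(`${record.id}: nothing to approve`);
  if (!ex.approvers[`level${level}`]) throw new Error(`${record.id}: no level-${level} approver`);
  if (!ex.approvedBy.includes(level)) ex.approvedBy.push(level);
  const required = ex.approvers.level2 ? [1, 2] : [1];
  if (required.every((l) => ex.approvedBy.includes(l))) {
    ex.status = "Approved";        // risk accepted: remediation is deferred
    record.state = State.DEFERRED;
    record.deferralCount += 1;
  }
  return record;
}

// A rejected request leaves the record Open and still due for remediation.
function rejectException(record) {
  const ex = record.exception;
  if (!ex || ex.status !== "Requested") throw new Error(`${record.id}: nothing to reject`);
  ex.status = "Rejected";
  return record;
}

// Expiry: a Deferred record whose exception lapsed reverts to Open (ISO dates compare as strings).
function expireExceptions(records, today) {
  const reverted = [];
  for (const r of records) {
    if (r.state === State.DEFERRED && r.exception.expiresOn <= today) {
      r.exception.status = "Expired";
      r.state = State.OPEN;
      reverted.push(r.id);
    }
  }
  return reverted;
}

// Next scan: a record on which the vulnerability no longer appears closes as Fixed.
function applyScanResult(record, stillVulnerable) {
  if (!stillVulnerable) {
    record.state = State.CLOSED;
    record.substate = "Fixed";
  }
  return record;
}

// The daily "set deferral counts" job: post counts only for records deferred
// more than once; for such an RT, collect the counts of its VIs as well.
function setDeferralCounts(records) {
  const byId = new Map(records.map((r) => [r.id, r]));
  const posted = {};
  for (const r of records) {
    if (r.deferralCount <= 1) continue;
    posted[r.id] = r.deferralCount;
    if (r.type === "RT") {
      for (const viId of r.viIds) if (byId.has(viId)) posted[viId] = byId.get(viId).deferralCount;
    }
  }
  return posted;
}

// Constructed walk-through: VI-1 deferred twice (again after its first exception
// expires), RT-1 deferred once, VI-2 found fixed by the next scan.
function runScenario() {
  const twoLevel = { level1: "vuln-analyst", level2: "security-manager" };
  const oneLevel = { level1: "vuln-analyst" };
  const vi1 = createRecord("VI-1", "VI");
  const vi2 = createRecord("VI-2", "VI");
  const rt = createRecord("RT-1", "RT", ["VI-2"]);
  const records = [vi1, vi2, rt];
  requestException(vi1, { approvers: twoLevel, expiresOn: "2025-02-01", reason: "no vendor patch" });
  approveException(vi1, 1);
  approveException(vi1, 2);
  const reverted = expireExceptions(records, "2025-02-01");   // VI-1 back to Open
  requestException(vi1, { approvers: oneLevel, expiresOn: "2025-06-01", reason: "patch in QA" });
  approveException(vi1, 1);
  requestException(rt, { approvers: oneLevel, expiresOn: "2025-06-01", reason: "maintenance window" });
  approveException(rt, 1);
  applyScanResult(vi2, false);
  return { reverted, vi1: vi1.state, rt: rt.state, vi2: [vi2.state, vi2.substate],
           deferralCounts: setDeferralCounts(records) };
}
```

    Running `runScenario()` returns VI-1 Deferred with a deferral count of 2 (so it is the only record the count job posts), RT-1 Deferred with a count of 1, and VI-2 Closed/Fixed. The two checks worth carrying into a real configuration are the ones the model enforces: a request is refused outright when no first-level approver is configured, and an expired exception puts the record back in Open rather than leaving it silently deferred.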