Configuration Compliance Exception Management overview
Configuration Compliance Exception Management enables organizations to handle situations where they cannot comply with published vulnerability management or security policies, standards, or guidelines. It allows users to request, review, approve, or reject exceptions for remediation tasks that cannot be addressed immediately as per the policy. This process is essential because approving an exception means accepting the associated risk of not remediating a configuration-related vulnerability.
Exception management is supported within the Vulnerability Manager Workspace and IT Remediation Workspace. It involves managing the lifecycle of exceptions, which includes requesting, approving, tracking, and handling the expiry of exception requests.
Key Features
- Exception Requesting: Remediation owners can request an exception to defer remediation for a specified time. The remediation task stays in "In review" state until approval, after which it moves to "Deferred". Exception requests can be submitted from the IT Remediation Workspace.
- Exception Approval: Exception requests undergo a risk assessment and approval process, which may include a two-level workflow. At least one approver is required to enable exception requests. Approvals and rejections can be managed in the Vulnerability Manager Workspace. Rejected requests revert the remediation task to its prior state, with comments documented in work notes.
- Tracking Exceptions: Users can monitor the status of exception requests via the State Change Approvals tab on the remediation task. Note that once action is taken on a remediation task, individual test result tracking is not available.
- Exception Expiry: When an exception expires, the remediation task automatically reverts to the "Open" state, prompting further remediation efforts.
- Terminology Updates: From version 14.9 onward, terminology was updated to reflect clearer roles, such as changing "Test Result Group" to "Remediation Task" and "Group Rules" to "Remediation Task Rules".
- Workflow Updates: Since Configuration Compliance version 13.0, the flow designer is used by default for exception management workflows, replacing previous workflow engines and not allowing reversion.
Practical Benefits for ServiceNow Customers
This feature helps ServiceNow customers effectively manage compliance risks when immediate remediation is not feasible. By formally handling exceptions, customers can document acceptance of risk, maintain audit trails for compliance purposes, and ensure clear visibility and control over remediation task statuses. The integration with Vulnerability Manager and IT Remediation Workspaces streamlines the exception handling process within familiar interfaces, supporting efficient collaboration between remediation owners and approvers.
When your organization can't comply with a published vulnerability management or security policy, standard, or guideline, you can request an exception. Exception management entails requesting, reviewing, approving, or rejecting exceptions for a remediation task that cannot be remediated according to the policy.
| Terminology prior to v14.9 | Terminology v14.9 onwards |
|---|---|
| Test Result Group | Remediation Task |
| Group Rules | Remediation Task Rules |
| Policy | Test group |
Some vulnerabilities might not have an existing patch, fix, or solution. When an exception is approved, it also means that you're accepting a risk because you're acknowledging and agreeing to the consequences of not remediating the configuration-related vulnerability.
Life cycle of an exception
An exception is a request to defer the remediation of a remediation task for a specified period.
- Requesting an exception
- Approving an exception request
- Tracking an exception request
- Expiry of an exception request
As the remediation owner, you can ask for an exception for a remediation task using the exception management process. During the approval process, the remediation task remains in the In review state. After the exception approver approves this request, the remediation task moves to the Deferred state. If the request is rejected, the remediation task reverts to the state it was in before the request, and the approver's comments are recorded in the work notes.
Starting from Configuration Compliance v13.0, if you are deploying the CC application for the first time, the flow designer for exception management is enabled by default. If you are already using the workflow, you can update to the flow designer. In both cases, you cannot change it back to the workflow engine.
- Reopen
- Delete
After raising the exception, you can track its status by using the State Change Approvals tab of the remediation task. If an action is taken on a remediation task, you can't track the status of the individual test results in that remediation task.
When an exception request for a remediation task expires, the remediation task reverts to its Open state.
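The life cycle above (request moves the task to In review, approval moves it to Deferred for the requested period, rejection restores the prior state with a work note, and expiry returns it to Open) can be written down as a small state machine. The following is an added example, not ServiceNow code and not a model of its tables or APIs; the state names are the ones used on this page, the `requested_days` and `exception_until` fields are assumptions made for the illustration, and the sample task is constructed.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# State names as used on this page.
OPEN = "Open"
IN_REVIEW = "In review"
DEFERRED = "Deferred"


@dataclass
class RemediationTask:
    """Minimal model of a remediation task with one exception request at a time."""
    name: str
    state: str = OPEN
    prior_state: Optional[str] = None      # restored if the request is rejected (assumption)
    requested_days: int = 0                # deferral period asked for (assumption)
    exception_until: Optional[date] = None # end of the approved deferral (assumption)
    work_notes: List[str] = field(default_factory=list)


def request_exception(task: RemediationTask, days: int, reason: str) -> None:
    """Remediation owner asks to defer remediation; task waits in 'In review'."""
    if task.state in (IN_REVIEW, DEFERRED):
        raise ValueError(f"{task.name} is {task.state}; cannot request another exception")
    if days <= 0:
        raise ValueError("deferral period must be positive")
    task.prior_state = task.state          # remember where to go back to on rejection
    task.requested_days = days
    task.state = IN_REVIEW
    task.work_notes.append(f"Exception requested for {days} days: {reason}")


def approve_exception(task: RemediationTask, today: date, approver: str) -> None:
    """Approver accepts the risk; task is deferred until the period ends."""
    if task.state != IN_REVIEW:
        raise ValueError(f"{task.name} is not in review")
    task.state = DEFERRED
    task.exception_until = today + timedelta(days=task.requested_days)
    task.prior_state = None
    task.work_notes.append(
        f"Exception approved by {approver}; deferred until {task.exception_until}"
    )


def reject_exception(task: RemediationTask, comment: str) -> None:
    """Approver rejects; task returns to its prior state, comment goes to work notes."""
    if task.state != IN_REVIEW:
        raise ValueError(f"{task.name} is not in review")
    task.state = task.prior_state or OPEN
    task.prior_state = None
    task.requested_days = 0
    task.work_notes.append(f"Exception rejected: {comment}")


def check_expiry(task: RemediationTask, today: date) -> bool:
    """Return True (and reopen the task) once an approved deferral has lapsed."""
    if task.state == DEFERRED and task.exception_until and today >= task.exception_until:
        task.state = OPEN
        task.exception_until = None
        task.requested_days = 0
        task.work_notes.append("Exception expired; task reopened for remediation")
        return True
    return False


def walk_lifecycle() -> RemediationTask:
    """Constructed sample run through reject, re-request, approve and expiry."""
    task = RemediationTask("RT-sample")           # constructed, not a real record
    request_exception(task, 30, "no vendor fix available")
    reject_exception(task, "mitigation not documented")   # back to Open
    request_exception(task, 30, "compensating control in place")
    approve_exception(task, date(2024, 1, 1), "approver@example")
    check_expiry(task, date(2024, 1, 30))         # still deferred
    check_expiry(task, date(2024, 1, 31))         # period over: back to Open
    return task


if __name__ == "__main__":
    for note in walk_lifecycle().work_notes:
        print(note)
```

Two details worth keeping in any such model: rejection must restore the state the task had before the request rather than unconditionally setting Open, and expiry must be checked by a scheduled pass rather than on the next user action, otherwise a deferred task can silently outlive its approved period.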