Exception Management Overview

  • Release version: Yokohama
  • Updated August 1, 2025

When your organization can't comply with a published finding, or with a security policy, standard, or guideline, you can request an exception. Exception management covers requesting, reviewing, approving, and rejecting exceptions for a finding or remediation task (RT) that can't be remediated.

Some findings have no available patch, fix, or workaround. Approving an exception is a risk-acceptance decision: the approver acknowledges the consequences of leaving the finding unremediated for the deferral period and agrees to carry them. The exception changes how the finding is tracked, not the underlying exposure.

Exception Management lets administrators handle, configure, and review exception cases in the Security Exposure Management Administration Console. Navigate to it from Workspaces > Security Exposure Management Workspace > Administration > Exception Management.

The Exception Management landing page shows the exception management configuration for all four apps: Vulnerability Response, Configuration Compliance, Application Vulnerability Response, and Container Vulnerability Response. From here you can create a new questionnaire, or design your own from the templates in the Smart Assessment workspace, to gather the context that reviewers such as the Vulnerability Manager, Business Unit Head, or Service Owners need when assessing exception requests.

You can personalize the columns and rows using the settings icon on the right.

The lifecycle of an exception

    Definition of an exception
    An exception is a request to defer the remediation of a finding or remediation task for a specified period. For example, as a remediation owner, you can request an exception if a patch isn’t available for a machine.
    Requesting an exception
As the remediation owner, you request an exception for a finding or remediation task through the exception management process. Once the exception approver approves the request, the finding or remediation task moves to the Deferred state.
    Approving an exception request
A vulnerability manager or business analyst reviews findings or remediation tasks that can't be remediated immediately, assesses the risk, and approves deferral until remediation is possible. Approval rules are determined by the configured approvers and approver levels, and a request can follow a multi-level approval workflow if one is defined. If no approver is configured for a request type, requests of that type can't be submitted. Once all required approvals are obtained, the request transitions to the state appropriate for its request type. Approvers are typically the Vulnerability Manager or business users assigned the appropriate Approver role.
    Tracking an exception request
After raising an exception request, track its status on the Change Approvals tab of the finding or remediation task. If the action is taken on a remediation task, the status applies to the task as a whole; you can't track the individual findings within that task separately.
    Expiry of an exception request
When the exception for a finding or remediation task expires, the finding or remediation task reverts to the Open state. It is once again counted as open exposure and must either be remediated or have a new exception requested.
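To make the lifecycle above concrete, here is an added example that models its rules as a small state machine: a request can't be submitted without configured approvers, approvals proceed level by level and only by a role configured for that level, full approval moves the finding to Deferred with an expiry date, and expiry reverts it to Open. This is illustrative code written for this page, not ServiceNow's implementation; it uses none of the platform's tables, APIs, or state names, and the class names, approver roles, deferral period, and sample dates are assumptions.

```python
# Added example, not ServiceNow code: a small model of the exception lifecycle
# described in this section. It uses none of the platform's tables, APIs or
# state names; class names, approver roles, deferral period and sample dates
# are assumptions made for the illustration.
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import Optional


class FindingState(Enum):
    OPEN = "Open"
    DEFERRED = "Deferred"


class RequestState(Enum):
    DRAFT = "Draft"
    PENDING = "Pending approval"
    APPROVED = "Approved"
    REJECTED = "Rejected"


@dataclass
class Finding:
    name: str
    state: FindingState = FindingState.OPEN


@dataclass
class ExceptionRequest:
    finding: Finding
    requested_by: str
    justification: str
    # Ordered approver levels; each level names the roles allowed to act on it.
    approver_levels: list[set[str]] = field(default_factory=list)
    defer_days: int = 90
    state: RequestState = RequestState.DRAFT
    approvals: list[tuple[int, str]] = field(default_factory=list)
    expires_on: Optional[date] = None

    def submit(self) -> RequestState:
        # Rule from the text: with no approver configured, the request can't be submitted.
        if not self.approver_levels:
            raise ValueError("no approver configured for this request type; cannot submit")
        self.state = RequestState.PENDING
        return self.state

    def _check_approver(self, approver_role: str) -> int:
        """Return the index of the level awaiting action, after validating state and role."""
        if self.state is not RequestState.PENDING:
            raise ValueError(f"request is {self.state.value}, not pending")
        level = len(self.approvals)
        if approver_role not in self.approver_levels[level]:
            raise PermissionError(f"{approver_role!r} is not an approver at level {level + 1}")
        return level

    def approve(self, approver_role: str, today: date) -> RequestState:
        level = self._check_approver(approver_role)
        self.approvals.append((level + 1, approver_role))
        if len(self.approvals) == len(self.approver_levels):
            # All levels approved: risk accepted, finding deferred until expiry.
            self.state = RequestState.APPROVED
            self.finding.state = FindingState.DEFERRED
            self.expires_on = today + timedelta(days=self.defer_days)
        return self.state

    def reject(self, approver_role: str) -> RequestState:
        self._check_approver(approver_role)
        self.state = RequestState.REJECTED  # the finding stays Open
        return self.state

    def check_expiry(self, today: date) -> FindingState:
        # Rule from the text: an expired exception reverts the finding to Open.
        # Assumption: the exception counts as expired on expires_on itself.
        if (self.state is RequestState.APPROVED and self.expires_on is not None
                and today >= self.expires_on):
            self.finding.state = FindingState.OPEN
        return self.finding.state


def run_lifecycle() -> list[tuple[str, str]]:
    """Walk one constructed request through two approval levels and past expiry."""
    finding = Finding("sample-host: missing vendor patch")  # constructed sample finding
    request = ExceptionRequest(
        finding, requested_by="remediation owner", justification="no patch available",
        approver_levels=[{"vulnerability_manager"}, {"business_unit_head"}], defer_days=30,
    )
    trail = []
    request.submit()
    trail.append(("submitted", finding.state.value))
    request.approve("vulnerability_manager", date(2025, 8, 1))
    trail.append(("level 1 approved", finding.state.value))
    request.approve("business_unit_head", date(2025, 8, 1))
    trail.append(("level 2 approved", finding.state.value))
    trail.append(("day before expiry", request.check_expiry(date(2025, 8, 30)).value))
    trail.append(("expiry date", request.check_expiry(date(2025, 8, 31)).value))
    return trail
```

Calling run_lifecycle() returns the finding's state after each step: it stays Open until the last configured level has approved, becomes Deferred, and reverts to Open once the expiry date is reached. Note that a partially approved request leaves the finding Open, which matches the page's point that an exception changes the tracking state only once approval is complete.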