Are exceptions (cannot remediate) formally requested, approved by risk owner, time-bound, and tracked?
Description
What this control does
This control ensures that when security vulnerabilities, policy violations, or compliance gaps cannot be remediated within normal timelines, a formal exception process is followed. The process requires a written justification, approval by a designated risk owner (typically the business or system owner who is accountable for the asset), documented compensating controls, and a defined expiration date. All active exceptions must be tracked in a centralized register and reviewed periodically to confirm that they remain appropriate and time-limited.
Control objective
What auditing this proves
Demonstrate that all security and compliance exceptions are formally requested with business justification, explicitly approved by accountable risk owners, subject to time constraints, and actively tracked until remediation or renewal.
Associated risks
Risks this control addresses
- Unapproved technical debt accumulates as teams self-authorize persistent security gaps without management visibility
- Critical vulnerabilities remain unpatched indefinitely due to informal verbal approvals that lack documented accountability
- Attackers exploit known weaknesses that were accepted as exceptions without compensating controls or expiration dates
- Compliance violations persist beyond reasonable business need because exception grants have no review or renewal cycle
- Risk owners are unaware of residual risks accepted on their behalf, preventing informed decision-making
- Exception inventory becomes stale as systems change but exception records are never revisited or closed
- Audit findings reveal that informal exception practices create liability and weaken the overall security posture
Testing procedure
How an auditor verifies this control
- Obtain the current exception register or tracking system containing all active security and compliance exceptions
- Select a representative sample of 15-20 exceptions spanning different risk severities, exception types, and business units
- For each sampled exception, verify the presence of a formal written request documenting the issue, business justification, and requester identity
- Confirm that each exception includes documented approval, by signature or electronic authorization, from a designated risk owner who holds the appropriate authority
- Validate that each exception record includes an explicit expiration date or next review date limiting its duration
- Cross-reference a sample of recent vulnerability scans, policy audit findings, or configuration assessments to identify issues that should have triggered exception requests
- Review evidence that the exception register is periodically reviewed (at least quarterly) with closed, expired, or renewed exceptions documented
- Interview risk owners for a subset of exceptions to confirm their awareness of accepted risks and approval authority
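The record-level checks in the testing procedure above can be run automatically over an exception register. The following is an added example, not part of this control's text or of any GRC product: the register fields, the risk-owner list and the sample entries are constructed assumptions, and the self-approval check is an added separation-of-duties test beyond the steps listed above.

```python
"""Audit an exception register against this control's requirements (added example)."""
from datetime import date, timedelta

# Constructed sample data: field names and addresses are assumptions, not a real schema.
RISK_OWNERS = {"cio@example.test", "svc-owner-payments@example.test"}
REVIEW_INTERVAL = timedelta(days=90)  # "at least quarterly"

REGISTER = [
    {"id": "EXC-001", "issue": "Unpatched legacy app (constructed)", "justification": "Vendor patch pending",
     "requester": "dev-lead@example.test", "approver": "cio@example.test",
     "approved_on": date(2024, 1, 10), "expires_on": date(2024, 7, 10),
     "compensating_controls": ["WAF rule", "network isolation"], "last_reviewed": date(2024, 4, 2)},
    {"id": "EXC-002", "issue": "TLS 1.0 on internal service (constructed)", "justification": "",
     "requester": "ops@example.test", "approver": "ops@example.test",
     "approved_on": date(2023, 6, 1), "expires_on": None,
     "compensating_controls": [], "last_reviewed": date(2023, 6, 1)},
]

def audit_exception(exc, today, risk_owners=RISK_OWNERS):
    """Return the list of findings for one exception; an empty list means it passes."""
    findings = []
    if not exc.get("justification"):
        findings.append("missing business justification")
    if not exc.get("requester"):
        findings.append("missing requester identity")
    if not exc.get("approver") or not exc.get("approved_on"):
        findings.append("no documented approval")
    elif exc["approver"] not in risk_owners:
        findings.append("approver is not a designated risk owner")
    if exc.get("approver") and exc.get("approver") == exc.get("requester"):
        findings.append("self-approved: requester and approver are the same")
    if not exc.get("expires_on"):
        findings.append("no expiration date")
    elif exc["expires_on"] < today:
        findings.append("expired but still active")
    if not exc.get("compensating_controls"):
        findings.append("no compensating controls documented")
    last = exc.get("last_reviewed")
    if last is None or today - last > REVIEW_INTERVAL:
        findings.append("not reviewed within the last quarter")
    return findings

def audit_register(register, today):
    """Map each exception id to its findings so every gap is visible at once."""
    return {exc["id"]: audit_exception(exc, today) for exc in register}

if __name__ == "__main__":
    for exc_id, findings in audit_register(REGISTER, date(2024, 5, 1)).items():
        print(exc_id, "OK" if not findings else "; ".join(findings))
```

Running the same register with a later `today` shows how an exception that passed in May becomes an "expired but still active" finding once its expiration date is reached.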