Exception requests should be submitted when adherence to a USNH Cybersecurity Standard or Policy is not possible for technical reasons. Examples of exception requests include but are not limited to a blocked website, a device that cannot be upgraded due to specialized instrumentation software, a required security tool is not supported by an OS or application, a legacy operating system is required for educational purposes, or a lab environment requires modified security controls.
Exception requests are reviewed on a case-by-case basis, so it is important to provide as much information as possible to support your request, including a description of the compensating controls that will provide protection. Approved exceptions are assigned an expiration date within 30, 60, or 90 days to allow time for developing a solution. If a solution cannot be determined or implemented within the timeframe, then the risk exception may move into the process for risk acceptance.