PQC approved exception management guide

Not every PQC migration finding can be fixed immediately. Exception management keeps temporary risk visible, owned, approved, time-bound, and connected to evidence.

When an approved exception is reasonable

Use approved exceptions for temporary, understood risk where remediation is planned, blocked, staged, or dependent on a third party.

What every approved exception needs

  • Owner and approving policy context.
  • Rationale and affected scope.
  • Linked policy and triggered control.
  • Expiry date and review cadence.

What to avoid

Avoid open-ended spreadsheet exception records that lose approving policy context, ownership, evidence, and expiry as the migration changes.

How to show progress

Track which approved exceptions are still active, which have expired, which are remediated, and which systems remain affected.

Approval workflow

1. Request

Describe the blocked finding

Link the request to the affected policy, control, application or service, and remediation owner.

2. Review

Decide whether risk is acceptable

Check rationale, compensating controls, affected scope, expiry, and whether remediation has a credible path.

3. Approve

Record the policy decision

Capture approver, approving policy context, evidence required before renewal, and the date the decision expires.

4. Close or renew

Force the next decision

Close the exception when remediated, or require fresh evidence and a new approval before renewal.

Approved exception request template

Finding or control

Which policy, triggered rule, and application/service does this request cover?

Affected scope

List systems, environments, certificates, gateways, and users affected.

Business rationale

Explain why remediation cannot happen immediately and what dependency blocks it.

Compensating controls

Describe monitoring, isolation, reduced exposure, or process controls in place.

Owner and approver

Name the remediation owner and the person or group approving the exception.

Expiry and review

Set an expiry date, review cadence, and evidence required before renewal.
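The workflow above (request, review, approve, close or renew), the request template, and the progress view described under "How to show progress" all operate on the same record, so they can be modelled as one small lifecycle. The following Python is an added example written for this guide, not Crypto Posture's code or data model; the field names, the control identifier, hostnames, dates and team names are constructed for illustration. It validates a request against the template fields, derives the active/expired/remediated state, computes the next review date, summarises progress across records, and refuses a renewal that arrives without fresh evidence or a future expiry.

```python
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class ApprovedException:
    """One approved exception, carrying every field the request template asks for.
    All names here are constructed for this example, not Crypto Posture's schema."""
    exception_id: str
    policy: str                      # linked policy template
    control: str                     # triggered rule the exception covers
    service: str                     # application or service
    scope: tuple[str, ...]           # systems, environments, certificates, gateways, users
    rationale: str                   # why remediation cannot happen now and what blocks it
    compensating_controls: tuple[str, ...]
    owner: str                       # remediation owner
    approver: str                    # person or group that approved
    approved_on: date
    expires_on: date
    review_cadence_days: int
    evidence_required: str           # what must be produced before renewal
    remediated_on: Optional[date] = None
    last_reviewed_on: Optional[date] = None
    renewal_evidence: tuple[str, ...] = ()


REQUIRED_TEXT_FIELDS = ("policy", "control", "service", "rationale",
                        "owner", "approver", "evidence_required")


def missing_fields(exc: ApprovedException) -> list[str]:
    """Request/review gate: template fields the record leaves empty or unusable."""
    missing = [name for name in REQUIRED_TEXT_FIELDS if not getattr(exc, name)]
    if not exc.scope:
        missing.append("scope")
    if exc.expires_on <= exc.approved_on:
        # an expiry that never forces a decision is the open-ended spreadsheet failure mode
        missing.append("expires_on")
    return missing


def status(exc: ApprovedException, today: date) -> str:
    """Lifecycle state used for progress reporting."""
    if exc.remediated_on is not None:
        return "remediated"
    if today > exc.expires_on:
        return "expired"
    return "active"


def next_review_on(exc: ApprovedException) -> date:
    """Next periodic review, never later than the expiry itself."""
    anchor = exc.last_reviewed_on or exc.approved_on
    return min(anchor + timedelta(days=exc.review_cadence_days), exc.expires_on)


def progress(records, today: date):
    """Counts per state plus the systems still covered by an unremediated exception."""
    counts = {"active": 0, "expired": 0, "remediated": 0}
    still_affected: set[str] = set()
    for exc in records:
        state = status(exc, today)
        counts[state] += 1
        if state != "remediated":
            still_affected.update(exc.scope)
    return counts, sorted(still_affected)


def renew(exc, today: date, new_expiry: date, evidence: str, approver: str):
    """Close-or-renew step: renewal needs fresh evidence and a new approval, never a silent rollover."""
    if exc.remediated_on is not None:
        raise ValueError("remediated exceptions are closed, not renewed")
    if not evidence:
        raise ValueError(f"renewal requires evidence: {exc.evidence_required}")
    if new_expiry <= today:
        raise ValueError("new expiry must be in the future")
    return replace(exc, approved_on=today, approver=approver, expires_on=new_expiry,
                   last_reviewed_on=today,
                   renewal_evidence=exc.renewal_evidence + (evidence,))


def close(exc, remediated_on: date):
    """Close-or-renew step, the other branch: remediation closes the exception."""
    return replace(exc, remediated_on=remediated_on)


# Constructed sample records (identifiers, hostnames and dates invented for this example).
TODAY = date(2025, 6, 1)

EXC_GATEWAY = ApprovedException(
    exception_id="EX-001", policy="TLS key exchange baseline",
    control="tls.kex.classical_only", service="payments-gateway",
    scope=("gw-01", "gw-02", "cert:payments.example.test"),
    rationale="Vendor load balancer firmware has no PQC-capable build until Q3",
    compensating_controls=("internal-only listener", "weekly certificate inventory check"),
    owner="platform-team", approver="crypto-governance-board",
    approved_on=date(2025, 1, 15), expires_on=date(2025, 7, 1),
    review_cadence_days=90, evidence_required="vendor release note for PQC-capable firmware",
)
EXC_VPN = replace(EXC_GATEWAY, exception_id="EX-002", service="remote-access-vpn",
                  scope=("vpn-01",), expires_on=date(2025, 3, 31))
EXC_HSM = replace(EXC_GATEWAY, exception_id="EX-003", service="signing-service",
                  scope=("hsm-01",), remediated_on=date(2025, 5, 20))

if __name__ == "__main__":
    print(progress([EXC_GATEWAY, EXC_VPN, EXC_HSM], TODAY))
```

Running it reports one active, one expired and one remediated exception, with the gateway hosts, the gateway certificate and the VPN host still affected. The expired VPN record stays expired until `renew` is called with evidence and a future expiry; a renewal without evidence is rejected rather than quietly extended.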

Keep approved exceptions connected to the baseline

Crypto Posture keeps approved exception decisions connected to applications, services, policy templates, evaluation records, remediation work, and evidence snapshots.