To learn more about Exception Plans, please read the following:
This article will explain the steps and lifecycle of an Exception Plan from creation to expiration.
[Image: the daily workflow process by persona swimlane]
We'll be going over the Exception Plan workflow in this document.
Exception Plan Review Setting
Admins can configure their platform to either automatically approve all exception plan requests (by leaving the Exception Plan Review setting turned off) or require that all exception plans be reviewed and manually approved (by enabling the Exception Plan Review setting).
We will note what happens when the setting is either enabled or disabled in the items below.
Exception Plan is Created, i.e. Submitted
An Exception Plan can be created from four places, all the same way:
- Prioritize Page: Select one or more vuln instances, vulnerabilities, or targets and click Create Exception Plan.
- A Vuln Instance Details page: Open a specific vuln instance's details page; if the instance is not already in a plan, a blue Create Exception Plan button is shown, which you can press.
- A Remediation Plan Details page: Go to Remediate, find a Remediation Action and open its details page to see its list of Remediation Plans. Open a specific Remediation Plan's details page from that list and you will be shown the vuln instances inside that plan. You can select one or more instances and create an Exception Plan with them. The Exception Plan created will reference the Remediation Plan these instances came from.
- An Attack Path Details page: Go to Attack Paths, find a path you're interested in and you can create an Exception Plan of items from that path.
Exception Review Disabled:
- Once a plan is created it will automatically move from Submitted to Approved.
Exception Review Enabled:
- Once a plan is created its status will become Submitted.
Exception Plan is Approved or Denied
Exception Review Disabled:
- Once a plan is created it will automatically move from Submitted to Approved.
- All vuln instances in the exception plan will have their status change from OPEN to RISK_ACCEPTED or FALSE_POSITIVE depending on the exception plan type.
Exception Review Enabled:
- Once a plan is created its status will become Submitted.
- It will remain in Submitted status until either it is Approved, Denied, or Expired.
- While in Submitted status, all vuln instances keep their original statuses and continue to be updated by the platform based on scan results. This means that a vuln instance can become CLOSED between the time the plan is submitted and the time it is approved or denied.
Review Process
- Users with the permission of: Exception Plan Edit, may approve or deny exception plans.
- By default, the Admin, Manager, and Exception Manager role types have this permission enabled.
- Custom roles may enable this permission.
- Users may go to the Remediate Page and filter by the teams they would like to review for open/submitted Exception Plans.
- Once they review the Exception Plan details they may choose to Approve or Deny the plan.
Exception Plan is Cancelled
Exception Review Disabled:
- Privileged users may cancel an approved plan by clicking Cancel on the Remediation Plan level.
Exception Review Enabled:
- Privileged users may cancel an approved plan by clicking Cancel on the Remediation Plan level.
Exception Plan is Expired
Exception Review Disabled:
- When the exception plan expiration date is reached the plan will move from Approved or Submitted to Expired.
- All vuln instances in the plan will be released from the plan and their statuses will revert from RISK_ACCEPTED or FALSE_POSITIVE to OPEN if still open, or remain CLOSED if validated by the scanner as closed.
Exception Review Enabled:
- When the exception plan expiration date is reached the plan will move from Approved or Submitted to Expired.
- All vuln instances in the plan will be released from the plan and their statuses will revert from RISK_ACCEPTED or FALSE_POSITIVE to OPEN if still open, or remain CLOSED if validated by the scanner as closed.
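As an added illustration (not code from the platform or from this article), the lifecycle above modelled as a small state machine in Python: the Exception Plan Review setting decides whether a new plan stays in Submitted or moves straight to Approved, approval moves OPEN instances to the plan type, and expiry releases them back to OPEN while CLOSED stays CLOSED. Two points are assumptions rather than statements from the article: an instance a scan already CLOSED is left CLOSED at approval time, and cancellation is not modelled because the article does not say how instance statuses are handled.

```python
from dataclasses import dataclass, field
from datetime import date
from enum import Enum

class PlanStatus(Enum):
    SUBMITTED, APPROVED, DENIED, CANCELLED, EXPIRED = range(5)

@dataclass
class VulnInstance:
    name: str
    status: str = "OPEN"    # OPEN, RISK_ACCEPTED, FALSE_POSITIVE or CLOSED

@dataclass
class ExceptionPlan:
    plan_type: str          # "RISK_ACCEPTED" or "FALSE_POSITIVE"
    instances: list
    expires: date
    review_required: bool   # the Exception Plan Review setting
    status: PlanStatus = field(init=False)

    def __post_init__(self):
        # A new plan is Submitted; with review disabled it moves straight to Approved.
        self.status = PlanStatus.SUBMITTED
        if not self.review_required:
            self.approve()

    def approve(self):
        if self.status is not PlanStatus.SUBMITTED:
            raise ValueError("only a Submitted plan can be approved")
        self.status = PlanStatus.APPROVED
        for v in self.instances:
            # Assumption: instances a scan already CLOSED stay CLOSED; only OPEN ones take the plan type.
            if v.status == "OPEN":
                v.status = self.plan_type

    def deny(self):
        if self.status is not PlanStatus.SUBMITTED:
            raise ValueError("only a Submitted plan can be denied")
        self.status = PlanStatus.DENIED  # instances keep their own statuses

    def check_expiry(self, today: date) -> bool:
        # At the expiration date a Submitted or Approved plan becomes Expired and
        # releases its instances: excepted ones revert to OPEN, CLOSED stays CLOSED.
        if today < self.expires or self.status not in (PlanStatus.SUBMITTED, PlanStatus.APPROVED):
            return False
        self.status = PlanStatus.EXPIRED
        for v in self.instances:
            if v.status in ("RISK_ACCEPTED", "FALSE_POSITIVE"):
                v.status = "OPEN"
        return True
```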