
Security Policy Exception

Request for an exception for issues identified through a vulnerability scan, or for another compliance issue, that can't be resolved. The request must include a plan to mitigate the vulnerability.

EOTSS End User and IT Service Support


Support for Commonwealth end users and IT support personnel

The Details of Security Policy Exception

Features for Security Policy Exception

Compliance with enterprise security and standards is mandatory for the Executive Department including all executive offices, boards, commissions, agencies, departments, divisions, councils, and bureaus. In addition to enterprise security and standards, the vulnerability management program scans various environments and must comply with the standards.

A policy exception may be granted only if the benefits of the exception outweigh the increased risks, as determined by the Commonwealth CISO.

Pricing for Security Policy Exception

There is no charge for this service.

How to request Security Policy Exception

Service Level Expectation (SLE) for Security Policy Exception

Security Policy Exception


Fulfillment: Due to the variable nature of this request item, fulfillment time will differ on a case-by-case basis. The SLE will be communicated following the finalization of customer requirements.


  • Responsible for adhering to the EOTSS Standard Rules of Engagement.
  • Responsible for submitting accurate information to EOTSS during the intake and discovery process.
  • Sharing complete requirements will ensure that accurate SLEs are provided and met.
  • Responsible for including a plan to mitigate the identified risks when submitting a request for this service.
  • Upon receiving approval from the Enterprise Risk Management Team, customers are responsible for initiating a new request for implementation. The ERM approval document should be attached to the implementation request.


  • Responsible for coordinating discovery meeting(s) with the customer.
  • Once all requirements are collected/finalized following intake and discovery, EOTSS will determine the appropriate SLE for the request and communicate it to the customer.
  • Responsible for providing a ruling on the exception pending review of the request.
  • For approved requests ONLY: Responsible for communicating the decision to the customer and providing the exception expiration date.

Policies for Security Policy Exception

Contact for Security Policy Exception
