Request a Compliance Exception

Minimum Security Standards exception requests are handled separately for endpoints (laptops, desktops, and mobile devices) versus servers and applications. These are the process and acceptance criteria for each.

Review the Endpoints section to learn whether you might qualify for an exception for your laptop, desktop, or mobile device and how to request an exception.

Endpoints

Endpoint security exceptions are allowed when adherence to the Minimum Security Standards is not possible for technical reasons. Exceptions are not granted on the basis of device ownership, concerns about system performance impact, or unlikely access to High Risk Data.

These are examples of exception requests that are typically approved for endpoints:

A physically anchored desktop computer dedicated to directly controlling scientific research equipment that cannot be upgraded due to specialized software that is unavailable on an operating system that supports encryption.
A computer running an OS that has been sunsetted (ie. Mac OS 10.14) that cannot be upgraded due to specialized software. Please be able to provide written justification from the vendor stating that the software requires the specific OS. These device should still have SWDE/VLRE installed.
A classroom or kiosk computer that is re-imaged daily, physically secured, and does not copy email or other files in bulk locally.

Note: Linux systems are currently not supported by Stanford's management software. Until verifiable encryption is supported, these devices should not be used to store, process, or transmit Protected Health Information or other Moderate or High Risk Data without a formal exception.

How to submit an endpoint exception request

Because exception requests are reviewed on a case-by-case basis, it is important to provide as much information as possible to support your request, including a description of the compensating controls that will provide equivalent protection. Approved exceptions are assigned an expiration date to ensure that the request is reviewed later for validity and necessity.

Go to MyDevices or click the button below to submit a temporary endpoint exception request. Please allow five business days for your request to be processed.
Locate the device for which you are requesting the compliance exception and click the link to view device details.
Click the red Actions button and select the “Request Compliance Exception” option.
Provide your justification for requesting the exception in the form provided.
After completing the form, submit your request. You will receive a confirmation message that indicates your submission was successful.

Submit a temporary endpoint exception request

Track the request status

After you’ve submitted the endpoint exception request, you can track its status in MyDevices under the “Exception Requests” section.

Select your device from the Devices list, then scroll or click the link to the "Exceptions Requests" section.
Under the “Exception Requests” section, click the Actions button and select “View Request” to see the full details of the request.

Servers and Applications

Server and application exceptions are allowed when adherence to the Minimum Security Standards is not possible for technical reasons.

Examples of Server and Application Exception Requests

These are examples of exception requests that are typically approved for servers and applications:

A required security tool is not supported by an (up-to-date) OS or application.
An OS or application cannot be updated because of a critical dependency on version.
No updates are available for a vendor supported system.
A system does not support password complexity requirements.

How to submit a server or application exception request

Click the button to submit a server or application exception request. Allow five business days to process your request.

Submit a temporary server/application exception request