Do I need to submit Compensating Control Requests and Exception Requests for a device or device type separately?
Compensating Control Requests and Exception Requests should be submitted separately for each standard. The reason is that the consideration process for the two is different, and the risk in allowing and approving exceptions is often greater. An exception is also an admission that a solution cannot be implemented or does not exist for a standard element, and it implies greater risk. As with multiple Compensating Control Requests for a device or device type, Exception Requests can be grouped by standard to include multiple elements in a single request. For example: I need a Compensating Control Request for the MCSS Firewall and Authorizations elements and an Exception for the Patching and Anti-Malware elements, so I submit two requests: a single Compensating Control Request containing both elements and their solutions, and a single Exception Request containing both elements and the justification/description of risk.