...
Compliance with recommendations is not necessary to claim compliance with this standard. It is possible, however, to claim compliance with recommendations (especially in cases in which compliance can be verified).
Deviation Procedure
Strict adherence to all rules is unlikely. Consequently, deviations associated with individual situations are permissible.
Deviations may occur for a specific instance, typically in response to circumstances that arise during the development process, or for a systematic use of a particular construct in a particular circumstance. Systematic deviations are usually agreed upon at the start of a project.
It is recognized that in some instances it may be necessary to deviate from the rules given in this standard. For the rules to have authority, a formal procedure must be used to authorize these deviations rather than an individual programmer having discretion to deviate at will. Every deviation must be justified on the basis of both necessity and security. Rules that have a high severity and/or a high likelihood of resulting in a vulnerability require a more stringent process for agreeing to a deviation than rules and recommendations with a low severity that are unlikely to result in a vulnerability.
To claim compliance with this standard, software developers must be able to produce, on request, documentation of which systematic and specific deviations were permitted during development.
...