...
It is recognized that in some instances it may be necessary to deviate from the rules given in this standard. For the rules to have authority it is necessary that a formal procedure be used to authorize these deviations rather than an individual programmer having discretion to deviate at will. The use of a deviation must be justified on the basis of both necessity and security. Rules that have high severity and/or a high likelihood require a more stringent process for agreeing to a deviation, than rules and recommendations with a low severity that are unlikely to result in a vulnerability.
...