...
Deviation Procedure
Strict adherence to all rules and guidelines is unlikely. Consequently, deviations associated with individual situations are permissible.
Deviations may occur for a specific instance, typically in response to circumstances that arise during the development process, or for a systematic use of a particular construct in a particular circumstance. Systematic deviations are usually agreed upon at the start of a project.
For these secure coding rules and guidelines to have authority, it is necessary that a formal procedure be used to authorize these deviations rather than an individual programmer having discretion to deviate at will. The use of a deviation must be justified on the basis of both necessity and security. Rules that have a high severity and/or a high likelihood require a more stringent process for agreeing to a deviation than do rules with a low severity that are unlikely to result in a vulnerability.
...