...
For these secure coding guidelines to have authority, it is necessary that a formal procedure be used to authorize these deviations rather than an individual programmer having discretion to deviate at will. The use of a deviation must be justified on the basis of both necessity and security. Rules Guidelines that have a high severity and/or a high likelihood require a more stringent process for agreeing to a deviation than do rules with a low severity that are unlikely to result in a vulnerability.
...