Organizations that cannot meet one or more of these provisions may submit a separate written request for approval of an exception as an attachment to this guideline; any request for exception(s) to these Security Guidelines must include information on compensating controls.
Compensating controls are the security measures the requesting organization has in place that do not specifically comply with one or more provisions of the Security Guidelines but address the underlying security requirement referenced in the Security Guidelines provision(s).
Organizations are responsible for mapping their existing certifications and security measures to the SPARCS guidelines. We encourage organizations to review the guidelines thoroughly and identify the provisions requiring exceptions. Supporting documentation demonstrating compliance and detailed compensating controls should be submitted for review and consideration.
If compensating controls are submitted, we are happy to review them prior to the signing of the security guidelines to address any potential concerns.