When working on government projects, security compliance is not a box-ticking exercise—it’s a contractual requirement with real impact on deployment timelines, payment milestones and long-term credibility.
But what happens when a project component doesn’t fully meet the SSCT or Cybersecurity requirements? Are you out of options? Not necessarily.
The Role of Waivers in SSCT or Cybersecurity Compliance
Government security frameworks like Singapore’s Security-by-Design and Security Compliance Testing (SSCT) are strict—but not entirely inflexible. Agencies understand that vendors sometimes face technical constraints, legacy limitations or edge-case scenarios that make full compliance impractical.
That’s where a compliance waiver comes in.
A waiver isn’t a shortcut. It’s a formal justification where a vendor explains why a security requirement can’t be met, and proposes compensating controls to manage the risk. When handled properly, a waiver can help a project move forward without compromising overall security posture.
Common Scenarios That Require Waivers
In our experience working with vendors and system integrators supporting public sector deployments, waiver requests are often triggered by the following:
Weather-Resistant or Ruggedized Devices
Some industrial or outdoor switches are designed for extreme weather but come with stripped-down firmware. Features like protocol hardening or secure management access may be unavailable or non-configurable.
Embedded Systems with Limited Access
Devices like sensors, display panels, or smart lighting controllers often run embedded OSes with no administrator interface. You can’t install agents, configure firewalls or change default services—even if you wanted to.
Legacy Systems from OEM Vendors
Some government projects inherit legacy cameras, building management gateways, or PLCs that no longer receive updates—or cannot be patched without voiding warranty.
Network Constraints
Strict air-gapped or segmented environments may prevent internal vulnerability scanning or cloud-based patching solutions.
Locked or Black-Box Appliances
Third-party appliances may encrypt or restrict OS-level access, preventing changes to account policies, logging configurations, or default credentials.
In most cases, vendors don’t plan for these issues. They only become apparent after procurement is done and compliance testing begins—by then, remediation is costly and timeline-sensitive.
How to Craft a Strong Waiver Justification
A credible waiver doesn’t just say “we can’t do it.” It shows that:
- You understand the risk and implication of non-compliance
- You’ve put in compensating controls to contain or eliminate the risk
- You’re not leaving the system exposed or unmanaged
Here’s how to build a convincing waiver justification:
1. Clearly Identify the Non-Compliant Item
Example:
“The ruggedized outdoor switch (Model XYZ) does not support disabling Telnet or configuring SNMPv3.”
2. Explain Why the Gap Exists
Example:
“This switch is designed for extreme temperature and high-humidity environments. Its firmware has a limited feature set to reduce power draw and ensure long-term resilience. Disabling Telnet or changing SNMP settings is not possible through the available interface.”
3. Assess the Risk (But Don’t Dismiss It)
Example:
“Telnet and SNMPv2 transmit management data in plaintext, exposing them to sniffing or manipulation if the device is on an open or hostile network.”
4. List Specific Compensating Controls
This is the most important part. Show that even though the control isn’t met as specified, the risk is being managed by other means. Examples include:
✔ Network Segmentation
- Device is placed in a management VLAN isolated from production or public traffic
- Only accessible via a jump server with MFA
- ACLs restrict access to authorized internal IPs only
✔ Physical Access Controls
- Device is installed in a secured cabinet or equipment room with restricted access
- Not accessible from public or shared areas
✔ Monitoring & Logging
- Device is actively monitored via NMS
- Any unauthorized access or abnormal behavior triggers alerts
✔ No External Connectivity
- No routing to or from external networks
- Management interface not exposed over WAN or cloud
✔ Operational Controls
- Documented SOP ensures Telnet/SNMP access is only used via secure internal workflows
- Engineers are trained to avoid using insecure protocols when alternatives exist
✔ Future Risk Reduction
- Vendor commits to replacing the device with a hardened version during next upgrade cycle
- Procurement criteria updated to exclude devices lacking modern security features
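Compensating controls such as the management VLAN, the jump-server ACL and active monitoring are only convincing to an auditor if you can produce evidence that they actually hold. The following Python script is an added example, not code from the article or from Perennial. It assumes a generic firewall/flow log format (`src= dst= dport= action=`) and constructed addresses (management VLAN 10.10.99.0/24, legacy switch 10.10.99.20, a single MFA jump server at 10.10.99.5); run over a log export, it flags any Telnet or SNMP session to the switch that was allowed from a source other than the jump server, and counts denied attempts as evidence that the ACL is doing its job.

```python
"""Evidence check for a waiver's compensating controls (example, not the
article's own code): verify that only the authorized jump server reaches a
legacy switch's insecure management services (Telnet/SNMPv2)."""
import ipaddress
import re
from dataclasses import dataclass

# Assumed addressing for this example (not from the article).
MGMT_VLAN = ipaddress.ip_network("10.10.99.0/24")    # isolated management VLAN
LEGACY_SWITCH = ipaddress.ip_address("10.10.99.20")  # the non-compliant device
JUMP_SERVERS = {ipaddress.ip_address("10.10.99.5")}  # MFA-protected jump host
INSECURE_SERVICES = {23: "telnet", 161: "snmp"}      # services the waiver covers

# Generic firewall/flow log format assumed for this example.
LOG_RE = re.compile(r"src=(\S+)\s+dst=(\S+)\s+dport=(\d+)\s+action=(allow|deny)")


@dataclass
class Finding:
    src: str
    service: str
    reason: str


# Constructed sample log: two legitimate jump-server sessions, one session
# from another host in the VLAN, one allowed and one denied attempt from
# outside the VLAN, and one unrelated HTTPS flow.
SAMPLE_LOG = """\
2025-01-01T10:00:01 src=10.10.99.5 dst=10.10.99.20 dport=23 action=allow
2025-01-01T10:00:05 src=10.10.99.5 dst=10.10.99.20 dport=161 action=allow
2025-01-01T10:01:10 src=10.10.99.31 dst=10.10.99.20 dport=23 action=allow
2025-01-01T10:02:00 src=192.168.50.7 dst=10.10.99.20 dport=161 action=allow
2025-01-01T10:03:00 src=192.168.50.7 dst=10.10.99.20 dport=23 action=deny
2025-01-01T10:04:00 src=10.10.99.5 dst=10.10.99.20 dport=443 action=allow
"""


def audit_log(log_text):
    """Return counts plus a list of Findings for sessions that contradict the
    compensating controls. Lines that do not match the format are skipped."""
    result = {"checked": 0, "blocked": 0, "findings": []}
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # unrelated or malformed record
        src, dst, dport, action = m.group(1), m.group(2), int(m.group(3)), m.group(4)
        if dport not in INSECURE_SERVICES:
            continue  # not one of the services the waiver is about
        service = INSECURE_SERVICES[dport]
        try:
            if ipaddress.ip_address(dst) != LEGACY_SWITCH:
                continue  # traffic to some other host
            src_ip = ipaddress.ip_address(src)
        except ValueError:
            # An unparseable address on an insecure port deserves a look.
            result["findings"].append(Finding(src, service, "unparseable address"))
            continue
        result["checked"] += 1
        if action == "deny":
            result["blocked"] += 1  # ACL enforced the restriction
            continue
        if src_ip not in MGMT_VLAN:
            result["findings"].append(
                Finding(src, service, "source outside management VLAN"))
        elif src_ip not in JUMP_SERVERS:
            result["findings"].append(
                Finding(src, service, "source is not an authorized jump server"))
    return result


if __name__ == "__main__":
    report = audit_log(SAMPLE_LOG)
    print(f"sessions checked: {report['checked']}, blocked by ACL: {report['blocked']}")
    for f in report["findings"]:
        print(f"ALERT {f.service} from {f.src}: {f.reason}")
```

A clean run (no findings, some denied attempts) is the kind of artifact worth attaching to the waiver under “Monitoring & Logging”; any finding is a gap in the ACL or VLAN design that should be closed before the waiver is submitted.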
5. Reinforce That Risk Is Acceptable
Example:
“While the device does not support SNMPv3, the risk of credential compromise is mitigated by network-level restrictions, physical security and active monitoring. The residual risk is minimal, and no sensitive data traverses the device.”
How Perennial Helps
Many vendors we support are specialists in hardware integration, systems delivery, CCTV or Building Management—but are not always familiar with cybersecurity frameworks or government audit expectations.
At Perennial, we provide technical advisory and project-level support to:
- Identify Cybersecurity (SSCT) gaps early through configuration audits
- Craft waiver justifications with risk-based reasoning
- Propose alternative or layered controls
- Engage stakeholders to clarify intent, avoid over-remediation and ensure expectations are met
- Help vendors avoid costly remediation and delayed deployments
Waivers Aren’t a Weakness—They’re a Smart Response
A waiver doesn’t mean you failed—it means you’re handling complexity with transparency and accountability. When well-documented and aligned with a security-first mindset, waivers demonstrate maturity, responsibility, and stakeholder trust.
Need Help with Waiver Justifications?
At Perennial Consultancy, we’ve helped vendors navigate SSCT audits across BMS, CCTV, AV, networking and smart infrastructure systems. We speak the language of both engineers and auditors, and we know how to balance security, feasibility, and project delivery.
Visit our site or talk to us today before audit findings turn into project blockers.