Is there any way to create an exception rule for a compliance scan? Meaning, if there is a setting that will fail a CIS rule for Cisco IOS - because that is how it is deliberately configured on a network device - is there a way that a compliance scan will KNOW that is an exception to a rule, and not flag it as a compliance violation?

If not, is there a way to avoid using the particular compliance rule for checking (for example, commenting out scan rule), or some other way that makes sense to easily differentiate "false positive" scan results?

Many thanks for any responses.