--- title: "Generate ConMon (Continuous Monitoring) Report" slug: "generate-conmon-continuous-monitoring-report" updated: 2025-12-19T22:43:32Z published: 2025-12-19T22:43:32Z canonical: "help.nucleussec.com/generate-conmon-continuous-monitoring-report" --- > ## Documentation Index > Fetch the complete documentation index at: https://help.nucleussec.com/llms.txt > Use this file to discover all available pages before exploring further. # Generate ConMon (Continuous Monitoring) Report ### Generate a ConMon Report It’s not only possible to manage the POA&Ms themselves inside of Nucleus, but it is also possible to export the POA&Ms with all the updates into a ConMon report. This allows you to leverage your existing work and make the actual generation of the report a button click. You can set up this report to either run one time manually, or to set it up on a schedule to run at a time of your choosing and email the report to you. To generate the report, you will navigate to the **“Vulnerabilities > Active”**page,and click the “Reports” dropdown. Find the “POA&M Continuous Monitoring Report” option and select it. **Report Generation** ![](https://cdn.document360.io/3888970a-6501-459e-acc9-c47b71c6d64c/Images/Documentation/image(367).png) In the modal, select which options you would like to generate a report for. By default, the report will generate for all findings that have POA&Ms. If you’d like to manage multiple scopes in the same Nucleus instance, you can filter the report based on a variety of asset criteria, such as [Asset Groups](/v1/docs/asset-groups), which allows for flexibility in reporting. #### Report Version By default, Nucleus supports generating the FedRAMP Revision 5 (version 2.1) of the[POA&M template](https://view.officeapps.live.com/op/view.aspx?src=https%3A%2F%2Fwww.fedramp.gov%2Fassets%2Fresources%2Ftemplates%2FFedRAMP-POAM-Template.xlsx&wdOrigin=BROWSELINK). The previous version (Revision 4) of the template is also available as an option if required under **Options.**If the box is not checked Nucleus will generate a FedRAMP Revision 5 template. **Report Export Options** ![POA&M Continuous Monitoring Report Options](https://cdn.document360.io/3888970a-6501-459e-acc9-c47b71c6d64c/Images/Documentation/Export Modal.png) POA&M Continuous Monitoring Report Options **Note**: You have the option of including evidence files in the export of the report. Nucleus allows you to upload evidence files to the findings and the resulting POA&Ms in the console. If this option is selected, Nucleus will generate a .zip file that contains both the ConMon report as well as all the evidence files referenced in the ConMon report. You will need to have uploaded the evidence to Nucleus in order to see this behavior. ## Report Generation Overview POA&Ms with an identical Display ID will appear as a single row when the report is exported (**Active > Reports > POA&M Continuous Monitoring Report)**. This is helpful when many vulnerabilities are based on a common cause or are assigned to the same team in your organization. POA&Ms with a different display ID or with different Adjusted Risk Rating and Original Risk Rating values will always appear in different rows in the exported report. Display IDs can be updated in the user interface (**Vulnerabilities > Instances > POA&M Tracking > Display ID**) or be applied to many instances at once using the **Set Display ID**button (**Vulnerabilities > Instances > Set Display ID).**The maximum length of the Display ID is 240 characters. > [!NOTE] > Note: At least one instance must be selected for the Set Display ID to be activated. ### POA&M and Informational Findings Informational findings with POA&Ms will not appear in the generated ConMon report as these types of findings have no risk level. For a weakness to appear in the ConMon report, they should have a severity of *at* *least*Low based on the Nucleus [severity model](https://help.nucleussec.com/docs/finding-severities). ### Common Fields The following fields in the exported report will always contain the same values: 1. Adjusted Risk Rating 2. Controls 3. Weakness Name 4. Weakness Description 5. Weakness Detector Source 6. Weakness Source Identifier 7. Binding Operational Directive 22-01 Tracking 8. Binding Operational Directive 22-01 Due Date 9. CVE ### Derived Fields The following fields in the exported report will contain derived information from each POA&M: 1. The **Asset Identifier** field will contain all assets from each POA&M in a comma separated list 2. The **Point of Contact** field will contain all **email addresses** for each Nucleus point of contact from each POA&M 3. The **Resources Required** field will contain all values from each POA&M 4. The **Overall Remediation Plan**field will contain all values from each POA&M 5. The **Original Detection Date**field will contain the earliest date among all POA&Ms 6. The**Scheduled Completion Date**field will contain the earliest date among all POA&Ms 7. The **Planned Milestones**field will contain all values organized by asset 8. The **Milestone Changes**field will contain all values organized by asset 9. The **Status Date**field will contain the latest date among the grouped instances 10. The **Vendor Dependency**field will contain “Yes” if at least one POA&M has a vendor dependency 11. The**Last Vendor Check-in Date**field will contain the latest date among all POA&Ms 12. The **Vendor Dependent Product Name**field****will contain all values from each POA&M 13. The **Risk Adjustment**field will contain “Yes” or “No” based on the values of the Adjusted Risk Rating and Original Risk Rating. 14. The **False Positive**field will contain “No” if all instances are not false positives and Pending if some are false positives. If all instances are false positives the grouped POA&M will appear in the resolved tab and the field value will be Yes. 15. The **Operational Requirement**will contain “Yes” if at least one grouped POA&M instance has this field set to “Yes” 16. The **Deviation Rationale**field will contain all severity change comments from all all POA&Ms 17. The **Supporting Documents**will contain the filename of any supporting documents 18. The **Comments**field will contain all values from each POA&M 19. The **Auto-Approve**will contain “No” if at least one grouped POA&M instance has this field set to “No” 20. The **Service Name**will contain all values from each POA&M