Importing POA&Ms

Overview

Nucleus can manage existing POA&M information you may have already created, either manually or from other software systems inside your organization.

Supported Versions

Nucleus supports FedRAMP revision 5 (v2.1) and FedRAMP 4 (v2.0) templates for import and report generation.

Note: The filename must begin with “FedRAMP-POAM-” with extension .xlsx.

Supported Asset Types

Import Procedure

  1. Navigate to “Integration Hub > Import Via File”, select the POA&M xlsx report and upload it to the data ingest page.

    1. Note: This can also be done using the API, but for a one-time upload we recommend using the User Interface (UI).

  2. Nucleus will automatically detect the POA&M report and try to import all the POA&Ms into Nucleus.

    1. We start by checking the “Asset Identifier” field and trying to match an asset that exists in Nucleus with the host identifiers in the report.

    2. If we get an asset match, we then try to match on the “Weakness Name” + “Weakness Source Identifier” fields.

    3. If we match both of the above, we will automatically create a POA&M in Nucleus and associate the relevant information from the report with the findings in Nucleus.

    4. Note: If a POA&M already exists in Nucleus for that finding, we will populate any empty fields.

    5. Note: Nucleus will import your “POA&M ID” column as the “Display ID” in Nucleus. This allows you to use a custom identifier to group POA&Ms into the report, while still associating them with findings in Nucleus.

  3. Nucleus will generate a “POA&M Upload Report” that can be found under “Analyze > Reports”. This gives you a detailed view of every asset, finding, and POA&M that was ingested, along with errors and warnings describing what was not matched and why.

  4. You can upload the same report multiple times, but POA&Ms that were already imported will not be imported again and will generate an error in the upload report.

Troubleshooting Common Import Problems

If you encounter difficulty importing an existing POA&M report, please check the following list of common problems and solutions:

| Problem | Details | Solution |
| --- | --- | --- |
| I can’t import my existing report | I am getting the following messages when I upload my POA&M report: “Failure! Unable to import data” and “Details: We did not understand the uploaded scan file. Please contact support for help” | Ensure your POA&M report has the correct filename. It must begin with “FedRAMP-POAM-”. For example, if your original file was called MyPOAM.xlsx, you would rename it to: “FedRAMP-POAM-MyPOAM.xlsx” |
| Not all POA&Ms are imported | It looks like one of my POA&M rows didn’t get attached to a finding in Nucleus but I don’t see an error or warning message under “Analyze > Reports” | Ensure your POA&M report matches the official template. In particular, ensure the first 5 rows match. Nucleus will begin importing POA&Ms on row 6. |

Upload Report Details

This section describes the possible success, warning and error messages generated (Analyze > Reports) after importing an existing POA&M template:

| Message | Type | Description | Troubleshooting |
| --- | --- | --- | --- |
| All fields imported correctly | Success | Nucleus matched the imported POA&M with no errors or warnings | None |
| POA&M imported but only empty fields populated | Warning | Nucleus matched the imported POA&M to a finding but one or more fields were empty | Check the values in your import sheet to ensure this is expected. |
| Finding matched, but Point of Contact does not exist in Nucleus: | Warning | Nucleus matched the imported POA&M to a finding but has determined that the Point of Contact does not exist in Nucleus | Check the value of Point of Contact or add the corresponding User to Nucleus (Global Administration → Users). |
| Not able to match to an existing host by Asset Identifier | Error | Nucleus could not match the Asset in the Asset Identifier field to a finding in Nucleus | Double check the value of the Asset Identifier field in Nucleus. Multiple assets should be separated by a newline. |
| Not able to match existing finding by plugin ID or CVE number | Error | Nucleus could not match the POA&M to a finding in Nucleus | Check the values of Weakness Source Identifier and Weakness Name and ensure they are not blank. |
| Duplicate entry | Error | Nucleus has determined that the POA&M entry already exists in the import sheet and has been skipped | Check the values in your import and remove duplicate rows in your POA&M sheet. |
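A pre-upload check for the problems listed above (filename, blank matching fields, duplicate rows), as an added example that is not Nucleus code. It takes the worksheet already loaded as a list of rows, and assumes that row 5 of the template holds the column headers and that a duplicate is a row repeating all three matching fields; `check_filename`, `cell`, `preflight` and the sample data are names made up for this example.

```python
import re

REQUIRED = ("Asset Identifier", "Weakness Name", "Weakness Source Identifier")
HEADER_ROW = 5      # assumption: row 5 of the template holds the column headers
FIRST_DATA_ROW = 6  # from the page: importing begins on row 6

# Constructed sample sheet; rows 1-4 stand in for the template's banner rows.
SAMPLE = [["banner"]] * 4 + [
    ["POA&M ID", "Weakness Name", "Weakness Source Identifier", "Asset Identifier"],
    ["V-1", "Outdated OpenSSL", "12345", "web01.example.test"],
    ["V-2", "Weak TLS ciphers", None, "web01.example.test"],
    ["V-3", "Outdated OpenSSL", "12345", "web01.example.test"],
]


def check_filename(name):
    """Page rule: the name begins with 'FedRAMP-POAM-' and ends in .xlsx."""
    return re.fullmatch(r"FedRAMP-POAM-.*\.xlsx", name) is not None


def cell(row, i):
    """Cell i of a row as stripped text; missing or None cells become ''."""
    return str(row[i]).strip() if i < len(row) and row[i] is not None else ""


def preflight(filename, rows):
    """rows: the worksheet as a list of rows (row 1 first), each a list of cells.
    Returns (row_number, problem) tuples; row 0 refers to the file itself."""
    problems = []
    if not check_filename(filename):
        problems.append((0, "filename must begin with FedRAMP-POAM- and end in .xlsx"))
    if len(rows) < HEADER_ROW:
        return problems + [(0, "sheet has fewer than 5 rows")]
    header = [cell(rows[HEADER_ROW - 1], i) for i in range(len(rows[HEADER_ROW - 1]))]
    missing = [h for h in REQUIRED if h not in header]
    if missing:
        return problems + [(HEADER_ROW, "missing columns: " + ", ".join(missing))]
    seen = {}
    for n, row in enumerate(rows[FIRST_DATA_ROW - 1:], start=FIRST_DATA_ROW):
        values = [cell(row, header.index(h)) for h in REQUIRED]
        problems += [(n, f"{h} is blank") for h, v in zip(REQUIRED, values) if not v]
        # Assumption: a duplicate row repeats all three matching fields.
        if tuple(values) in seen:
            problems.append((n, f"duplicate of row {seen[tuple(values)]}"))
        seen.setdefault(tuple(values), n)
    return problems
```

Calling `preflight("MyPOAM.xlsx", SAMPLE)` reports the filename, the blank Weakness Source Identifier on row 7 and the repeated entry on row 8, using the same row numbers as the spreadsheet.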