DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This communication is in response to a terminal disclaimer filed on 01/22/2021 and the pre-brief conference request received on 01/19/2021.
Claims 1-20 are currently pending in this application.
No new IDS has been filed.

Response to Arguments
The double patenting rejections of claims 1-15 have been withdrawn in response to the filing of a terminal disclaimer, which was approved on 01/22/2021.
The previous 103 rejections of claims 1-15 have been withdrawn in response to the applicants’ amendments/remarks.

Allowable Subject Matter
Claims 1-20 are allowed.

Examiner’s Statement for Reasons for Allowance
The following is an examiner’s statement of reasons for allowance:
Regarding independent claims 1, 10 and 15,

Sood et al. (US 2016/0337329 A1) teaches technologies for bootstrapping virtual network functions (VNF) in a network functions virtualization (NFV) network architecture. A VNF bootstrap service (VBS) agent is configured to execute a secure VNF bootstrap capture protocol in the NFV network architecture. The NFV network architecture includes an NFV security services controller for managing and enforcing security monitoring and secure message transmission and transmitting a security monitoring policy. The VBS agent security credential module is configured to provide a valid security credential (e.g., a certificate, a signed hash result, etc.) for the VBS agent being registered during execution of the VBS capture protocol - see abstract; fig. 4; paras. [0019], [0022] and [0064] of Sood.

Arramreddy et al. (US 2017/0118173 A1) teaches a method and system for a distributed firewall and virtual network services on a network. A plurality of predefined security groups are stored, wherein each group has a set of predefined security rules for network packets configured to be transmitted between virtual machines (VMs). An outgoing network packet from a sending VM to a receiving VM is filtered in response to the predefined security rules associated with the predefined security groups (SGs) associated with the sending VM to validate the communication desired in the outgoing network packet. The distributed firewall and virtual network services policy includes security domains, security group memberships, security rules to determine whether a packet can be allowed or denied, etc. The security domain identifier (e.g., security tag) is the most unique identifier for a data center tenant that is using the resources in the data center – see abstract; figs. 4A, 7; paras. [0011], [0052] and [0053] of Arramreddy.

Antony et al. (US 2016/0380909 A1) teaches a method to provide quality of service (QoS) for a container in a virtualized computing environment. The method may comprise receiving a traffic flow of packets from a virtual machine (VM) and identifying a container from which the traffic flow originates based on content of the received traffic flow of packets. A QoS policy may be configured for the container (e.g., “C1”). When a traffic flow of packets is received from “VM1”, “C1” may be identified based on content in the packets and forwarded according to the QoS policy. Traffic flow differentiation may be implemented based on tag data added to packets originating from “C1”. When “C1” sends a traffic flow of packets, VM1 may add tag data to the header data of each packet to generate a tagged traffic flow. Different tag data may be used for different containers. A guest agent that hooks onto a network stack of the guest OS may be used to add the tag data – see abstract; figs. 1-3; paras. [0026], [0031] and [0032] of Antony.

However, the prior art of record does not teach or render obvious the limitations, specifically and in combination with other limitations, of claims 1, 10 and 15 in a system, method or media comprising:
a first computing device comprising at least one processor, the first computing device configured to run a hypervisor, a virtual machine 
a second computing device comprising at least one processor, the second computing device configured to run a control plane configured to:
receive a request from the metavisor for at least one key for accessing the protected resource, the request comprising an identity document and a token having a tag associated with a policy, the identity document comprising metadata corresponding to the metavisor; and
determine whether the metavisor is allowed to obtain the at least one key and authorize access by the guest operating system to the protected resource based on the policy and the identity document.

Dependent claims 2-9, 11-14 and 16-20 are allowed as they depend from allowable independent claim 1, 10 or 15.

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submissions should be clearly labeled "Comments on Statement of Reasons for Allowance".

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MAUNG T LWIN whose telephone number is (571)270-7845.  The examiner can normally be reached on Monday - Friday 10:00 am - 6:00 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr, can be reached on 571-272-3739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.