DETAILED ACTION
Claims 1-20 are pending in the present application and are under examination on the merits. This communication is the first action on the merits (FAOM).
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
No Information Disclosure Statement has been filed in regard to this application. As such, no IDS has yet been considered for this application. 

Drawings
The drawings are objected to as failing to comply with 37 CFR 1.84(p)(5) because they include the following reference numerals not mentioned in the description: 1204 in Fig. 12. Corrected drawing sheets in compliance with 37 CFR 1.121(d), or amendment to the specification to add the reference character(s) in the description in compliance with 37 CFR 1.121(b) are required in reply to the Office action to avoid abandonment of the application. Any amended replacement drawing sheet should include all of the figures appearing on the immediate prior version of the sheet, even if only one figure is being amended. Each drawing sheet submitted after the filing date of an application must be labeled in the top margin as either “Replacement Sheet” or “New Sheet” pursuant to 37 CFR 1.121(d). If the changes are not accepted by the examiner, the applicant will be notified and informed of any required corrective action in the next Office action. The objection to the drawings will not be held in abeyance.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows: 
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.
In the instant case, claims 9-14 are directed towards a process, and claims 1-8 and 15-20 are directed towards a machine or article of manufacture.
Regarding claim 1, the claim is directed to the judicial exception of certain methods of organizing human activity such as managing personal behavior or relationships or interactions between people, including social activities, teaching, and following rules or instructions. The following claim limitations are analogous to court identified abstract ideas that are representative of certain methods of organizing human activity: “store original text from a corpus of security questionnaires, and values associated with the original text from the corpus of security questionnaires,” “the values indicating a section, a control, or a question of the original text,” “identify a set of latent topics present in the original text from the corpus of security questionnaires,” “score portions of the original text based on one or more of presence and absence of one or more latent topics of the set of latent topics present in the original text, wherein the portions are identified based on the values associated with the original text,” “receive a new security questionnaire comprising new text,” “score portions of the new text from the new security questionnaire based on presence or absence of the latent topics,” “determine score differences between the scored portions of the original text from the corpus of security questionnaires and the scored portions of the new text from the new security questionnaire,” and “link portions of the original text from the corpus of security questionnaires to portions of the new text from the new security questionnaire with a smallest score difference.” The concepts described in the limitations when taken both as a whole and individually are not meaningfully different than those found by the courts to be abstract ideas and are similarly considered to be certain methods of organizing human activity such as managing personal behavior or relationships or interactions between people, including social activities, teaching, and following rules or instructions.
Additionally, the claims do not recite a practical application of the abstract concepts in that there is no specific use or application of the method steps other than to make conclusory determinations. The claims do not recite any particular use for these determinations that improve upon the underlying computer technology. Additionally, the claims recite the additional elements of: “A system to establish a security profile, the system comprising: a memory to store: … a processing unit to,” (computer processor and memory with computer instructions). Additionally, independent claims 9 and 15 recite further additional elements: “A system for responding to security questionnaires, the system comprising: a memory to store a corpus of security questionnaires; and a processor to,” (computer processor and memory with computer instructions). Examiner notes that the implementation of the abstract concepts utilizing technology in this way is generally linking the use of the judicial exception to a particular technological environment or field of use (See MPEP 2106.05(h)). Accordingly, Examiner does not find that the claims recite a practical application of the abstract concepts recited by the claims.
Additionally, the elements of the instant process, when taken in combination, together do not recite significantly more than the abstract idea itself. In regard to the claims showing significantly more, the claims do not recite “significantly more” because the claim is not either 1) 
The method and system, as claimed by the applicant, is no more than a general linking of the use of the abstract idea (an idea of itself) to a particular technological environment (the use of computers to calculate and transmit data). The recitation of well-known computer functions does not meet the “significantly more” threshold. Additionally, the application of computer technology amounts to merely applying the abstract concepts via computer elements. (see Applicant’s disclosure for implementation of computer components in Paragraph Numbers [0092]-[0104]). The recited computer elements and functions that are applied to the abstract idea in the claims are “A system to establish a security profile, the system comprising: a memory to store: … a processing unit to,” (computer processor and memory with computer instructions). Additionally, independent claims 9 and 15 recite further additional elements: “A system for responding to security questionnaires, the system comprising: a memory to store a corpus of security questionnaires; and a processor to
Claim 9 recites a method that contains substantially similar subject matter as claim 1 and is rejected for the same reasons put forth above in regard to claim 1.
Claims 2-8, 10-14, and 16-20 when analyzed as a whole, are held to be patent ineligible under 35 U.S.C. 101 because the additional recited limitation(s) are rejected based upon the same rationale, wherein the claim language does not recite “significantly more” than the abstract idea. Specifically, claims 2-8, 10-14, and 16-20 further narrow the abstract idea in that they recite additional computations or calculations that are a part of the above identified abstract idea. Additionally, claims 2-8, 10-14, and 16-20 do not recite any additional elements that are not part of the above identified abstract idea.
Regarding claims 1-8 and 15-20, the claim is directed to an apparatus/system and computer readable media for performing the method steps as described above and are rejected in that the recited computer components in the apparatus/system and computer readable media claims add nothing of substance to the underlying abstract idea. The application of computer technology in the claims merely serves to facilitate computerized implementation of the abstract idea. (see Applicant’s disclosure for implementation of computer components in Paragraph Numbers [0092]-[0104]).
The claims, as a whole, do not amount to significantly more than the abstract idea itself. This is because the claims do not effect an improvement to another technology or technical field; the claims do not amount to an improvement to the functioning of a computer itself; and the claims do not move beyond a general link of the use of an abstract idea to a particular technological environment. In addition, the claims are not necessarily
Accordingly, the Examiner concludes that there are no meaningful limitations in the claims that transform the judicial exception into a patent eligible application such that the claims amount to significantly more than the judicial exception itself.
Note: The analysis above applies to all statutory categories of invention. As such, the presentment of any claim otherwise styled as a machine or manufacture, for example, would be subject to the same analysis.

Claim Rejections - 35 USC § 102 
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102(A)(2) that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(A)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention
Claims 1-5, 7-12, 14-17, 19, and 20 are rejected under 35 U.S.C. 102(A)(2) as being anticipated by U.S. Patent Application Publication Number 2018/0129989 to Bowers (hereafter referred to as Bowers).
As per claim 1, Bowers teaches:
A system to establish a security profile, the system comprising: a memory to store: … a processing unit to: (Paragraph Number [0400] teaches the computing device 10000 includes a processor 10002, a memory 10004, a storage device 10006, a high-speed interface 10008 connecting to the memory 10004 and multiple high-speed expansion ports 10010, and a low-speed interface 10012 connecting to a low-speed expansion port 
original text from a corpus of security questionnaires, and values associated with the original text from the corpus of security questionnaires (Paragraph Number [0169] teaches the term "questionnaire" refers to one or more unique sets of questions, formatted to follow a template, that are created for the purpose of assessing vendor risk. Paragraph Number [0192] teaches when adding a new vendor product, the system 100 may present the end-user with a list of questions associated with the product.  The questions may include a request for the vendor name, the product name, the product type, and a risk level.  The risk level may be defined as low, medium, high, and undefined (as corresponding to the risk level 304).  Alternatively, the risk level may be an input from the risk-assessment module 214. Paragraph Number [0255] teaches the system 100 may provide a graphical user interface configured to display one or more prompts for user entries associated with a risk assessment of a given vendor product where the user entries are in response to a set of questionnaires).
the values indicating a section, a control, or a question of the original text (Paragraph Number [0256] teaches following interaction with the onboarding module, a template is created which specifies a set of global variables that apply to all the questionnaires created by the FI. The template further specifies rules for determining a final risk score, such as, for example, section weighting, question weighting, or other score settings).
identify a set of latent topics present in the original text from the corpus of security questionnaires (Paragraph Number [0257] teaches once at least one questionnaire has been created and saved, a risk assessment may be performed for a vendor or product. The user can identify a vendor or product for assessment (step 1704), and select a questionnaire from a list of available saved questionnaires. One or more contributors, referring to individuals or entities that complete part or all of the selected questionnaire, for the risk assessment are identified).
score portions of the original text based on one or more of presence and absence of one or more latent topics of the set of latent topics present in the original text, wherein the portions are identified based on the values associated with the original text (Paragraph Number [0256] teaches a web-based system allows for user-friendly, step-by-step preparation of vendor-specific risk assessment reports using a template and a questionnaire.  FIG. 17 depicts an example workflow of the system to guide a user at a financial institution to conduct a risk assessment associated with one or more vendors or products in accordance with an embodiment of the invention.  Prior to beginning a risk assessment, a user at a FI interacts with an onboarding module to select one of various operating paths 1702a-c, e.g., selected based on the user's expertise.  The most basic path 1702a automates the substantial majority of the Risk Assessment process (such as the selection of templates, questionnaires, and settings), while the most advanced path 1702c allows the user complete control over creation of the template, questionnaires, and settings used to conduct the risk assessment. Following interaction with the onboarding module, a template is created which specifies a set of global variables that apply to all the questionnaires created by the FI.  In certain embodiments, the template further specifies 
receive a new security questionnaire comprising new text (Paragraph Number [0258] teaches following response to the questionnaire by the one or more contributors, a two-part risk assessment is carried out which evaluates inherent risk as well as residual risk.  Finally, a final risk score is calculated (step 1710) based on the determined inherent risk and residual risk, as well as on the rules specified in the template.  One or more approvers must review the assessments and may approve or reject an assessment and provide commentary to support their decision.  In these embodiments, a risk assessment is not complete until it is approved by the approvers, and rejection of an assessment may either generate a new risk assessment, or the user may revise and resubmit their current assessment based upon the approver's comments.  Once complete, a risk assessment becomes part of a vendor's overall documentation and is stored in a Risk Assessment history location (step 1712)).
score portions of the new text from the new security questionnaire based on presence or absence of the latent topics (Paragraph Number [0258] teaches following response to the questionnaire by the one or more contributors, a two-part risk assessment is carried out which evaluates inherent risk as well as residual risk.  Finally, a final risk score is calculated (step 1710) based on the determined inherent risk and residual risk, as well as on the rules specified in the template.  One or more approvers must review the assessments and may approve or reject an assessment and provide commentary to support their decision.  In these embodiments, a risk assessment is not complete until it is approved by the approvers, and rejection of an assessment may either generate a new risk 
determine score differences between the scored portions of the original text from the corpus of security questionnaires and the scored portions of the new text from the new security questionnaire (Paragraph Number [0288] and FIG. 43 shows an example inherent risk assessment in accordance with an embodiment of the invention.  A list of questions 4302 is displayed.  The inherent risk assessment workspace displays information regarding inherent risk, including: "how likely is something to happen, and what is the effect of that event if it should happen?" Rating bars are preset at mid-range which is determined by the number of settings on the risk assessment scale that were specified within the template. In certain embodiments, 3-5 levels of risk may be identified (e.g., low, moderate, and high) (see, e.g., widgets 4304). The user (e.g., contributor) must hover over and select the rating of choice, while leaving it at the default value will mark the question incomplete. Paragraph Number [0291] and FIG. 46 is another example of an inherent risk assessment workspace in accordance with an embodiment of the invention. The inherent risk assessment workspace comprises a questionnaire heading which reflects the current overall score (e.g., heading 4602), and may use color coding as well as a label.  A second heading can reflect the current scoring (e.g., heading 4604) for a given section, e.g., Strategic Risk.  The answer format for each risk assessment depends on the template and can vary; e.g., in the illustrated example, there are five levels of scoring from low to high.  In certain embodiments, the user may hover over the scoring bar 4606 and drag to the left or right to "set" the score).
link portions of the original text from the corpus of security questionnaires to portions of the new text from the new security questionnaire with a smallest score difference (Paragraph Number [0375] teaches the Risk at the Assessment Question Level may include reviewing risk scores for each question within the Risk Assessment Questionnaire across multiple vendor products and may be associated with a Risk tag.  The Risk Score by Areas of Risk may include a grid that returns risk scores for each category of risk assessed (e.g., "How many vendor products have a high-risk rating for financial risk?") and may be associated with a Risk tag.  The Vendor Products may include a report showing high level data relating to all vendor products that can be limited to specific vendors only and may be associated with a General tag. Paragraph Number [0256] teaches the template further specifies rules for determining a final risk score, such as, for example, section weighting, question weighting, or other score settings.  Once the template has been built, one or more questionnaires may be created and saved).
As per claim 9, Bowers teaches:
A method of responding to a security questionnaire, the method comprising: identifying a set of latent topics present in a corpus of security questionnaires (Paragraph Number [0257] teaches once at least one questionnaire has been created and saved, a risk assessment may be performed for a vendor or product.  The user can identify a vendor or product for assessment (step 1704), and select a questionnaire from a list of available saved questionnaires.  One or more contributors, referring to individuals or entities that complete part or all of the selected questionnaire, for the risk assessment are identified).
determining a distribution of latent topics throughout questions, controls, and sections within the corpus of security questionnaires (Paragraph Number [0169] teaches the term "questionnaire" refers to one or more unique sets of questions, formatted to follow a template, that are created for the purpose of assessing vendor risk. Paragraph Number [0192] teaches when adding a new vendor product, the system 100 may present the end-user with a list of questions associated with the product.  The questions may include a request for the vendor name, the product name, the product type, and a risk level.  The risk level may be defined as low, medium, high, and undefined (as corresponding to the risk level 304).  Alternatively, the risk level may be an input from the risk-assessment module 214. Paragraph Number [0255] teaches the system 100 may provide a graphical user interface configured to display one or more prompts for user entries associated with a risk assessment of a given vendor product where the user entries are in response to a set of questionnaires).
wherein the distribution scores the questions, controls, and sections based on a presence or absence of each latent topic within the set of latent topics (Paragraph Number [0169] teaches the term "questionnaire" refers to one or more unique sets of questions, formatted to follow a template, that are created for the purpose of assessing vendor risk. Paragraph Number [0192] teaches when adding a new vendor product, the system 100 may present the end-user with a list of questions associated with the product.  The questions may include a request for the vendor name, the product name, the product type, and a risk level.  The risk level may be defined as low, medium, high, and undefined (as corresponding to the risk level 304).  Alternatively, the risk level may be an input from the risk-assessment module 214. Paragraph Number [0255] teaches the system 
scoring a new text based on the presence or absence of each latent topic within the set of latent topics (Paragraph Number [0256] teaches a web-based system allows for user-friendly, step-by-step preparation of vendor-specific risk assessment reports using a template and a questionnaire.  FIG. 17 depicts an example workflow of the system to guide a user at a financial institution to conduct a risk assessment associated with one or more vendors or products in accordance with an embodiment of the invention.  Prior to beginning a risk assessment, a user at a FI interacts with an onboarding module to select one of various operating paths 1702a-c, e.g., selected based on the user's expertise.  The most basic path 1702a automates the substantial majority of the Risk Assessment process (such as the selection of templates, questionnaires, and settings), while the most advanced path 1702c allows the user complete control over creation of the template, questionnaires, and settings used to conduct the risk assessment. Following interaction with the onboarding module, a template is created which specifies a set of global variables that apply to all the questionnaires created by the FI.  In certain embodiments, the template further specifies rules for determining a final risk score, such as, for example, section weighting, question weighting, or other score settings).
comparing a score of the new text to the distribution of latent topics throughout the questions, controls, and sections within the corpus of security questionnaires (Paragraph Number [0288] and FIG. 43 shows an example inherent risk assessment in accordance with an embodiment of the invention.  A list of questions 4302 is displayed.  
identifying a question, control, or section that is scored within the distribution that is nearest the score of the new text (Paragraph Number [0375] teaches the Risk at the Assessment Question Level may include reviewing risk scores for each question within the Risk Assessment Questionnaire across multiple vendor products and may be associated with a Risk tag.  The Risk Score by Areas of Risk may include a grid that returns risk scores for each category of risk assessed (e.g., "How many vendor products have a high-risk rating for financial risk?") and may be associated with a Risk tag.  The 
associating the new text and the identified question, control, or section (Paragraph Number [0375] teaches the Risk at the Assessment Question Level may include reviewing risk scores for each question within the Risk Assessment Questionnaire across multiple vendor products and may be associated with a Risk tag.  The Risk Score by Areas of Risk may include a grid that returns risk scores for each category of risk assessed (e.g., "How many vendor products have a high-risk rating for financial risk?") and may be associated with a Risk tag.  The Vendor Products may include a report showing high level data relating to all vendor products that can be limited to specific vendors only and may be associated with a General tag. Paragraph Number [0256] teaches the template further specifies rules for determining a final risk score, such as, for example, section weighting, question weighting, or other score settings.  Once the template has been built, one or more questionnaires may be created and saved).
As per claim 15, Bowers teaches:
A system for responding to security questionnaires, the system comprising: a memory to store a corpus of security questionnaires; and a processor to (Paragraph Number [0400] teaches the computing device 10000 includes a processor 10002, a memory 10004, a storage device 10006, a high-speed interface 10008 connecting to the 
identify a set of latent topics present in the corpus of security questionnaires (Paragraph Number [0257] teaches once at least one questionnaire has been created and saved, a risk assessment may be performed for a vendor or product.  The user can identify a vendor or product for assessment (step 1704), and select a questionnaire from a list of available saved questionnaires.  One or more contributors, referring to individuals or entities that complete part or all of the selected questionnaire, for the risk assessment are identified).
determine a distribution of latent topics throughout questions, controls, and sections within the corpus of security questionnaires (Paragraph Number [0169] teaches the term "questionnaire" refers to one or more unique sets of questions, formatted to follow a template, that are created for the purpose of assessing vendor risk. Paragraph Number [0192] teaches when adding a new vendor product, the system 100 may present the end-user with a list of questions associated with the product.  The questions may include a request for the vendor name, the product name, the product type, and a risk level.  The risk level may be defined as low, medium, high, and undefined (as corresponding to the risk level 304).  Alternatively, the risk level may be an input from the risk-assessment module 214. Paragraph Number [0255] teaches the system 100 may 
wherein the distribution scores the questions, controls, and sections based on a presence or absence of each topic within the set of latent topics (Paragraph Number [0169] teaches the term "questionnaire" refers to one or more unique sets of questions, formatted to follow a template, that are created for the purpose of assessing vendor risk. Paragraph Number [0192] teaches when adding a new vendor product, the system 100 may present the end-user with a list of questions associated with the product.  The questions may include a request for the vendor name, the product name, the product type, and a risk level.  The risk level may be defined as low, medium, high, and undefined (as corresponding to the risk level 304).  Alternatively, the risk level may be an input from the risk-assessment module 214. Paragraph Number [0255] teaches the system 100 may provide a graphical user interface configured to display one or more prompts for user entries associated with a risk assessment of a given vendor product where the user entries are in response to a set of questionnaires).
score a new text based on the presence or absence of each topic within the set of latent topics (Paragraph Number [0258] teaches following response to the questionnaire by the one or more contributors, a two-part risk assessment is carried out which evaluates inherent risk as well as residual risk.  Finally, a final risk score is calculated (step 1710) based on the determined inherent risk and residual risk, as well as on the rules specified in the template.  One or more approvers must review the assessments and may approve or reject an assessment and provide commentary to support their decision.  In these 
compare a score of the new text to the distribution of latent topics throughout the questions, controls, and sections within the corpus of security questionnaires (Paragraph Number [0288] and FIG. 43 shows an example inherent risk assessment in accordance with an embodiment of the invention.  A list of questions 4302 is displayed.  The inherent risk assessment workspace displays information regarding inherent risk, including: "how likely is something to happen, and what is the effect of that event if it should happen?" Rating bars are preset at mid-range which is determined by the number of settings on the risk assessment scale that were specified within the template. In certain embodiments, 3-5 levels of risk may be identified (e.g., low, moderate, and high) (see, e.g., widgets 4304). The user (e.g., contributor) must hover over and select the rating of choice, while leaving it at the default value will mark the question incomplete. Paragraph Number [0291] and FIG. 46 is another example of an inherent risk assessment workspace in accordance with an embodiment of the invention. The inherent risk assessment workspace comprises a questionnaire heading which reflects the current overall score (e.g., heading 4602), and may use color coding as well as a label.  A second heading can reflect the current scoring (e.g., heading 4604) for a given section, e.g., Strategic Risk.  The answer format for each risk assessment depends on the template and can vary; e.g., in the illustrated example, 
identify a question, control, or section that is scored within the distribution that is nearest the score of the new text (Paragraph Number [0375] teaches the Risk at the Assessment Question Level may include reviewing risk scores for each question within the Risk Assessment Questionnaire across multiple vendor products and may be associated with a Risk tag.  The Risk Score by Areas of Risk may include a grid that returns risk scores for each category of risk assessed (e.g., "How many vendor products have a high-risk rating for financial risk?") and may be associated with a Risk tag.  The Vendor Products may include a report showing high level data relating to all vendor products that can be limited to specific vendors only and may be associated with a General tag. Paragraph Number [0256] teaches the template further specifies rules for determining a final risk score, such as, for example, section weighting, question weighting, or other score settings.  Once the template has been built, one or more questionnaires may be created and saved).
populate an unanswered question field associated with the new text with an answer variable associated with the identified question, control, or section (Paragraph Number [0383] and FIG. 88 shows an example save as custom report form interface in accordance with an embodiment of the invention. When the user selects save as custom report 8510, the report name 8802 and description 8804 may be pre-populated and the original tag 8806 may be re-assigned.  The user can edit the name and description as well as manage tags assigned to the custom report.  The save as custom report form may 
As per claim 2, Bowers teaches each of the limitations of claim 1. 
In addition, Bowers teaches:
wherein the memory is further used to store answer objects associated with portions of the original text (Paragraph Number [0256] teaches the template further specifies rules for determining a final risk score, such as, for example, section weighting, question weighting, or other score settings.  Once the template has been built, one or more questionnaires may be created and saved. Paragraph Number [0373] and FIG. 80 shows a block diagram of the components of an example system for customizing reports.  Reports may include Data Reports 8002 and Visual Reports 8004.  Reports may be downloaded or shared, which may cause the system 100 to generate an entry in Report History 8008.  Reports may also be saved as Custom Reports 8006.  Similarly, Custom Reports 8006 may be downloaded or shared, which may cause the system 100 to generate an entry in Report History 8008.  Scheduled Reports 8010 may be generated from Custom Reports 8006 at user-defined frequencies.  Items in Report History 8008 may be downloaded, shared, or deleted).
wherein the processing unit is further to link an answer object associated with a portion of the original text to a portion of the new text linked to the portion of the original text, such that the answer object is common to both the portion of the original text and the portion of the new text. (Paragraph Number [0241] teaches the system 100 may allow the end-user to retrieve additional documents (1128) related to the vendor product.  A selection of this input (1128) may direct the end-user to the document storage page 206, 
As per claims 3, 11, and 16, Bowers teaches each of the limitations of claims 1, 9, and 15 respectively. 
In addition, Bowers teaches:
wherein the processing unit is further to request that portions of the original text and portions of the new text that are linked be displayed for review (Paragraph Number [0230] and FIG. 8 is an example workspace 800 for matching collected end-user's document to a list of suggested documents in accordance with an embodiment of the invention.  The workspace 800 may display a list of collected documents uploaded by the end-user (802).  The list may include documents collected in the compliance document folder, as described in relation to FIG. 5.  The workspace 800 may display a list of suggested documents (804) for the examination. The list of suggested documents (804) may be a pre-defined list of documents that is organized by risk levels. Paragraph Number [0235] teaches the method 600 may include displaying (step 614) all of the 
As per claims 4, 12, and 17, Bowers teaches each of the limitations of claims 1, 9 and 11, 15 and 16 respectively. 
In addition, Bowers teaches:
wherein the processing unit is further to receive an input indicating acceptance or rejection of linking of the portions of the original text and the portions of the new text. (Paragraph Number [0258] teaches following response to the questionnaire by the one or more contributors, a two-part risk assessment is carried out which evaluates inherent risk as well as residual risk.  Finally, a final risk score is calculated (step 1710) based on the determined inherent risk and residual risk, as well as on the rules specified in the template. One or more approvers must review the assessments and may approve or reject an assessment and provide commentary to support their decision. A risk assessment is not complete until it is approved by the approvers, and rejection of an assessment may either generate a new risk assessment, or the user may revise and resubmit their current assessment based upon the approver's comments.  Once complete, a risk assessment becomes part of a vendor's overall documentation and is stored in a Risk Assessment history location (step 1712)).
As per claims 5 and 10, Bowers teaches each of the limitations of claims 1 and 9 respectively. 

wherein the processing unit is further to populate an unanswered answer object associated with the new security questionnaire based on the portions of the original text that are linked to the portions of the new text. (Paragraph Number [0383] and FIG. 88 shows an example save as custom report form interface in accordance with an embodiment of the invention. When the user selects save as custom report 8510, the report name 8802 and description 8804 may be pre-populated and the original tag 8806 may be re-assigned.  The user can edit the name and description as well as manage tags assigned to the custom report.  The save as custom report form may include an interface 8808 through which the user can select where in the Custom Reports interface to save a report).
As per claims 7, 14, and 19, Bowers teaches each of the limitations of claims 1, 9, and 15 respectively.
In addition, Bowers teaches:
wherein the processing unit is further to determine a standardized questionnaire within the corpus of security questionnaires that correlates to the new security questionnaire (Paragraph Number [0263] and FIG. 22 is an example template management workspace to build, set up, or edit a template for a Risk Assessment in accordance with an embodiment of the invention.  Users who selected either Level 1 or Level 2 operating paths will have a template preloaded for them, while users who selected Level 3 may create their own template.  Template settings can include risk levels (e.g., from three to five levels), inclusion/exclusion of residual risk, the ability to add weighted values to questions, determination of answer format, inclusion/exclusion of 
As per claims 8 and 20, Bowers teaches each of the limitations of claims 1 and 7, and 15 and 20 respectively. 
In addition, Bowers teaches:
wherein the processing unit is further to cause the standardized questionnaire to be transmitted as a response to the new security questionnaire (Paragraph Number [0263] and FIG. 22 is an example template management workspace to build, set up, or edit a template for a Risk Assessment in accordance with an embodiment of the invention.  Users who selected either Level 1 or Level 2 operating paths will have a template preloaded for them, while users who selected Level 3 may create their own template.  Template settings can include risk levels (e.g., from three to five levels), inclusion/exclusion of residual risk, the ability to add weighted values to questions, determination of answer format, inclusion/exclusion of standard section headings and the ability to create new ones, and the entering of standard text for an Executive Summary. Each of these elements can be included in every subsequent questionnaire that is created for this FI as long as this template remains in force. Templates may be edited. If there is at least one questionnaire in progress, the template cannot be altered.  Completed questionnaires can retain the original template's format. Any or all subsequent new questionnaires can be built using an updated template).

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all obviousness rejections set forth in this Office action:
A person shall be entitled to a patent unless –
(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains.  Patentability shall not be negatived by the manner in which the invention was made.

Claims 6, 13, and 18 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. Patent Application Publication Number 2018/0129989 to Bowers (hereafter referred to as Bowers) in view of U.S. Patent Application Publication Number 2019/0377867 to Murphy et al. (hereafter referred to as Murphy).
As per claims 6, 13, and 18, Bowers teaches each of the limitations of claims 1, 13, and 18. 
Bowers teaches identifying topics relevant to determining security and risk of vendors, but does not explicitly teach that the identification is made using a generative statistical model, which is taught by the following citations from Murphy:
wherein the processing unit is further to identify the set of latent topics by processing the original text using a generative statistical model (Paragraph Number [0042] teaches when processing information 58, probabilistic process 56 may use probabilistic modeling to accomplish such processing, wherein examples of such probabilistic modeling may include but are not limited to discriminative modeling, generative modeling, or combinations thereof).
Both Bowers and Murphy are directed to determining security of vendors. Bowers discloses identifying topics relevant to determining security and risk of vendors. Murphy 

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MATTHEW H. DIVELBISS whose telephone number is (571) 270-0166. The fax phone number is 571-483-7110. The examiner can normally be reached on M-Th, 7:00 - 5:00. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jerry O'Connor can be reached on (571) 272-6787. 
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/M. H. D./
Examiner, Art Unit 3624


/Jerry O'Connor/
Supervisory Patent Examiner, Group Art Unit 3624