DETAILED ACTION
This is in response to the amendment/RCE filed on 02/01/2021 in Application No. 16/073,396.  Claims 1-15 are pending; claims 1, 14, and 15 are independent.  Claims 1 and 14-15 have been amended.  No claims have been added or canceled.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 02/01/2021 has been entered.

Response to Arguments
In previous Office actions the primary reference, Lim, was not considered for all of its content.  After a thorough review of Lim, the Office has determined that Lim is in fact an anticipatory reference to independent claims 1, 14, and 15.
Regarding applicant’s argument on page 4 of the remarks that “Lim does not teach, in response to a request for a file system operation in respect of data for the software application, retrieving a security policy definition,” Examiner appreciates the applicant’s interpretation and respectfully disagrees.  Lim, in the paragraphs cited below, describes when a security policy is retrieved and how that policy is defined and enforced to encrypt a file, a document, an e-mail, and/or an attachment of an e-mail.  In paragraph 0084, the information management system can encrypt (e.g., as directed or based on a policy) the information or content before it is stored, e-mailed to another user, and so forth.  In this case, even when the information management system is not operating or in effect, the information will not be viewable unless the user unencrypts the information first.  In paragraph 0093, when a document classified as "confidential" is sent by an employee as an attachment of an e-mail, a policy directs a policy enforcer to encrypt the document before allowing the e-mail to be sent.  Lim in this paragraph retrieves the security policy, and in paragraph 0097 and figure 6, Lim recites that a policy enforcer 601 includes one or more interceptors 602, a policy engine 603, and one or more obligation handlers 604.  The policy enforcer interacts with encryption service add-on 605 via an encryption handler.  In the figure, the obligation handlers include the encryption handler.  In another 
Applicant’s argument with respect to the rejection of claims 1 and 15 under 35 U.S.C. 101 is persuasive in view of the amended claims; thus, the rejection of those claims under 35 U.S.C. 101 is withdrawn.
Applicant’s arguments filed on 12/07/2020 with respect to claims 1 and 14-15 have been considered but are moot in view of the modified/new grounds of rejection set forth below.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claim 14 is rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter. 
Independent claim 14 is directed to non-statutory subject matter.  The claim does not fall within at least one of the four categories of patent eligible subject matter because it is not directed to a device, a system, or an apparatus: it recites "A data storage device providing secure data storage for a software application executed by an operating system in a computer system comprising: a file system operation interceptor executing …; a file system operation analyzer that is responsive to …; a comparator that compares …; and a cryptographic unit that performs at least one of data encryption or data decryption using one or more cryptographic functions; wherein the cryptographic unit is operable ... " without at least one hardware component in the body of the claim as part of the system; thus claim 14 as a whole is interpreted to be software per se.  An attempt to claim a device (i.e., an apparatus or a system) with no tangible structural component in the body of the claim is not patent eligible.  See New Interim Patent Subject Matter Eligibility Examination Instructions, 35 USC 101, August 24, 2009 (http://www.uspto.gov/patents/law/comments/2009-08-25_interim_101_instructions.pdf).  Although a computer may be patent eligible if it "is programmed to perform particular functions pursuant to instructions from program software," In re Alappat, 33 F.3d 1526, 1545 (Fed. Cir. 1994), here there is no hardware in the body of the claim that executes the claimed limitations.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless:
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.

Claims 1-2 and 5-15 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Lim et al. (US PGPUB No. 2012/0036370).

Regarding claim 1. Lim does disclose, a computer implemented method of secure data storage for a software application executed by an operating system in a computer system comprising [Lim, para. 0060, FIG. 3, shows a system block diagram of computer system 201 used to execute the software of the present invention. As in FIG. 2, computer system 201 includes monitor 203, keyboard 209, and mass storage devices 217. Computer system 201 further includes subsystems such as central processor 302, system memory 304; paragraph 0005-0006 disclose “secure data storage”]:
in response to a request for a file system operation in respect of data for the software application, the request identified by a file system operation interceptor executing on the computer system [Lim, para. 0072, 0102, and FIG. 4, shows a simple block diagram of a policy enforcer for implementing one or more policies according to a specific implementation of the invention. A policy enforcer 404 is installed on a workstation (e.g., a computer) 408 to protect documents on the workstation and documents accessible from the workstation. As shown in the figure, the policy enforcer includes an interceptor 412, a policy engine 416, and an obligation handler 420.  (Para. 0102), the decision to encrypt a file is based on an attribute associated with a directory (the directory encloses all of its files). When encryption service intercepts an operation to create a file on a file system, the encryption service attempts to locate an encryption required attribute associated with the directory where the file will be created.],
identifying attributes associated with the requested file system operation [Lim, para. 0197, FIG. 12, In a step 1212, the policy enforcer forwards the open document operation, along with other information related to the open document operation, to a policy engine. This related information can include identifying information (e.g., who the user is, what device is being used, what time the open operation occurs, what file is being opened, application identifying information) (e.g., attributes associated with the requested file system operation) and other information.];
retrieving a security policy definition defining circumstances in which application data can be cryptographically processed [Lim, para. 0084, 0093, 0102, FIG. 6 (Examiner equates the encryption operation that is based on a policy with the definition of the circumstances in which data is cryptographically processed, and a policy directing a policy enforcer with retrieving the policy to encrypt the document): the information management system can encrypt (e.g., as directed or based on a policy) the information or content before it is stored, e-mailed to another user, and so forth. (Para. 0093), a declarative policy instructs a policy enforcer to encrypt a document if the document is classified "top secret" and the document is saved by an employee.  (Para. 0102) the decision to encrypt a file is based on an attribute associated with a directory. When encryption service intercepts an operation to create a file on a file system, the encryption service attempts to locate an encryption required attribute associated with the directory where the file will be created. If an encryption required attribute exists and it specifies a file created in the directory should be encrypted, the encryption service will encrypt all data written to the file. If the encryption required attribute is absent or it specifies a file created in the directory should not be encrypted, no encryption will be performed on the file by the encryption service. (Paragraphs 0090, 0092, 0095, 0097, 0100, and 0103 further recite this limitation)]; and
comparing the attributes and the security policy definition and, responsive to the comparison, performing a cryptographic operation and the file system operation on the data [Lim, para. 0197 (step 1216 and steps 1228-1244), the policy engine evaluates at least one policy related to the operation, including an open document policy. In an implementation, the policy is a declarative policy.  (Steps 1228-1244) access to a document is allowed. The policy enforcer invokes encryption service to decrypt the document. In a step 1232, the encryption service extracts key ring name and key identifier from header of the document. In other implementations, the key ring name and key identifier may be stored at the end of an encrypted document, other parts of a document, or outside a document (e.g., a NTFS.RTM. stream). In a step 1236, the encryption service requests an encryption key from a policy enforcer using the key ring name and key identifier. In a step 1240, the policy enforcer returns an encryption key to the encryption service. In a step 1244, the encryption service opens the document and associates the encryption key with the opened document. Subsequent read operations can use the same encryption key to decrypt the data.].
Regarding claim 2. Lim does disclose, the method of claim 1, wherein the cryptographic operation is one of an encryption or a decryption operation using at least one cryptographic key [Lim, para. 0092, an add-on provides encryption service to an information management system that uses declarative policies to protect access to documents and use of content in a document. Encryption of a specific document may be specified as an obligation in a declarative policy... all documents managed by an information management system are encrypted].  

Regarding claim 5. Lim does disclose, the method of claim 1, wherein the attributes include one or more of: attributes of the data; attributes of a user of the software application; attributes of the software application; temporal attributes; or a type of the requested file system operation [Lim, paragraph 0082, Fig. 12, access to a document includes opening a file, writing to a file, renaming a file, copying a file, deleting a file, or changing file attributes (e.g., owner or timestamp), opening an e-mail, sending an e-mail, deleting an e-mail, viewing a webpage, posting content to a website, downloading a file from a website, uploading a file to a website, and more.].  

Regarding claim 6. Lim does disclose, the method of claim 5, wherein the attributes of the data include one or more of: a file name; a file system path; or file system attributes of the data [Lim, para. 0103, the encryption service checks the encryption required attribute on directory "/confidential/" and the encryption required attribute indicates the file should be encrypted. The encryption service performs encryption on data to be written to the file.  TABLE:
# Policy 1 - Encrypt a file using obligation
FOR document.name = "/confidential/*" ON SAVE BY user = Employees DO ALLOW AND ENCRYPT
# Policy 2 - Encrypt a file by setting a directory attribute
# (encryption required attribute on "/confidential/" is set)
FOR document.name = "/confidential/*" ON SAVE BY user = Employees DO ALLOW
].
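To illustrate the sequence mapped to claim 1 above (intercept the request, identify its attributes, retrieve the policy definitions, compare, then encrypt and complete the operation) together with the two encryption mechanisms in the policy table quoted from Lim (an ENCRYPT obligation, and an encryption required attribute on a directory), the following is an added Python sketch; it is not code from Lim, from the application, or from the Office, and the policy grammar, the directory attribute values, the user groups, the default-deny rule and the HMAC keystream construction are assumptions made for the illustration.

```python
import fnmatch
import hashlib
import hmac
import os
import re
from collections import namedtuple

# Policy grammar inferred from the table quoted from Lim (assumption):
#   FOR <attr> = "<pattern>" ON <operation> BY <attr> = <value> DO ALLOW|DENY [AND ENCRYPT]
POLICY_RE = re.compile(
    r'^FOR\s+(?P<fattr>[\w.]+)\s*=\s*"(?P<fpat>[^"]*)"\s+ON\s+(?P<op>\w+)\s+'
    r'BY\s+(?P<battr>[\w.]+)\s*=\s*(?P<bval>\w+)\s+DO\s+(?P<decision>ALLOW|DENY)'
    r'(?P<enc>\s+AND\s+ENCRYPT)?\s*$')

Policy = namedtuple("Policy", "file_attr file_pattern operation by_attr by_value allow encrypt")

def parse_policies(text):
    """Security policy definitions: one declarative rule per line, '#' comments ignored."""
    policies = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = POLICY_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable policy: {line!r}")
        policies.append(Policy(m["fattr"], m["fpat"], m["op"].upper(), m["battr"],
                               m["bval"], m["decision"] == "ALLOW", m["enc"] is not None))
    return policies

# "Encryption required" attribute per directory (Lim's second mechanism); constructed values.
DIRECTORY_ATTRS = {"/confidential/": True, "/public/": False}

def identify_attributes(request):
    """File system operation analyzer: data attributes, user/group membership, operation type."""
    return {"document.name": request["path"],
            "user": {request["user"], *request["groups"]},
            "operation": request["op"].upper()}

def matches(policy, attrs):
    """Comparator: do one policy's criteria match the request attributes?"""
    if policy.operation != attrs["operation"]:
        return False
    if not fnmatch.fnmatchcase(attrs.get(policy.file_attr, ""), policy.file_pattern):
        return False
    return policy.by_value in attrs.get(policy.by_attr, set())

def keystream_xor(key, nonce, data):
    """Cryptographic unit stand-in: HMAC-SHA256 counter keystream XORed with the data.
    Symmetric, so the same call decrypts. Illustrative only, not an authenticated cipher."""
    out = bytearray()
    for ctr in range(0, len(data), 32):
        ks = hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[ctr:ctr + 32], ks))
    return bytes(out)

def intercept(request, policies, key, store):
    """Interceptor: gate a SAVE or OPEN request on the policies, applying the encrypt
    obligation (or the directory attribute) before the file operation completes."""
    attrs = identify_attributes(request)
    hits = [p for p in policies if matches(p, attrs)]
    # Assumption: no matching policy, or any matching DENY, blocks the operation.
    if not hits or any(not p.allow for p in hits):
        return {"allowed": False, "encrypted": False, "data": None}
    path = attrs["document.name"]
    directory = path.rsplit("/", 1)[0] + "/"
    if attrs["operation"] == "SAVE":
        encrypt = any(p.encrypt for p in hits) or DIRECTORY_ATTRS.get(directory, False)
        data = request["data"]
        if encrypt:
            nonce = os.urandom(16)
            data = nonce + keystream_xor(key, nonce, data)   # nonce stored as file header
        store[path] = {"encrypted": encrypt, "data": data}
        return {"allowed": True, "encrypted": encrypt, "data": data}
    record = store[path]   # OPEN: decrypt transparently when the stored file is encrypted
    data = record["data"]
    if record["encrypted"]:
        data = keystream_xor(key, data[:16], data[16:])
    return {"allowed": True, "encrypted": record["encrypted"], "data": data}

POLICIES = """
# Policy 1 - Encrypt a file using obligation (quoted from Lim)
FOR document.name = "/confidential/*" ON SAVE BY user = Employees DO ALLOW AND ENCRYPT
# Policy 2 - Encrypt a file by setting a directory attribute (quoted from Lim)
FOR document.name = "/confidential/*" ON SAVE BY user = Employees DO ALLOW
# Constructed rules for the demonstration
FOR document.name = "/confidential/*" ON OPEN BY user = Employees DO ALLOW
FOR document.name = "/public/*" ON SAVE BY user = Contractors DO ALLOW
"""

def demo():
    """Run a constructed sequence of requests through the interceptor and return the outcomes."""
    policies, key, store = parse_policies(POLICIES), b"constructed-demo-key", {}
    plain = b"Q3 plan: confidential"
    req = lambda user, group, op, path, data=None: {"user": user, "groups": [group],
                                                    "op": op, "path": path, "data": data}
    return {"plain": plain,
            "saved": intercept(req("alice", "Employees", "save", "/confidential/plan.txt", plain),
                               policies, key, store),
            "opened": intercept(req("alice", "Employees", "open", "/confidential/plan.txt"),
                                policies, key, store),
            "denied": intercept(req("bob", "Contractors", "save", "/confidential/leak.txt", b"x"),
                                policies, key, store),
            "public": intercept(req("bob", "Contractors", "save", "/public/note.txt", b"hello"),
                                policies, key, store)}
```

Running demo() shows the employee's confidential save stored only as nonce plus ciphertext, the later open returning the plaintext, the contractor's confidential save blocked for lack of a matching policy, and the public save stored in the clear.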

Regarding claim 7. Lim does disclose, the method of claim 5, wherein the attributes of the user include one or more of: a user identifier; or a group membership or a class of the user [Lim, para. 0197 and FIG. 12, (step 1212), the policy enforcer forwards the open document operation, along with other information related to the open document operation, to a policy engine. This related information can include identifying information (e.g., who the user is, what device is being used, what time the open operation occurs, what file is being opened, application identifying information) and other information.].  

Regarding claim 8. Lim does disclose, the method of claim 5, wherein the attributes of the software application include one or more of: an identifier of the software application; an identifier of one or more processes executed by or for the software [Lim, para. 0153, FIG. 7, the control data section holds a key identifier 704, a content encryption key Kc, and other data. The other data may include a magic number, file format signature, version number, key ring name, key identifier, unencrypted file size, padding information, author name, timestamp.].  

Regarding claim 9. Lim does disclose, the method of claim 5, wherein the temporal attributes include a time associated with the requested file system operation [Lim, para. 0082, access to a document includes opening a file, writing to a file, renaming a file, copying a file, deleting a file, or changing file attributes (e.g., owner or timestamp), opening an e-mail, sending an e-mail, deleting an e-mail, viewing a webpage, posting content to a website, downloading a file from a website, uploading a file to a website, and more.].  

Regarding claim 10. Lim does disclose, the method of claim 5, wherein the type of the requested file system operation includes one of: a read operation; a write operation; or an execute operation [Lim, para. 0073, 0184, the policies allow policy enforcers (which may be called agents in specific embodiments) to make decisions on whether to allow or deny access to a particular information, execute a particular application function, or operate on a particular application data object or fragment.  (Para. 0184), access to a document includes the following file operations: opening a file, creating a file, reading a file, writing a file, renaming a file, moving a file, copying a file, or the like].  

Regarding claim 11.  Lim does disclose, the method of claim 1, wherein the security policy definition includes a definition of one or more criteria for permitting the file system operation based on attributes associated with the file system operation [Lim, para. 0064, 0105, one or more policies may be written to limit access of a document or documents from particular users and enforced by the system. A policy enforcer running on a computing device may be responsible for enforcing policies that control access to a document and use of content in a document.  (Paragraph 0105), an encryption required attribute on a directory indicates to the encryption service whether a file created in the directory or a file copied to the directory should be encrypted.].  

Regarding claim 12. Lim does disclose, the method of claim 11, wherein the one or more criteria of the security policy definition include one or more of: attributes of data; attributes of a user of a software application; attributes of a software application; temporal attributes; or a type of a file system operation [Lim para. 0105, 0209, an encryption required attribute on a directory indicates to the encryption service whether a file created in the directory or a file copied to the directory should be encrypted. An encryption required attribute may be implemented in a variety of ways, such as an extended file system attribute on a file system, a lookup table entry, or other.  (Para. 0209) classification data includes attributes associated with a document, or attributes derived from content of the document.  For example, attributes associated with a document may include file owner or path. Attributes derived from a document may include content analysis such as whether the document contains private information, or the type of the content (e.g., source code, chart data, financial data). These documents may be encrypted by using an encryption obligation.].  

Regarding claim 13. Lim does disclose, the method of claim 11, wherein comparing the attributes and the security policy definition includes determining satisfaction of the one or more criteria of the security policy definition [Lim para. 0074, FIG. 4, the policy engine evaluates at least one declarative policy relevant to the operation to determine if the operation should be allowed. If the operation is allowed, the operation continues to completion 428. If the operation is denied 428, the interceptor blocks the operation.].  

Regarding claim 14. Lim does teach, a data storage device providing secure data storage for a software application executed by an operating system in a computer system comprising [Lim, para. 0060, Fig. 2, computer system 201 includes monitor 203, keyboard 209, and mass storage devices 217.  Computer system 201 further includes subsystems such as central processor 302, system memory 304]:
a file system operation interceptor executing on the computer system that detects requests for file system operations in respect of data for the software application [Lim, para. 0072, FIG. 4, shows a simple block diagram of a policy enforcer for implementing one or more policies according to a specific implementation of the invention. A policy enforcer 404 is installed on a workstation 408 to protect documents on the workstation (e.g., a computer system) and documents accessible from the workstation. As shown in the figure, the policy enforcer includes an interceptor 412, a policy engine 416, and an obligation handler 420.]; 
a file system operation analyzer that is responsive to the file system operation interceptor and that analyzes an intercepted file system operation request to identify attributes associated with the file system operation [Lim, para. 0102, FIG. 6, In an implementation, the decision to encrypt a file is based on an attribute associated with a directory. When encryption service intercepts an operation to create a file on a file system, the encryption service attempts to locate an encryption required attribute associated with the directory where the file will be created. If an encryption required attribute exists and it specifies a file created in the directory should be encrypted, the encryption service will encrypt all data written to the file. If the encryption required attribute is absent or it specifies a file created in the directory should not be encrypted, no encryption will be performed on the file by the encryption service.  (Para. 0023, 0082, and FIG. 4) intercepting the accessing an encrypted document operation at the encryption service; identifying the application program attempting the accessing an encrypted document operation; determining if the application program can be trusted to protect unencrypted content of the encrypted document; if the application program is determined to be trusted, decrypting the encrypted document to produce unencrypted content and providing the unencrypted content to the application program; and if the application program is determined not to be trusted, providing encrypted content of the encrypted document to the application program.  (Paragraph 0082) access to a document includes opening a file, writing to a file, renaming a file, copying a file, deleting a file, or changing file attributes (e.g., owner or timestamp), opening an e-mail, sending an e-mail, deleting an e-mail, viewing a webpage, posting content to a website, downloading a file from a website, uploading a file to a website, and more.];
a comparator that compares the attributes with a predefined security policy defining circumstances in which application data can be cryptographically processed [Lim, para. 0092-0093, 0102, an add-on provides encryption service to an information management system that uses declarative policies to protect access to documents and use of content in a document. Encryption of a specific document may be specified as an obligation in a declarative policy… In an implementation, only documents that require extra protection are encrypted. In another implementation, documents selected by a user are encrypted. In another implementation, all documents managed by an information management system are encrypted.  (Para. 0093), a declarative policy instructs a policy enforcer to encrypt a document if the document is classified "top secret" and the document is saved by an employee.  (Para. 0102) In an implementation, the decision to encrypt a file is based on an attribute associated with a directory. When encryption service intercepts an operation to create a file on a file system, the encryption service attempts to locate an encryption required attribute associated with the directory where the file will be created. If an encryption required attribute exists and it specifies a file created in the directory should be encrypted, the encryption service will encrypt all data written to the file. If the encryption required attribute is absent or it specifies a file created in the directory should not be encrypted, no encryption will be performed on the file by the encryption service.]; and
a cryptographic unit that performs at least one of data encryption or data decryption using one or more cryptographic functions [Lim, para. 0097, 0100, FIG. 6, the encryption handler implements the encryption service performed by the encryption service add-on. When a policy obligation specifies the encryption of a file, the obligation handler invokes an encryption function 606 in the encryption service add-on to encrypt a document… The encryption function is invoked for each file via the encryption service, independent of whether a policy obligation specifies the encryption of a file. (Para. 0100) The obligation handlers are responsible for carrying out tasks before or after policy evaluation. It is often implemented as plug-ins or add-ons to a policy enforcer. For example, a logging obligation handler may log an intercepted operation into an activity database before the policy engine evaluates the policies. In another example, a logging obligation handler logs only operations that are denied by a policy engine whereby logging occurs only after the policy engine evaluates policies on an operation. In another example, an encryption obligation handler encrypts a document when directed by a policy. In yet another example, a notification obligation handler sends an e-mail message to an administrator notifying the administrator of a failed attempt to access a document classified as "top secret."];
wherein the cryptographic unit is operable in response to the comparator to perform an encryption operation or a decryption operation on the data and effect performance of the requested file system operation by the operating system [Lim, para. 0097, Fig. 6, the encryption handler implements the encryption service performed by the encryption service add-on. When a policy obligation specifies the encryption of a file, the obligation handler invokes an encryption function 606 in the encryption service add-on to encrypt a document… The encryption function is invoked for each file via the encryption service, independent of whether a policy obligation specifies the encryption of a file.].  

Regarding claim 15. Lim does disclose, a non-transitory computer-readable storage element storing a computer program comprising computer program code to, when loaded into a computer system and executed thereon [Lim paragraph 0058, a computer-implemented or computer-executable version of the invention may be embodied using, stored on, or associated with computer-readable medium.  A computer-readable medium may include any medium that participates in providing instructions to one or more processors for execution.]: The limitations of the non-transitory computer-readable storage element claim are the same as or similar to the limitations of computer implemented method claim 1, and are similarly rejected.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 3 and 4 are rejected under 35 U.S.C. 103 as being unpatentable over Lim et al. (US PGPUB # 2012/0036370) [This prior art is provided/cited in the IDS] in view of Tkacik et al. (US Patent No. 8,572,410) [This prior art is provided/cited in the IDS].

Regarding claim 3. Lim does disclose, the method of claim 2 above.  Lim does not disclose, wherein the at least one cryptographic key is selected based on an association between the at least one cryptographic key and the software application.
However, Tkacik does disclose, wherein the at least one cryptographic key is selected based on an association between the at least one cryptographic key and the software application [Tkacik, Col. 4, line 62-65, and FIG. 1, the interface portal 126 can be one or more registers within a specific bus address range that enables software to perform a specific task involving communication with the cryptographic engine 102.  (Col. 9, line 31-33 and line 36-38), In an illustrative embodiment, the key derivation function 408 receives the master secret 416, a key modifier 418, security state information 420, and an operating system tag 422…The key modifier 418 can be a 128-bit user tag that is supplied by a user and can be an application tag, identifying a specific software application].  
Lim and Tkacik are in the same field of endeavor as they both pertain to information and document management, and more specifically, to protecting documents at rest and in motion using declarative policies and encryption.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Lim, which relates to information and document management, and more specifically, to protecting documents at rest and in motion using declarative policies and encryption (Lim, please see abstract and paragraph 0003), with the teachings of Tkacik (Tkacik, Col. 4, line 62-65, and FIG. 1, and Col. 9, line 31-33 and line 36-38) to enable Lim to encrypt a file, a document, or a software application as part of securing that information, to use the policy rules to associate an encryption key with a software application used in the operating system, and to ensure that the appropriate software runs on the device.

Regarding claim 4. Lim does disclose, the method of claim 2 above. Lim does not disclose, wherein the association between the at least one cryptographic key and the software application is defined by the security policy definition. 
However, Tkacik does disclose, wherein the association between the at least one cryptographic key and the software application is defined by the security policy definition [Tkacik, Col. 10, line 25-43, FIG. 4,  A user may desire software to be encrypted, thereby disallowing use by other users, and may thus place the software into a blob. The software may not be encrypted on the disk with a disk encryption key but rather simply placed into a blob 406. The blob 406 can be tagged, for example with a value of 21, to identify the blob containing the encrypted software. When the blob is unpacked, the user can specify that a blob of encrypted code exists and is tagged with the value 21. If another user has replaced the blob containing the encrypted software with another blob, such as a HDCP blob that was encrypted using a user tag other than 21, then the tag will be incorrect and decryption will not be available. The user tag thus enables a user to create user-defined separation between blobs. The user tag is enforced by the user. In contrast, the operating system tag is hardware-enforced. The user is allowed to change the user tag but not to change the operating system tag. The master secret 416 remains the same even though the security state 420 changes.].
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Lim, which relates to information and document management, and more specifically, to protecting documents at rest and in motion using declarative policies and encryption (Lim, please see abstract and paragraph 0003), with the teachings of Tkacik (Tkacik, Col. 10, line 25-43, FIG. 4) to enable Lim to encrypt a file, a document, or a software application as part of securing that information, to use the policy rules to associate an encryption key with a software application used in the operating system, and to ensure that the appropriate software runs on the device.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure:
US PGPUB No. (2013/0151848) to Baumann discloses, Implementations for providing a persistent secure execution environment with a hosted computer are described. A host operating system of a computing system provides an encrypted checkpoint to a persistence module that executes in a secure execution environment of a hardware-protected memory area initialized by a security-enabled processor.
US PGPUB No. (2010/0146582) to Jaber discloses, a method of enforcing an encryption policy in an information handling system for receiving a request for access to data, automatically identifying from a plurality of encryption policies a particular encryption policy associated with the requested data, selecting an available encryption implementation module capable of enforcing the identified encryption policy, and initiating an encryption or decryption of the requested data using the selected encryption implementation module.
US PGPUB No. (2011/0296164) to Boebert discloses, a system and method for providing secure network services. A secure computer including a 
US Patent No. (8,613,103) to Holtzman discloses, a data object storing data in the memory device is associated with at least one software application. Accessing the object will invoke the at least one software application which processes the data in the object. Individual ones of a plurality of first sets of protocols are selectable for enabling data to be provided and stored in a data object.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MOHAMMAD S SHAMS whose telephone number is (571)272-3406.  The examiner can normally be reached on Monday-Friday 8:00 AM-5:30 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on (571) 272-3811.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

/MOHAMMAD S SHAMS/Examiner, Art Unit 2434  

/SAMSON B LEMMA/Primary Examiner, Art Unit 2498