DETAILED ACTION
	This is in response to the application filed on November 20, 2019.  A preliminary amendment was filed canceling Claim 1 and adding Claims 2 – 21.  Claims 2 – 21, of which Claims 2, 9, and 16 are in independent form, are presented for examination.
Notice of Pre-AIA  or AIA  Status
The present application is being examined under the pre-AIA  first to invent provisions. 
Information Disclosure Statement
The information disclosure statement (IDS) submitted on November 20, 2019 was filed before the mailing date of the current action.  The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
1.	Claims 2 – 4, 9 – 11, 14, and 16 – 18 are rejected on the ground of nonstatutory double patenting as being unpatentable over Claim 7 of U.S. Patent No. 7,310,669. Although the claims at issue are not identical, they are not patentably distinct from each other because:
Appl. 16/689231
Patent 7,310,669
Claim 2:   A method to manage an audit of a network, the method comprising:
   providing an auditor configured to perform a vulnerability assessment on one or more devices in the network that are subject to a common security policy;
   providing an extension auditor configured to provide a reflected audit of devices in the network that are outside a reach of the auditor;
   obtaining information about an audit being performed by the auditor, the extension auditor, or both the auditor and the extension auditor; and
   providing a report including results of the audit being performed.
Claim 3: The method of claim 2, wherein the devices in the network that are outside the reach of the auditor, are outside the reach because of a firewall.
Claim 4:  The method of claim 2, wherein the audit being performed by the auditor, 
Claim 14:  The non-transitory computer-readable medium of claim 9, wherein the operations further comprise:
   providing a report including results of the audit being performed.
Claim 7:  A system for managing an audit of a computing asset over a network comprising: 
   an audit extension device comprising:
      program code that is operative to perform actions, comprising:
         receiving through a security perimeter an audit request to be performed on the computing asset, wherein the computing asset is on a different side of the security perimeter as the audit extension device;
         reflecting the audit based on the request towards the computing asset;  and 
         sending a result of the audit through the security perimeter; and 
   an audit device comprising:
      program code that is operative to 
perform actions, comprising:
sending the request for the audit through the security perimeter to the audit extension device;
         receiving the result of the audit from the audit extension device through the security perimeter; and
         based at least in part on a security policy, performing a remediation action wherein the security perimeter is implemented through a single network device. 
Claim 9 is directed to a non-transitory computer-readable medium to perform the method of Claim 2.

Claims 10 and 11 are directed to a non-transitory computer-readable medium to perform the method of Claims 3 and 4, respectively.

Claim 16 is directed to a system that performs the method of Claim 2.

Claims 17 and 18 are directed to a system that performs the method of Claims 3 and 4, respectively.


Claims 2 – 5, 9 – 12, 14, and 16 – 19 are rejected on the ground of nonstatutory double patenting as being unpatentable over Claims 1 and 5 of U.S. Patent No. 8,554,903. Although the claims at issue are not identical, they are not patentably distinct from each other because:
Appl. 16/689231
Patent 8,554,903
Claim 2:   A method to manage an audit of a network, the method comprising:
   providing an auditor configured to perform a vulnerability assessment on one or more devices in the network that are subject to a common security policy;
   providing an extension auditor configured to provide a reflected audit of devices in the network that are outside a reach of the auditor;
   obtaining information about an audit being performed by the auditor, the extension auditor, or both the auditor and the extension auditor; and
   providing a report including results of the audit being performed.
Claim 3: The method of claim 2, wherein the devices in the network that are 
Claim 4:  The method of claim 2, wherein the audit being performed by the auditor, the extension auditor, or both the auditor and the extension auditor includes an audit of one or more end-points in the network.
Claim 14:  The non-transitory computer-readable medium of claim 9, wherein the operations further comprise:
   providing a report including results of the audit being performed.
Claim 1:  A system for managing an audit of a computing asset over a network comprising: 
   an audit extension device comprising:
      program code that is operative to cause the audit extension device to perform actions, comprising:
         receiving through a security perimeter an audit request to be performed on the computing asset, which audit request comprises, at least in part, a request for information to be provided by the computing asset;
         reflecting the audit based on the request towards the computing asset;  and
sending a result of the audit through the security perimeter; and
   an audit device comprising:
      program code that is operative to cause the audit device to perform actions, comprising: 
         sending the audit request through the security perimeter to the audit extension device;
         receiving the result of the audit from the audit extension device through the security perimeter; and 
         based at least in part on a security policy, performing a remediation action. 
Claim 5:  The method of claim 2, wherein the audit being performed by the auditor includes determining whether revisions to the common security policy are needed.
Claim 5:  The system of claim 1, wherein performing a remediation action further 
comprises at least one of providing a recommendation on a configuration, control, security policy, or a procedure associated with the computing asset.
Claim 9 is directed to a non-transitory computer-readable medium to perform the method of Claim 2.

Claims 10 and 11 are directed to a non-transitory computer-readable medium to perform the method of Claims 3 and 4, respectively.

Claim 12 is directed to a non-transitory computer-readable medium to perform the method of Claim 5.

Claim 16 is directed to a system that performs the method of Claim 2.

Claims 17 and 18 are directed to a system that performs the method of Claims 3 and 4, respectively.

Claim 19 is directed to a system that performs the method of Claim 5.



3.	Claims 2 – 5, 7 – 12, 14 – 19, and 21 are rejected on the ground of nonstatutory double patenting as being unpatentable over Claims 1 and 2 of U.S. Patent No. 10,154,057. Although the claims at issue are not identical, they are not patentably distinct from each other because:
Appl. 16/689231
Patent 10,154,057
Claim 2:   A method to manage an audit of a network, the method comprising:
   providing an auditor configured to perform a vulnerability assessment on one or more devices in the network that are subject to a common security policy;
   providing an extension auditor configured to provide a reflected audit of devices in the network that are outside a reach of the auditor;
   obtaining information about an audit being performed by the auditor, the extension auditor, or both the auditor and the extension auditor; and
   providing a report including results of the audit being performed.
Claim 3: The method of claim 2, wherein the devices in the network that are outside the reach of the auditor, are outside the reach because of a firewall.
Claim 4:  The method of claim 2, wherein the audit being performed by the auditor, the extension auditor, or both the auditor 
Claim 5:  The method of claim 2, wherein the audit being performed by the auditor includes determining whether revisions to the common security policy are needed.
Claim 7:  The method of claim 2, further comprising:
initiating, by the auditor, communication between the extension auditor and the auditor by sending a request for an audit to be performed on a device in the network through a security perimeter, the request for the audit including a request for information to be provided by the device, wherein the device is separate from the auditor;
determining, by the auditor, whether an audit result indicates that the device complies with the common security policy;

relinquishing, by the auditor, operations to the extension auditor, in response to the device failing to satisfy the common security policy.
Claim 14:  The non-transitory computer-readable medium of claim 9, wherein the operations further comprise:
   providing a report including results of the audit being performed.
Claim 1:  A method to manage an audit by an audit device, comprising: 
   initiating, by the audit device, communication between an audit extension device and the audit device for the audit by sending a request for the audit to be performed on a computing asset through a security perimeter to the audit extension device, the request for the audit including a request for information to be provided by the computing asset, wherein the computing asset is separate from the audit device;
   receiving, by the audit device, an audit result of the audit from the audit extension device through the security perimeter;
   determining, by the audit device, whether the audit result indicates that the computing asset satisfies a security policy;
instructing, by the audit device, the audit extension device to quarantine the computing asset in a quarantined network in response to the computing asset failing to satisfy the security policy;  and 
   relinquishing, by the audit device, operations to the audit extension device, in response to the computing asset failing to satisfy the security policy. 
Claim 8:  The method of claim 7, further comprising:
removing the device, by the extension auditor, from the quarantined network in response to the audit result indicating that the device satisfies the common security policy.
Claim 2:  The method of claim 1, further comprising removing the computing asset, by the audit extension device, from the quarantined network in response to the audit result indicating that the computing asset satisfies the security policy.
Claim 9 is directed to a non-transitory computer-readable medium to perform the method of Claim 2.

Claims 10 and 11 are directed to a non-transitory computer-readable medium to perform the method of Claims 3 and 4, respectively.

Claim 12 is directed to a non-transitory computer-readable medium to perform the method of Claim 5.

Claim 15 is directed to a non-transitory computer-readable medium to perform the method of Claim 8.

Claim 16 is directed to a system that performs the method of Claim 2.

Claims 17 and 18 are directed to a system that performs the method of Claims 3 and 4, respectively.

Claim 19 is directed to a system that performs the method of Claim 5.

Claim 21 is directed to a system that performs the method of Claim 8.



Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 2 – 6 and 9 – 15 are rejected under 35 U.S.C. 101 because the claimed invention is directed to a judicial exception without significantly more.
4.	Regarding Claims 2 and 9, the claim(s) recite(s) “providing an auditor configured to perform a vulnerability assessment on one or more devices in the network that are subject to a common security policy; providing an extension auditor configured to provide a reflected audit of devices in the network that are outside a reach of the auditor; obtaining information about an audit being performed by the auditor, the extension auditor, or both…; and providing a report including results of the audit being performed “. This judicial exception is not integrated into a practical application because the claimed steps are nothing more than managing the behavior or people.  For example, the first two limitations can merely recite a person installing software products or placing devices (i.e., providing) in specific locations; the devices are already configured.  The obtaining information and providing a report limitations can merely recite a person reading outputs visually from one of the devices and verbally communicating that to another person.  Therefore, the claims fail Revised Step 2A, Prong One, of the 2019 Revised 101 Patent Eligibility Guidelines.
Additionally, the claim(s) does/do not include additional elements that are sufficient to amount to significantly more than the judicial exception because the configured devices or the audit itself do not provide additional elements or combination of elements that impose a meaningful limit on the judicial exception because they 
5.	Regarding Claims 3 – 6 and 10 – 15, the claim(s) does/do not include additional elements that are sufficient to amount to significantly more than the judicial exception because the audit, various devices, and where the devices are placed regarding a network do not provide additional elements or combination of elements that impose a meaningful limit on the judicial exception because they generally link the use of the judicial exception to a particular technological environment or field of use. See MPEP 2106.05(h).  
Claims 16 – 21 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.  
6.	Regarding Claims 16 – 21, the claim(s) does/do not fall within at least one of the four categories of patent eligible subject matter because the claimed system comprises an auditor and extension auditor that can, according to the specification, comprise purely software [See PGPub. 2020/0236127; Para. 0018; “present invention may take the form of…an entirely software embodiment”].  Therefore, the claims are non-statutory as being software per se.
Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of pre-AIA  35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –



Claims 2 – 6 and 9 – 20 are rejected under pre-AIA  35 U.S.C. 102(a) as being anticipated by PGPub. 2003/0051163 (hereinafter “Bidaud”).
7.	Regarding Claims 2, 9, and 16, Bidaud discloses of a non-transitory computer-readable medium (Claim 9) storing executable instructions that, when executed, cause one or more processors (Claim 16; system) to perform operations (Claim 2; method), [Figs, 1, 5, 8, and 10; Abstract] comprising:
providing an auditor configured to perform a vulnerability assessment on one or more devices in the network that are subject to a common security policy [Figs. 1, 5, 8, 10, and 12; Para. 0046-55, 0081; console (auditor) initiates testing of the integrity of each of the firewalls and general security of the network system (common security policy) to be performed on various remote networks to the remote agents within these networks];
providing an extension auditor configured to provide a reflected audit of devices in the network that are outside a reach of the auditor [Figs. 1, 5, 8, and 10; Para. 0046-53, 0081; console (audit device) initiates testing of the integrity of each of the firewalls and general security of the network system to be performed on various remote networks to the remote agents (extension auditor) within these networks (outside the reach of the auditor)]; and
obtaining information about an audit being performed by the auditor, the extension auditor, or both the auditor and the extension auditor [Fig. 10; Para. 0053, 0081].
Claims 3, 10, and 17, Bidaud discloses all the limitations of Claims 2, 9, and 16 above.  Bidaud further discloses that the devices in the network that are outside the reach of the auditor, are outside the reach because of a firewall [Figs. 1, 3, and 4].
9.	Regarding Claims 4, 11, and 18, Bidaud discloses all the limitations of Claims 2, 9, and 16 above.  Bidaud further discloses that the audit being performed by the auditor, the extension auditor, or both the auditor and the extension auditor includes an audit of one or more end-points in the network [Fig. 12; Para. 0055; probing the firewalls].
10.	Regarding Claims 5, 12, and 19, Bidaud discloses all the limitations of Claims 2, 9, and 16 above.  Bidaud further discloses that the audit being performed by the auditor includes determining whether revisions to the common security policy are needed [Figs. 17-20; Para. 0076-81; configurations for the agents are synchronized to perform the tests].
11.	Regarding Claims 6, 13, and 20, Bidaud discloses all the limitations of Claims 2, 9, and 16 above.  Bidaud further discloses that the one or more end-point is a wireless end point [Fig. 2; Para. 0043].
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
PGPub. 2003/0009696 – system and method for external network security testing;
PGPub. 2003/0217039 – system and method for automated testing of a target network from an external server;

Contacts
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Tae K. Kim, whose telephone number is (571) 270-1979.  The examiner can normally be reached on Monday - Friday (10:00 AM - 6:30 PM EST).
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Saleh Najjar, can be reached on (571) 272-4006.  The fax phone number for submitting all Official communications is (703) 872-9306.  The fax phone number for submitting informal communications such as drafts, proposed amendments, etc., may be faxed directly to the examiner at (571) 270-2979.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov.  Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at (866) 217-9197 (toll-free).

/TAE K KIM/Tae K. Kim
Primary Examiner, Art Unit 2492