DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Amendments
The amendments filed 01/25/2021 have been entered. Claims 1-18 remain pending in the application.  
Applicant’s arguments, filed 01/25/2021, with respect to the Claim objections have been fully considered and are persuasive. Therefore the previous Claim objections have been withdrawn. However, upon further consideration, new ground(s) of objection have been raised (see Claim Objections below).
Applicant’s arguments, filed 01/25/2021, with respect to rejections under 35 U.S.C. 112(a) have been fully considered and are persuasive. Therefore the previous rejections have been withdrawn.
Applicant’s arguments, filed 01/25/2021, with respect to rejections under 35 U.S.C. 112(b) have been fully considered and are persuasive. Therefore the previous rejections have been withdrawn. However, upon further consideration, new ground(s) of rejection have been raised (see Claim Rejections - 35 USC § 112 below).

Response to Arguments
Applicant's arguments filed 01/25/2021 with respect to rejection under 35 U.S.C. 103 have been fully considered but they are not persuasive.

Further, the applicant argues that Zhong does not teach the amended claim language. However, this is a piecemeal analysis of the prima facie case of obviousness and the applicant has disregarded the combination of the applied art (at least Zhong in view of NIST) and has failed to address any of the reasons why such a combination renders the instant invention obvious.
In response to applicant's arguments against the references individually, one cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references.  See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986).
 For at least the reasons above, the applicant’s arguments regarding the rejection under 35 U.S.C. 103 are not persuasive and thus the rejection is maintained. For further details the examiner refers to the rejection below. 

Claim Objections
Claim 12 is objected to because of the following informalities:  
Claim 12 recites “wherein first and second degrees of performance include…” While it is clearly understood that “first and second degrees” refer to the previously claimed first and second degrees of performance as recited in at least Claim 8, the word “the” is needed because specific degrees of performance are being called out. Thus, Claim 12 should instead recite “…wherein the first and second degrees of performance include…”

Claim Rejections - 35 USC § 112

The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1-18 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
Claims 1, 8, and 13 have been amended to recite, at least in part, 
“creating an information technologies (IT) functional model based on security requirements and security implementations of the business-based meta model and the contract model to generate policies for deployment…” 

Using Claim 1 as a representative claim, the next limitation of Claim 1 recites 
“generate a set of policies for deployment by applying the set of compliance constraints to the IT functional model.” 

However, it is unclear what the difference is, if any, between these set(s) of policies for deployment. The examiner requests clarification.
	For purposes of examination, the set(s) of policies for deployment will be interpreted as encompassing the same set of policies (i.e. no functional difference). 
	
Claims 7, 12, and 18 recite: 
wherein the first and second degrees of performance include a measure for security compliance to a first compliance regulation rule, the measure included in the pre-defined threshold

It is unclear what functionality is encompassed by “the measure included in the pre-defined threshold.” 
	That is, as claimed in the respective independent claims, the first and second degrees of performance are already established as some comparison between at least some number and the “pre-defined threshold.” Therefore, when claims 7, 12, and 18 recite that there is some second measure and this second measure is “included in the pre-defined threshold”, it is unclear whether or not this measure defines some second threshold (which, in the context of this claim, the disclosure does not provide support for) or is referring to what the pre-defined threshold is. In either case, the phrase “the measure included in the pre-defined threshold” renders the claim(s) indefinite.

Claim Rejections - 35 USC § 103
For clarity of record and ease of reading, the examiner notes the following: 
Any text that is bolded
The “teaching” or reference citation, along with any necessary examiner notes are contained within the parentheses “()” following the bolded claim language. 
Any text that is underlined is emphasized language from reference(s) used and/or particular important examiner notes. While NOT fully reflective of the rejection as a whole, these underlined passages are indicative or otherwise reflective of key evidence.   

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-18 are rejected under 35 U.S.C. 103 as being unpatentable over Zhong et al. (Ontology-based semantic modeling of regulation constraint for automated construction quality compliance checking, NPL 2012) in view of NIST Special Publication 800-53 Revision 4 (NPL 2013, hereinafter “NIST”).

With respect to Claim 1, Zhong teaches a computer implemented method comprising: establishing a first ontology data structure having a hierarchical description including a business-based meta model (Pg. 60 Section 3. Col. 2 “In this section, a model for construction quality inspection and evaluation i.e. CQIEOntology is proposed as shown in Fig. 1. Based on CQIEOntology, together with the support of the construction process ontology, the regulation constraints can be modeled in OWL axioms and SWRL rules for construction quality inspection and 
Zhong also teaches establishing a second ontology data structure having a hierarchical description including a first external compliance dataset and contract model (Pg. 60 Section 3. Col. 2 “In this section, a model for construction quality inspection and evaluation i.e. CQIEOntology is proposed as shown in Fig. 1. Based on CQIEOntology, together with the support of the construction process ontology, the regulation constraints can be modeled in OWL axioms and SWRL rules for construction quality inspection and evaluation.” Pg. 61 Col. 1 “In CQIEOntology, the regulation-Constraint constitutes the main inspection knowledge, since the focus is the regulation-based quality inspection. Each constraint comes from the corresponding provision text in regulations. The relation “hasRegulation” associates the constraint with the provision text from which constraint is extracted.” The examiner notes that the referenced “provision text” teaches the claimed first external compliance dataset. Under the broadest reasonable interpretation (BRI), this dataset is some collection of laws, rules, regulations, etc. that guide a particular inspection or regulation. Pg. 61 “As shown in Fig. 1…each main concept indicates one facet of the inspection objects, and can be modeled as the construction process ontology.” The examiner notes that a person of ordinary skill in the art would realize that the CQIEOntology of Zhong teaches the business-based meta model because this particular model is an ontology of the processes that define business goals, objectives, etc. The examiner further notes that the “process model” noted in Zhong teaches the claimed contract model. The examiner notes that, as stated in the claim, this contract model, at least in part, establishes “a second ontology.” Zhong recites on Pg. 60 Col. 2 “In this section a meta model for construction quality inspection and evaluation i.e. CQIEOntology is proposed….based on CQIEOntology, together with support of the construction process ontology, the regulation constraints can be modeled in OWL axioms and SWRL rules…” As can be understood by a person of ordinary skill in the art, the claimed “first ontology data structure” (see preceding limitation) is equivalent to the disclosed CQIEOntology (e.g. meta-model) and the possible construction process ontology(s) are equivalent to the claimed “second ontology data structure” since the second ontology structure is a “specific” ontology based on a specific job. Further still, Pg. 61 Col. 1 “Basing on the meta model, the specific domain model for the construction quality inspection can be obtained via specializing and instantiating the generic concepts and relations in the meta model.”).
Zhong further teaches deriving a set of inference rules by converting regulation-constraint knowledge described in web ontology language (OWL) axioms and semantic web rule language (SWRL) rules into new facts and identifying a first set of matching facts in working memories in accordance with the business-based meta model (Zhong Pg. 66 Col. 1 which recites “In this research, actual reasoning process is conducted through the JESS rule engine. The JESS rule engine converts a combination of OWL+SWRL rules into jess facts (i.e. new facts). The inferences are carried out in JESS inference engine by matching facts in working memories in accordance with the rules in the rule base. Also, if the inference engine construct [emphasis in original] in JESS is used to declare a fact. The declared facts will be saved in the JESS fact base.” Further, see Figure 6. Note especially the “facts/knowledge base” and how facts + rules are sent to the JESS rule engine. ). 
Zhong further teaches determining a set of compliance constraints based on the set of inference rules from the first ontology data structure and the first external compliance dataset of the second ontology data structure (Pg. 60 Section 3. Col. 2 “In this section, a model for construction quality inspection and evaluation i.e. CQIEOntology is proposed as shown in Fig. 1. Based on CQIEOntology, together with the support of the construction process ontology, the regulation constraints can be modeled in OWL axioms and SWRL rules for construction quality inspection and evaluation.” Pg.61 Col. 1 “In CQIEOntology, the regulation-Constraint constitutes the main inspection knowledge, since the focus is the regulation-based quality inspection. Each constraint comes from the corresponding provision text in regulations. The relation “hasRegulation” associates the constraint with the provision text from which constraint is extracted.” The examiner notes that the referenced “provision text” reads on the claimed first external compliance dataset. Under the broadest reasonable interpretation (BRI), this dataset is some collection of laws, rules, regulations, etc. that guide a particular inspection or regulation. The examiner notes that the rule “hasRegulation” teaches the claimed inference rules. Further Pg. 66 Section 5 “In this research, actual reasoning process is conducted through the JESS rule engine. The JESS rule engine converts a 
Zhong further teaches creating [a]…functional model based on…requirements and…implementations of the business based meta model and the contract model to generate policies for deployment (Zhong teaches the claim language. For example Pg. 68 Col. 2 recites “From this scenario, we can see that these rules enable the regulatory provisions to be integrated with the construction process, and the regulatory compliance checking is regarded as a paralleling activity to construction process rather than as an afterthought.” The examiner notes that, under the broadest reasonable interpretation, the functionality of “integrated” reads on the functionality of “creating.” In addition to or in the alternative, Note Figure 3 which shows a specific task having specific requirements as an instance of the ontology. The examiner notes that an instance having specific requirements teaches the claimed functional model to generate policies for deployment.). 
Zhong further teaches generating a set of policies for deployment by applying the set of compliance constraints to the…functional model (Pg. 60 Section 3. Col. 2 “In this section, a model for construction quality inspection and evaluation i.e. CQIEOntology is proposed as shown in Fig. 1. Based on CQIEOntology, together with the support of the construction process ontology, the regulation constraints can be modeled in OWL axioms and SWRL rules for construction quality Inspection-Object concepts…are also the concepts of the construction process model. In order to reuse the existing research results, the structure and definition of these concepts remain the same as the original concepts defined in the construction process model. Through the Inspection-Object concept, the CQIEOntology for compliance checking can interact with the construction process model.” The examiner notes that the interaction of the process model with the modeled rules and constraints teaches generating a set of policies for deployment by applying the set of compliance constraints to the functional model. Further Pg. 62 Section 4 “Basing on the CQIEOntology meta model. Along with above-mentioned ontology, the real construction information can be represented as the ontology instances in OWL, and the regulation constraints can be modeled into the OWL axioms and SWRL rules.” Still further, Pg. 68 Col. 2 “From this scenario, we can see that these rules enable the regulatory provisions to be integrated with the construction process, and the regulatory compliance checking is regarded as a paralleling activity to construction process rather than as an afterthought.” The examiner further notes Figure 3. The examiner especially notes the relation of “regulation constraint” (see Ontology) to the “inspection object” (e.g. UDW_construction-Tasks_1). A person of ordinary skill in the art would readily infer that based on the constraints (e.g. provision 7.6.7 and/or 7.6.12) the process (e.g. policy) by which UDW_construction-task_1 is completed is generated. Further see Figure 5.).
deploying the…functional model to apply the generated policies (The examiner notes, initially, the extreme breadth of this limitation. That is, under the broadest reasonable interpretation, the functionality encompassed by “deploying” is interpreted as any use of the model/ontology. In Zhong, the ontology is used for construction quality compliance and specifically discloses the use of “the quality specification “code for Acceptance of Construction Quality of Building Foundation (GB50202-2002)”. Further, on Pg. 68, retrieved and/or received data is compared to the constraint (see “quality inspection data”.). The use of Zhong’s ontology for determining if actual quality inspection data is within a constraint teaches the claimed functionality of “deploying.”). 
determining a first degree of performance of the…functional model by collecting evidence during deployment (Pg. 68 Col. 2 The permissible deviation for the underground-diaphragm-wall trench’s verticality degree should be less than 1/300 (acceptance criteria), if the underground diaphragm wall acts as permanent structure (from provision 7.6.12 in GB 50202-2002). Once the actual deviation (quality inspection data) is got, Rule 5-1/2 is fired to compare the actual deviation…the permissible deviation, thus the evaluation result is determined, and the quality evaluation value isAccepted is assigned to the property hasInsepectionItemQualityEvaluationResult. At the same time, the quality inspection items with the result “isAccepted.” The “got” “quality inspection data” teaches the claimed “collecting evidence” and the disclosed “actual deviation” teaches “determining a first degree of performance.”).
Zhong further still teaches responsive to the first degree of performance being above or below a pre-defined threshold, determining to modify the business-based meta model to create a revised business-based meta model (Pg. 68 Col. 2 The permissible deviation for the underground-diaphragm-wall trench’s verticality degree should be less than 1/300 (acceptance criteria), if the underground diaphragm wall acts as permanent structure (from provision 7.6.12 in GB 50202-2002). Once the actual deviation (quality inspection data) is got, Rule 5-1/2 is fired to compare the actual deviation…the permissible deviation, thus the evaluation result is determined, and the quality evaluation value isAccepted is assigned to the property hasInsepectionItemQualityEvaluationResult. At the same time, the quality inspection items with the result “isAccepted.” Further See Pg. 66 Rule 5-1 and/or Rule 5-2. A person of ordinary skill in the art would readily infer that the system checks the available data against the “rules and regulations” and the “allowed deviation” (e.g. see Rules 5-1, 5-2 “less than” and/or “greater than”). Based on the result (e.g. hasInspectionItemQualityEvaulationResult) the meta-model will be revised (e.g. is accepted or defected). Determining that certain data is outside and/or inside the allowable deviation and classifying or otherwise attaching the “accepted-entity” and/or “defected-entity” to the data teaches the functionality of modification which the claim requires. Further note Zhong Pg. 68 (below the rule definitions) “After executing Rule 5-1/2, the inspection items, whose ActualDeviation [emphasis in original] is less than PermissibleDeviation, will be classified into the Accepted-Entity, which means that the inspection quality satisfies the requirements. Otherwise, the quality inspection items will be classified as Defected-Entity, which means that further measures (investigations or rework) need to be taken.” The examiner notes that if a quality inspection item is 
Zhong further teaches identifying a second set of matching facts in the working memories in accordance with the revised business-based meta model (The examiner notes that under the broadest reasonable interpretation, this limitation is interpreted as merely receiving new and/or updated information. Zhong Pg. 66 Col. 1 which recites “In this research, actual reasoning process is conducted through the JESS rule engine. The JESS rule engine converts a combination of OWL+SWRL rules into jess facts (i.e. new facts). The inferences are carried out in JESS inference engine by matching facts in working memories in accordance with the rules in the rule base. Also, if the inference engine infers knowledge using forward chaining, the new knowledge can be used for further inference or querying stored or inferred knowledge.” Further Pg. 67 Col. 1-2 describe how “facts” are defined in JESS. Specifically Col. 2 recites “Here the assert construct [emphasis in original] in JESS is used to declare a fact. The declared facts will be saved in the JESS fact base.” Further, see Figure 6. Note especially the “facts/knowledge base” and how facts + rules are sent to the JESS rule engine. The examiner notes that a person of ordinary skill in the art would readily infer that the claimed “second set of matching facts” is the creation of any number of “JESS facts” as disclosed in Zhong (e.g. See “a combination of OWL+SWRL rules into jess facts (i.e. new facts).). 
Zhong further teaches creating a revised IT functional model from the revised business-based meta model and the contract model (The examiner initially notes for the record that the term “revised IT functional model” does not appear explicitly within the as-filed specification. However, this limitation is considered to have implicit but limited support. The as-filed specification has only one (1) instance of the word “revise(d)” and appears in paragraph [0079]. In part, this paragraph recites “when a contract modification is made, a revised version of the contract is made having known, accepted IT parameters…[0080] When communication of step 614 is received, an IT functional model is dynamically derived with the help of an enterprise ontology and various artifact generated from contract analytics. That is an IT instance is create from project-specific policies….” Based on this support, the above limitation is interpreted as encompassing the same subject matter and/or scope as the “creating an IT functional model…” limitation above and is further interpreted as an iterative process. That is, based on new incoming data (i.e. “revised version of the contract”) an updated model is created based on this new data. 
With this interpretation in mind, Zhong teaches the claim language. Pg. 68 Col. 2 The permissible deviation for the underground-diaphragm-wall trench’s verticality degree should be less than 1/300 (acceptance criteria), if the underground diaphragm wall acts as permanent structure (from provision 7.6.12 in GB 50202-2002). Once the actual deviation (quality inspection data) is got, Rule 5-1/2 is fired to compare the actual deviation…the permissible deviation, thus the evaluation result is determined, and the quality evaluation value isAccepted is assigned to the property hasInsepectionItemQualityEvaluationResult. At the same time, the quality inspection items with the result “isAccepted.” Further See Pg. 66 Rule 5-1 and/or Rule 5-2. A person of ordinary skill in the art would readily infer that the system checks the available data against the “rules and regulations” and the “allowed deviation” (e.g. see Rules 5-1,  Based on the result (e.g. hasInspectionItemQualityEvaulationResult) the meta-model will be revised (e.g. is accepted or defected). Determining that certain data is outside and/or inside the allowable deviation and classifying or otherwise attaching the “accepted-entity” and/or “defected-entity” to the data reads on the functionality of modification which the claim requires. Further note Zhong Pg. 68 (below the rule definitions) “After executing Rule 5-1/2, the inspection items, whose ActualDeviation [emphasis in original] is less than PermissibleDeviation, will be classified into the Accepted-Entity, which means that the inspection quality satisfies the requirements. Otherwise, the quality inspection items will be classified as Defected-Entity, which means that further measures (investigations or rework) need to be taken.” The examiner notes that if a quality inspection item is classified as Defected-Entity and a rework needs to be taken, this further teaches the claimed “determine to modify the business-based meta model.” In addition Pg. 62 section 4 “Based on the CQIEOntology meta model, along with above-mentioned ontology, the real construction information can be represented as the ontology instances in OWL…” Clearly, from the support in the instant as-filed specification, real construction information represented in an instance of an ontology teaches “revised functional model.”).
Zhong further teaches determining a second degree of performance of the revised…functional model meets the pre-defined threshold (The examiner initially notes that the identifying of a second set of facts (preceding limitation) and the instant limitation are merely describing an iterative process. Note at least Zhong Figure 6 which shows that as new facts and rules are sent to the JESS rule engine, new knowledge is 
Zhong further teaches operating according to a set of revised policies of the revised…functional model until a revised external compliance dataset is received (The examiner notes that this limitation is considered a conditional limitation and therefore, while being examined on the merits, does not have patentable weight. Furthermore, the only functional requirement of this limitation is the continued operation of a functional model. Zhong teaches the claim language. See Figure 6. Note the sending and receiving of information based on new facts and new knowledge reads on the functionality of “operating.”). 
	Zhong does not explicitly disclose security requirements and security implementations. 
	Zhong does not explicitly disclose IT functional model.
	NIST, however, does disclose security requirements and security implementations (See for example Pg. 7 Figure 2 See “security controls.” Further note the steps on Pg. 8 (e.g. “categorize, select, implement, assess”, etc.) In addition, Pg. 12 “Implementation tip” discloses how “security controls” should be implemented with regards to a specific business.). 
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the ontology system as taught by Zhong with the IT security requirements as taught by NIST because this would lead to a predictable result (i.e. an ontology for IT security compliance) (See MPEP 2143 (I) (A)).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to replace the construction-based functional model as taught by Zhong with the information technologies data as taught by NIST because this would lead to a predictable result. That is, if the data used to construct the ontology in Zhong (i.e. construction regulations, requirements, constraints, processes, etc) was replaced by the IT data in NIST (i.e. enterprise level IT security regulations, requirements, constraints, processes, etc.) the result, predictably, would be an IT functional model as is required. 

	MPEP 2143 (I) (A) describes the requirements and findings that the examiner must make in order to make an obviousness determination. 
(1) “a finding that the prior art included each element claimed, although not necessarily in a single prior art reference, with the only difference between the claimed invention and the prior art being the lack of actual combination of the elements in a single prior art reference.”

(2) “a finding that one of ordinary skill in the art could have combined the elements as claimed by known methods, and that in combination, each element merely performs the same function as it does separately.”
Here, the known methods of creating an ontology for regulatory compliance are taught by Zhong. 
Separately, NIST discloses the security requirements for an enterprise level IT network. 
When combined, both references would perform the same function as they do separately. That is, Zhong would create an ontology for regulatory compliance but, in combination with NIST, the “regulatory compliance” would concern enterprise level IT security instead of construction.
Thus, when in combination, the result would be predictable. 
(3) “a finding that one of ordinary skill in the art would have recognized that the results of the combination were predictable.”
	Similarly to requirement (2) above, the system of Zhong allows an ontology and instances of the ontology to be built for construction regulation compliance. On the other hand, NIST describes the requirements for an IT network on an enterprise level. 
A person of ordinary skill in the art would readily infer that if the security requirements as disclosed in NIST were used as the inputs and data to the system of Zhong the result, of that combination, would be an ontology for security requirements as the claim language requires. Therefore, the results of combination are predictable. 


1. a finding that the prior art contained a device which differed from the claimed device by the substitution of some components with other components.
In the instant application, Zhong (prior art) discloses a system which differs from the claimed invention merely by the regulatory requirements used. Zhong uses construction requirements (e.g. data) rather than enterprise level IT security requirements as claimed. 

2. a finding that substituted components and their functions were known in the art. 
	The substituted component(s) (e.g. IT security requirement(s) data) are known and disclosed by NIST.

3. a finding that one of ordinary skill in the art could have substituted one known element for another, and the results of the substitution would have been predictable. 
	A person of ordinary skill in the art would readily infer that the simple substitution merely amounts to different data inputs. The base functionality on how the ontology is 
	Again, this simple substitution would lead to a predictable result; an ontology for IT security compliance (i.e. the instant invention). 
	 Based on the evidence and findings above, a prima facie case of obviousness exists and has been established. 

With respect to Claim 2, the combination of Zhong and NIST teaches wherein the business-based meta model includes a business operational meta model, an organizational hierarchy metal model, and a business policy and controls meta model (The examiner notes that under the broadest reasonable interpretation, the instant invention appears to be drawn to an ontology analysis structured like that of Zhong as described above with reference to Claim 1 for the purpose of an enterprise company designing a security compliance system that complies with NIST. The NIST SP-800-53 broadly teaches the rules and regulations for “Security and Privacy Controls for Federal Information Systems and Organizations.” Under this broadest reasonable interpretation of the Claims, NIST teaches the claim language of Claim 2. In particular, Pg. 8 Figure 2 Note the Starting point and the different types of data that are used. Also Pg. 8 Top of page “Tier 2 includes: (i) defining the mission/business processes needed to support the organization missions/business functions; (ii) determining the security categories of the information systems needed to execute the mission/business processes; (iii) incorporating information security requirements into the 
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the ontology structure and processes as taught by Zhong with the rules and regulations as taught by NIST because this would allow for automated security compliance based on business goals as well as security compliance regulations (NIST Pg. 17 “Implementation Tip” fourth bullet point “Organization are encouraged to employ automated management systems to maintain records of the specific common control employed in each organizational information system to enhance the ability of common controls providers to rapidly communicate with system owners.”).
It further would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the process meta-model of construction processes as taught by Zhong with the business policies and regulations as taught by NIST because this would increase the strength of security functionality (NIST Pg. 22 “The strength of security functional plays an important part in being able to achieve the needed security capability and subsequently satisfying the security requirements of organizations. Information system developers can increase the strength of security functionality by employing as part of the hardware/software/firmware development process (i) well-defined security policies and policy models…”). 

With respect to Claim 3, the combination of Zhong and NIST teach wherein the business-based meta model further includes a security architecture meta model, a security risk meta model, and a security audit meta model (NIST Pg. 8 Figure 2 Note the Starting point and the different types of data that are used. Also Pg.8 Top of page “Tier 2 includes: (i) defining the mission/business processes needed to support the organization missions/business functions; (ii) determining the security categories of the information systems needed to execute the mission/business processes; (iii) incorporating information security requirements into the mission/business processes; and (iv) establishing an enterprise architecture (including an embedded information security architecture) to facilitate the allocation of security controls…” Also note Table 1 on Pg. 9; any or all of the “Security Control Identifiers and Family Names” read on the different types of meta models claimed. NIST Pg. 22 as referenced above “… (i) well-defined security policies and policy models…”). 

With respect to Claim 4, the combination of Zhao and NIST teach wherein the first external compliance dataset includes a first compliance regulation rule, a first analysis task, a first evaluation task, and a first business role (NIST Pg. 10-11 describe how a security control is to be carried by organization or by information systems (Pg. 10 Bottom of Page). Pg. 11 “For example, organizations can specify additional information needed for audit records to support audit event processing. See the AU-3(1) example above.” Looking at AU-3 a person of ordinary skill in the art would realize that this reads on the claim language. In particular, the NIST reference itself reads on the “first external compliance dataset”. Next, AU-3 reads on “a first 
The combination of Zhao and NIST further teach the first analysis task being an action to comply with the first compliance regulation rule (Zhao Pg. 65 Section 4.2.2 “During construction stage, namely, during the execution of the construction process, it is necessary to assure the corresponding inspection actions and evaluation are done, and any quality defect should be detected in time to prevent rework and cost increase. Based on the ontology, we can divide the inspection task constraints into a set of SWRL rules.” The examiner notes that the tasks taken by the inspector as a result of implementing Rule 2-1 through Rule 4-2 read on the claim language. The analysis task in this case is the action to inspect the wall for compliance with the regulation rule (7.67 GB  50202-2002) see first paragraph in section 4.2.2. Pg. 65 of Zhao). 
The combination of Zhao and NIST further teach the first evaluation task being an action to evaluate a degree of performance of the first analysis task (Zhao Pg. 
The combination of Zhao and NIST further teach the first business role performing the first analysis task and the first evaluation task (NIST Pg. 14 3rd Paragraph “The organization assigns responsibility for common controls to appropriate organizational offices…and coordinates the development, implementation, assessment, authorization, and monitoring of the controls…”). 
With respect to Claim 5, the combination of Zhao and NIST further teach receiving a second external compliance dataset from an external source including a second compliance regulation rule, a second analysis task, and a second evaluation task (NIST Pg. 18 “Security requirements for external service providers including the security controls for external information systems are expressed in contracts or other formal agreements. Organizations are responsible and accountable for the information security risk incurred by the use of information system services provided by external providers. Such risk addressed by incorporating the Risk Management Framework as part of the terms and conditions of the contracts with external providers. Relationships with external service providers are established in a variety of ways, for example, through joint ventures, business partnerships, outsourcing 
The combination of Zhao and NIST further teach updating the first external compliance dataset with the second external compliance dataset to generate a third external compliance dataset, the second ontology data structure including the third external compliance dataset that replaces the first external compliance dataset (As evidenced above (See NIST Pg. 14 and/or Pg. 18) the external policies from e.g. contracts are combined with the existing federal regulations and/or internal business policies. This integration of outside rules and regulations read on the claim language.). 
With respect to Claim 6, the combination of Zhao and NIST teach wherein the external source is a business model derived from a contract (See NIST Pg. 18 as referenced above.). 
With respect to Claim 7, the combination of Zhao and NIST teach wherein the first and second degrees of performance include a measure for security compliance to a first compliance regulation rule, the measure included in the pre-defined threshold (NIST Pg. 21 Security Capability  3rd paragraph “Traditionally, assessments have been conducted on a control-by-control basis producing results that are characterized as pass (i.e., control satisfied) or fail…Ultimately, authorization decisions…are made based on the degree to which the desired security capabilities have been effectively achieved and are meeting the security requirements defined by an 

With respect to Claim 8, Zhong teaches a computer program product comprising a computer readable storage medium having stored thereon: first program instructions programmed to establish a first ontology data structure having a hierarchical description including a business-based meta model (Pg. 60 Section 3. Col. 2 “In this section, a model for construction quality inspection and evaluation i.e. CQIEOntology is proposed as shown in Fig. 1. Based on CQIEOntology, together with the support of the construction process ontology, the regulation constraints can be modeled in OWL axioms and SWRL rules for construction quality inspection and evaluation.”). 
Zhong also teaches second program instructions programmed to establish a second ontology data structure having a hierarchical description including a first external compliance dataset and contract model (Pg. 60 Section 3. Col. 2 “In this section, a model for construction quality inspection and evaluation i.e. CQIEOntology is proposed as shown in Fig. 1. Based on CQIEOntology, together with the support of the construction process ontology, the regulation constraints can be modeled in OWL axioms and SWRL rules for construction quality inspection and evaluation.” Pg.61 Col. 1 “In CQIEOntology, the regulation-Constraint constitutes the main inspection knowledge, since the focus is the regulation-based quality inspection. Each constraint comes from the corresponding provision text in regulations. The relation “hasRegulation” associates modeled as the construction process ontology.” The examiner notes that a person of ordinary skill in the art would realize that the CQIEOntology of Zhong reads on the business-based meta model because this particular model is an ontology of the processes that define business goals, objectives, etc. The examiner further notes Zhong Fig.1 Note “process model”. The noted “process model” reads on the claimed contract model. The examiner notes that, as stated in the claim, this contract model, at least in part, establishes “a second ontology.” Zhong recites on Pg. 60 Col. 2 “In this section a meta model for construction quality inspection and evaluation i.e. CQIEOntology is proposed….based on CQIEOntology, together with support of the construction process ontology, the regulation constraints can be modeled in OWL axioms and SWRL rules…” As can be understood by a person of ordinary skill in the art, the claimed “first ontology data structure” (see preceding limitation) is equivalent to the disclosed CQIEOntology (e.g. 
meta-model) and the possible construction process ontology(s) are equivalent to the claimed “second ontology data structure” since the second ontology structure is a “specific” ontology based on a specific job. Further still, Pg. 61 Col. 1 “Basing on the meta model, the specific domain model for the construction quality inspection can be obtained via specializing and instantiating the generic concepts and relations in the meta model.”). 
 third program instructions programmed to derive a set of inference rules by converting regulation-constraint knowledge described in web ontology language (OWL) axioms and semantic web rule language (SWRL) rules into new facts and identifying a first set of matching facts in working memories in accordance with the business-based meta model (Zhong Pg. 66 Col. 1 which recites “In this research, actual reasoning process is conducted through the JESS rule engine. The JESS rule engine converts a combination of OWL+SWRL rules into jess facts (i.e. new facts). The inferences are carried out in JESS inference engine by matching facts in working memories in accordance with the rules in the rule base. Also, if the inference engine infers knowledge using forward chaining, the new knowledge can be used for further inference or querying stored or inferred knowledge.” Further Pg. 67 Col. 1-2 describe how “facts” are defined in JESS. Specifically Col. 2 recites “Here the assert construct [emphasis in original] in JESS is used to declare a fact. The declared facts will be saved in the JESS fact base.” Further, see Figure 6. Note especially the “facts/knowledge base” and how facts + rules are sent to the JESS rule engine. ). 
Zhong further teaches fourth program instructions programmed to determine a set of compliance constraints based on the set of inference rules from the first ontology data structure and the first external compliance dataset of the second ontology data structure (Pg. 60 Section 3. Col. 2 “In this section, a model for construction quality inspection and evaluation i.e. CQIEOntology is proposed as shown in Fig. 1. Based on CQIEOntology, together with the support of the construction process ontology, the regulation constraints can be modeled in OWL axioms and SWRL rules for construction quality inspection and evaluation.” Pg.61 Col. 1 “In CQIEOntology, the Each constraint comes from the corresponding provision text in regulations. The relation “hasRegulation” associates the constraint with the provision text from which constraint is extracted.” The examiner notes that the referenced “provision text” reads on the claimed first external compliance dataset. Under the broadest reasonable interpretation (BRI), this dataset is some collection of laws, rules, regulations, etc. that guide a particular inspection or regulation. The examiner notes that the rule “hasRegulation” reads on the claimed inference rules. Further Pg. 66 Section 5 “In this research, actual reasoning process is conducted through the JESS rule engine. The JESS rule engine converts a combination of OWL+SWRL into jess facts (i.e. new facts). The inferences are carried out in JESS inference engine by matching facts in working memories in accordance with the rules in the rule base.” Further, Pg. 65 Section 4.2.2 describes the inspection task constraint modeling and recites “…Based on the ontology, we can divide the inspection task constraints into a set of SWRL rules…”). 
Zhong further teaches fifth program instructions programmed to create [a]…functional model based on … requirements and … implementations of the business-based meta model and the contract model to generate policies for deployment (Zhong teaches the claim language. For example Pg. 68 Col. 2 recites “From this scenario, we can see that these rules enable the regulatory provisions to be integrated with the construction process, and the regulatory compliance checking is regarded as a paralleling activity to construction process rather than as an afterthought.” The examiner notes that, under the broadest reasonable interpretation, the functionality 
Zhong further teaches sixth program instructions programmed to generate a set of policies for deployment by applying the set of compliance constraints to the…functional model (Pg. 60 Section 3. Col. 2 “In this section, a model for construction quality inspection and evaluation i.e. CQIEOntology is proposed as shown in Fig. 1. Based on CQIEOntology, together with the support of the construction process ontology, the regulation constraints can be modeled in OWL axioms and SWRL rules for construction quality inspection and evaluation.” Pg. 61 “ As shown in Fig. 1…each main concept indicates one facet of the inspection objects, and can be modeled as the construction process ontology.” Pg. 61 Col. 2 “In CQIEOntology, the Inspection-Object concepts…are also the concepts of the construction process model. In order to reuse the existing research results, the structure and definition of these concepts remain the same as the original concepts defined in the construction process model. Through the Inspection-Object concept, the CQIEOntology for compliance checking can interact with the construction process model.” The examiner notes that the interaction of the process model with the modeled rules and constraints reads on the claim language. Further Pg. 62 Section 4 “Basing on the CQIEOntology meta model. Along with above-mentioned ontology, the real construction information can be represented as the ontology instances in OWL, and the regulation constraints can be modeled into the OWL axioms and SWRL rules.” Still further, Pg. 68 Col. 2 “From this scenario, we can see that these 
Zhong also teaches seventh program instructions programmed to deploy the…functional model to apply the generated policies (The examiner notes, initially, the extreme breadth of this limitation. That is, under the broadest reasonable interpretation, the functionality encompassed by “deploying” is interpreted as any use of the model/ontology. In Zhong, the ontology is used for construction quality compliance and specifically discloses the use of “the quality specification “code for Acceptance of Construction Quality of Building Foundation (GB50202-2002)”. Further, on Pg. 68, retrieved and/or received data is compared to the constraint (see “quality inspection data”.). The use of Zhong’s ontology for determining if actual quality inspection data is within a constraint reads on the claimed functionality of “deploying.”). 
Zhong also teaches eighth program instructions programmed to determine a first degree of performance of the…functional model by collecting evidence during deployment (Pg. 68 Col. 2 The permissible deviation for the underground-diaphragm-wall trench’s verticality degree should be less than 1/300 (acceptance criteria), if the underground diaphragm wall acts as permanent structure (from provision Once the actual deviation (quality inspection data) is got, Rule 5-1/2 is fired to compare the actual deviation…the permissible deviation, thus the evaluation result is determined, and the quality evaluation value isAccepted is assigned to the property hasInsepectionItemQualityEvaluationResult. At the same time, the quality inspection items with the result “isAccepted.” The “got” “quality inspection data” reads on the claimed “collecting evidence” and the disclosed “actual deviation” reads on “determining a first degree of performance.”).
Zhong further still teaches ninth program instructions programmed to responsive to the first degree of performance being above or below of a pre-defined threshold, determine to modify the business-based meta model to create a revised business-based meta model (Pg. 68 Col. 2 The permissible deviation for the underground-diaphragm-wall trench’s verticality degree should be less than 1/300 (acceptance criteria), if the underground diaphragm wall acts as permanent structure (from provision 7.6.12 in GB 50202-2002). Once the actual deviation (quality inspection data) is got, Rule 5-1/2 is fired to compare the actual deviation…the permissible deviation, thus the evaluation result is determined, and the quality evaluation value isAccepted is assigned to the property hasInsepectionItemQualityEvaluationResult. At the same time, the quality inspection items with the result “isAccepted.” Further See Pg. 66 Rule 5-1 and/or Rule 5-2. A person of ordinary skill in the art would readily infer that the system checks the available data against the “rules and regulations” and the “allowed deviation” (e.g. see Rules 5-1, 5-2 “less than” and/or “greater than”). Based on the result (e.g. hasInspectionItemQualityEvaulationResult) the meta-model will be revised (e.g. is accepted or defected). Determining that certain data is outside and/or ActualDeviation [emphasis in original] is less than PermissibleDeviation, will be classified into the Accepted-Entity, which means that the inspection quality satisfies the requirements. Otherwise, the quality inspection items will be classified as Defected-Entity, which means that further measures (investigations or rework) need to be taken.” The examiner notes that if a quality inspection item is classified as Defected-Entity and a rework needs to be taken, this further reads on the claimed “determine to modify the business-based meta model.”). 
Zhong further teaches tenth program instructions programmed to identify a second set of matching facts in the working memories in accordance with the revised business-based meta model (The examiner notes that under the broadest reasonable interpretation, this limitation is interpreted as merely receiving new and/or updated information. Zhong Pg. 66 Col. 1 which recites “In this research, actual reasoning process is conducted through the JESS rule engine. The JESS rule engine converts a combination of OWL+SWRL rules into jess facts (i.e. new facts). The inferences are carried out in JESS inference engine by matching facts in working memories in accordance with the rules in the rule base. Also, if the inference engine infers knowledge using forward chaining, the new knowledge can be used for further inference or querying stored or inferred knowledge.” Further Pg. 67 Col. 1-2 describe how “facts” are defined in JESS. Specifically Col. 2 recites “Here the assert construct 
Zhong further teaches eleventh program instructions programmed to create a revised…functional model from the revised business-based meta model and the contract model (The examiner initially notes for the record that the term “revised IT functional model” does not appear explicitly within the as-filed specification. However, this limitation is considered to have implicit but limited support. The as-filed specification has only one (1) instance of the word “revise(d)” and appears in paragraph [0079]. In part, this paragraph recites “when a contract modification is made, a revised version of the contract is made having known, accepted IT parameters…[0080] When communication of step 614 is received, an IT functional model is dynamically derived with the help of an enterprise ontology and various artifact generated from contract analytics. That is an IT instance is create from project-specific policies….” Based on this support, the above limitation is interpreted as encompassing the same subject matter and/or scope as the “creating an IT functional model…” limitation above and is further interpreted as an iterative process. That is, based on new incoming data (i.e. “revised version of the contract”) an updated model is created based on this new data. 
With this interpretation in mind, Zhong teaches the claim language. Pg. 68 Col. 2 The permissible deviation for the underground-diaphragm-wall trench’s verticality Rule 5-1/2 is fired to compare the actual deviation…the permissible deviation, thus the evaluation result is determined, and the quality evaluation value isAccepted is assigned to the property hasInsepectionItemQualityEvaluationResult. At the same time, the quality inspection items with the result “isAccepted.” Further See Pg. 66 Rule 5-1 and/or Rule 5-2. A person of ordinary skill in the art would readily infer that the system checks the available data against the “rules and regulations” and the “allowed deviation” (e.g. see Rules 5-1, 5-2 “less than” and/or “greater than”). Based on the result (e.g. hasInspectionItemQualityEvaulationResult) the meta-model will be revised (e.g. is accepted or defected). Determining that certain data is outside and/or inside the allowable deviation and classifying or otherwise attaching the “accepted-entity” and/or “defected-entity” to the data reads on the functionality of modification which the claim requires. Further note Zhong Pg. 68 (below the rule definitions) “After executing Rule 5-1/2, the inspection items, whose ActualDeviation [emphasis in original] is less than PermissibleDeviation, will be classified into the Accepted-Entity, which means that the inspection quality satisfies the requirements. Otherwise, the quality inspection items will be classified as Defected-Entity, which means that further measures (investigations or rework) need to be taken.” The examiner notes that if a quality inspection item is classified as Defected-Entity and a rework needs to be taken, this further teaches the claimed “determine to modify the business-based meta model.” In addition Pg. 
62 section 4 “Based on the CQIEOntology meta model, along with above-mentioned can be represented as the ontology instances in OWL…” Clearly, from the support in the instant as-filed specification, real construction information represented in an instance of an ontology teaches “revised functional model.”)

Zhong further teaches twelfth program instructions programmed to determine a second degree of performance of the revised…functional model meets the pre-defined threshold (The examiner initially notes that the identifying of a second set of facts (preceding limitation) and the instant limitation are merely describing an iterative process. Note at least Zhong Figure 6 which shows that as new facts and rules are sent to the JESS rule engine, new knowledge is sent to the ontology. This is the description of an iterative process and thus Zhong reads on the claim language. Specifically regarding “meets” the pre-defined threshold Zhong teaches at Pg. 66 See Rule 5-1. Further “After executing Rule 5-1/2, the inspection items, whose ActualDeviation is less than PermissibleDeviation, will be classified into Accepted-Entity, which means that the inspection quality satisfies the requirements.” A person of ordinary skill in the art would readily infer that Zhong's disclosure of satisfying the requirements based on a comparison of data to the requirements reads on the claim language.). 
Zhong further teaches thirteenth program instructions programmed to operate according a set of revised policies of to the revised… functional model until a revised external compliance dataset is received (The examiner notes that this limitation is considered a conditional limitation and therefore, while being examined 
	Zhong does not explicitly disclose security requirements and security implementations. 
	Zhong does not explicitly disclose an IT functional model.
	NIST, however, does disclose security requirements and security implementations (See for example Pg. 7 Figure 2 See “security controls.” Further note the steps on Pg. 8 (e.g. “categorize, select, implement, assess”, etc.) In addition, Pg. 12 “Implementation tip” discloses how “security controls” should be implemented with regards to a specific business.). 
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the ontology system as taught by Zhong modified with the IT security requirements as taught by NIST because this would lead to a predictable result (i.e. an ontology for IT security compliance) (See MPEP 2143 (I) (A)). 
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to replace the construction-based functional model as taught by Zhong with the information technologies data as taught by NIST because this would lead to a predictable result. That is, if the data used to construct the ontology in Zhong (i.e. construction regulations, requirements, constraints, processes, 

The examiner notes: the same rationale and reasoning applied to Claim 1 also are applied to the combination of art as applied to Claim 8. Merely for sake of brevity, the rationale and reasoning is not presented here. For further details, see the rationale and reasoning as applied to Claim 1. 


With respect to Claim 9, the combination of Zhong and NIST teach wherein the business-based meta model includes a business operational meta model, an organizational hierarchy meta model, and a business policy and controls meta model (The examiner notes that under the broadest reasonable interpretation, the instant invention appears to be drawn to an ontology analysis structured like that of Zhong as described above with reference to Claim 1 for the purpose of an enterprise company designing a security compliance system that complies with NIST. The NIST SP-800-53 broadly teaches the rules and regulations for “Security and Privacy Controls for Federal Information Systems and Organizations.” Under this broadest reasonable interpretation of the Claims, NIST teaches the claim language of Claim 2. In particular, Pg. 8 Figure 2 Note the Starting point and the different types of data that are used. Also Pg.8 Top of page “Tier 2 includes: (i) defining the mission/business processes needed to support the organization missions/business functions; (ii) determining the security 
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the ontology structure and processes as taught by Zhong with the rules and regulations as taught by NIST because this would allow for automated security compliance based on business goals as well as security compliance regulations (NIST Pg. 17 “Implementation Tip” fourth bullet point “Organization are encouraged to employ automated management systems to maintain records of the specific common control employed in each organizational information system to enhance the ability of common controls providers to rapidly communicate with system owners.”).
It further would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the process meta-model of construction processes as taught by Zhong with the business policies and regulations as taught by NIST because this would increase the strength of security functionality (NIST Pg. 22 “The strength of security functional plays an important part in being able to achieve the needed security capability and subsequently satisfying the security requirements of organizations. Information system developers can increase the strength 

With respect to Claim 10, the combination of Zhao and NIST teach wherein the first external compliance dataset includes a first compliance regulation rule, a first analysis task, a first evaluation task, and a first business role (NIST Pg. 10-11 describe how a security control is to be carried by organization or by information systems (Pg. 10 Bottom of Page). Pg. 11 “For example, organizations can specify additional information needed for audit records to support audit event processing. See the AU-3(1) example above.” Looking at AU-3 a person of ordinary skill in the art would realize that this reads on the claim language. In particular, the NIST reference itself reads on the “first external compliance dataset”. Next, AU-3 reads on “a first compliance regulation rule” Reading AU-3 under supplemental guidance “Audit record content that may be necessary to satisfy the requirement of this control includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Event outcomes can include indicators of event success or failure and event-specific results...” Further NIST Pg. 11 Top of page “Assignment and selection statements provide organizations with the capability to tailor security controls and control enhancements based on: (i) security requirements to support organizational missions/business functions and operation needs… and (iii) security requirements originating in federal laws, Executive Orders, directives, policies, regulations, standards, or guidelines. )
the first analysis task being an action to comply with the first compliance regulation rule (Zhao Pg. 65 Section 4.2.2 “During construction stage, namely, during the execution of the construction process, it is necessary to assure the corresponding inspection actions and evaluation are done, and any quality defect should be detected in time to prevent rework and cost increase. Based on the ontology, we can divide the inspection task constraints into a set of SWRL rules.” The examiner notes that the tasks taken by the inspector as a result of implementing Rule 2-1 through Rule 4-2 read on the claim language. The analysis task in this case is the action to inspect the wall for compliance with the regulation rule (7.67 GB  50202-2002) see first paragraph in section 4.2.2. Pg. 65 of Zhao). 
The combination of Zhao and NIST further teach the first evaluation task being an action to evaluate a degree of performance of the first analysis task (Zhao Pg. 65 Specifically rule 4-1 “Construction-Task (?ct) ^ Inspection Task (?it) ^ hasInspectionTask (?ct, ?it) ^ Evaluation-Task (?et)…” Note “Evaluation Task” Further Pg. 66 Section 4.2.3 “Once the inspection task of one construction task is determined, the checking actions are performed to collect quality data. The quality data should be evaluated according to the acceptance criteria imposed by regulations so as to decide whether the inspection objects are compliant with the quality acceptance criteria constraints.”). 
The combination of Zhao and NIST further teach the first business role performing the first analysis task and the first evaluation task (NIST Pg. 14 3rd Paragraph “The organization assigns responsibility for common controls to appropriate 
With respect to Claim 11, the combination of Zhao and NIST further teach fourteenth program instructions programmed to receive a second external compliance dataset from an external source including a second compliance regulation rule, a second analysis task, and a second evaluation task (NIST Pg. 18 “Security requirements for external service providers including the security controls for external information systems are expressed in contracts or other formal agreements. Organizations are responsible and accountable for the information security risk incurred by the use of information system services provided by external providers. Such risk addressed by incorporating the Risk Management Framework as part of the terms and conditions of the contracts with external providers. Relationships with external service providers are established in a variety of ways, for example, through joint ventures, business partnerships, outsourcing arrangements (i.e., through contracts…)…” The examiner notes that these external data sources must include a second compliance regulation rule, a second analysis task, and a second evaluation task since they too must comply with the Risk Management Framework.).
The combination of Zhao and NIST further teach fifteenth program instructions programmed to update the first external compliance dataset with the second external compliance dataset to generate a third external compliance dataset, the second ontology structure including the third compliance dataset that replaces the first external compliance dataset (As evidenced above (See NIST Pg. 14 and/or Pg. 18) the external policies from e.g. contracts are combined with the 

With respect to Claim 12, the combination of Zhao and NIST teach wherein first and second degrees of performance include a measure for security compliance to a first compliance regulation rule, the measure included in the pre-defined threshold (NIST Pg. 21 Security Capability  3rd paragraph “Traditionally, assessments have been conducted on a control-by-control basis producing results that are characterized as pass (i.e., control satisfied) or fail…Ultimately, authorization decisions…are made based on the degree to which the desired security capabilities have been effectively achieved and are meeting the security requirements defined by an organization…” Pg. 25 “After the security requirements and security capabilities are determined at Tiers 1 and 2 (including the necessary assurance requirements to provide measures of confidence in the desired capabilities)…”). 

With respect to Claim 13, Zhong teaches a computer system comprising: a set of processors; and a computer readable storage medium; wherein the set of processors is structured, located, connected and/or programmed to run program instructions stored on the computer readable storage medium; and the program instructions include: first program instructions programmed to establish a first ontology data structure having a hierarchical description including a business-based meta model (Pg. 60 Section 3. Col. 2 “In this section, a model for construction quality inspection and evaluation i.e. CQIEOntology is proposed as shown in Fig. 1. 
Zhong also teaches second program instructions programmed to establish a second ontology data structure having a hierarchical description including a first external compliance dataset and contract model (Pg. 60 Section 3. Col. 2 “In this section, a model for construction quality inspection and evaluation i.e. CQIEOntology is proposed as shown in Fig. 1. Based on CQIEOntology, together with the support of the construction process ontology, the regulation constraints can be modeled in OWL axioms and SWRL rules for construction quality inspection and evaluation.” Pg.61 Col. 1 “In CQIEOntology, the regulation-Constraint constitutes the main inspection knowledge, since the focus is the regulation-based quality inspection. Each constraint comes from the corresponding provision text in regulations. The relation “hasRegulation” associates the constraint with the provision text from which constraint is extracted.” The examiner notes that the referenced “provision text” reads on the claimed first external compliance dataset. Under the broadest reasonable interpretation (BRI), this dataset is some collection of laws, rules, regulations, etc. that guide a particular inspection or regulation. Pg. 61 “ As shown in Fig. 1…each main concept indicates one facet of the inspection objects, and can be modeled as the construction process ontology.” The examiner notes that a person of ordinary skill in the art would realize that the CQIEOntology of Zhong reads on the business-based meta model because this particular model is an ontology of the processes that define business goals, objectives, etc. The examiner further notes Zhong Fig.1 Note “process model”. The noted “process model” reads on 
Zhong further teaches third program instructions programmed to derive a set of inference rules by converting regulation-constraint knowledge described in web ontology language (OWL) axioms and semantic web rule language (SWRL) rules into new facts and identifying a first set of matching facts in working memories in accordance with the business-based meta model (Zhong Pg. 66 Col. 1 which recites “In this research, actual reasoning process is conducted through the JESS rule engine. The JESS rule engine converts a combination of OWL+SWRL rules into jess facts (i.e. new facts). The inferences are carried out in JESS inference engine by matching facts in working memories in accordance with the rules in the rule base. Also, if the inference engine infers knowledge using forward chaining, the new knowledge can construct [emphasis in original] in JESS is used to declare a fact. The declared facts will be saved in the JESS fact base.” Further, see Figure 6. Note especially the “facts/knowledge base” and how facts + rules are sent to the JESS rule engine. ). 
Zhong further teaches fourth program instructions programmed to determine a set of compliance constraints based on the set of inference rules from the first ontology data structure and the first external compliance dataset of the second ontology data structure (Pg. 60 Section 3. Col. 2 “In this section, a model for construction quality inspection and evaluation i.e. CQIEOntology is proposed as shown in Fig. 1. Based on CQIEOntology, together with the support of the construction process ontology, the regulation constraints can be modeled in OWL axioms and SWRL rules for construction quality inspection and evaluation.” Pg.61 Col. 1 “In CQIEOntology, the regulation-Constraint constitutes the main inspection knowledge, since the focus is the regulation-based quality inspection. Each constraint comes from the corresponding provision text in regulations. The relation “hasRegulation” associates the constraint with the provision text from which constraint is extracted.” The examiner notes that the referenced “provision text” reads on the claimed first external compliance dataset. Under the broadest reasonable interpretation (BRI), this dataset is some collection of laws, rules, regulations, etc. that guide a particular inspection or regulation. The examiner notes that the rule “hasRegulation” reads on the claimed inference rules. Further Pg. 66 Section 5 “In this research, actual reasoning process is conducted through the JESS rule engine. The JESS rule engine converts a combination 
Zhong further teaches fifth program instructions programmed to create [a]…functional model based on … requirements and … implementations of the business-based meta model and the contract model to generate policies for deployment (Zhong teaches the claim language. For example Pg. 68 Col. 2 recites “From this scenario, we can see that these rules enable the regulatory provisions to be integrated with the construction process, and the regulatory compliance checking is regarded as a paralleling activity to construction process rather than as an afterthought.” The examiner notes that, under the broadest reasonable interpretation, the functionality of “integrated” reads on the functionality of “binding.” In addition to or in the alternative, Note Figure 3 which shows a specific task having specific requirements as an instance of the ontology. The examiner notes that an instance having specific requirements reads on the claimed functional model.). 
Zhong further teaches sixth program instructions programmed to generate a set of policies for deployment by applying the set of compliance constraints to the…functional model (Pg. 60 Section 3. Col. 2 “In this section, a model for construction quality inspection and evaluation i.e. CQIEOntology is proposed as shown in Fig. 1. Based on CQIEOntology, together with the support of the construction process ontology, the regulation constraints can be modeled in OWL axioms and SWRL rules for Inspection-Object concepts…are also the concepts of the construction process model. In order to reuse the existing research results, the structure and definition of these concepts remain the same as the original concepts defined in the construction process model. Through the Inspection-Object concept, the CQIEOntology for compliance checking can interact with the construction process model.” The examiner notes that the interaction of the process model with the modeled rules and constraints reads on the claim language. Further Pg. 62 Section 4 “Basing on the CQIEOntology meta model. Along with above-mentioned ontology, the real construction information can be represented as the ontology instances in OWL, and the regulation constraints can be modeled into the OWL axioms and SWRL rules.” Still further, Pg. 68 Col. 2 “From this scenario, we can see that these rules enable the regulatory provisions to be integrated with the construction process, and the regulatory compliance checking is regarded as a paralleling activity to construction process rather than as an afterthought.” The examiner further notes Figure 3. The examiner especially notes the relation of “regulation constraint” (see Ontology) to the “inspection object” (e.g. UDW_construction-Tasks_1). A person of ordinary skill in the art would readily infer that based on the constraints (e.g. provision 7.6.7 and/or 7.6.12) the process (e.g. policy) by which UDW_construction-task_1 is completed is generated. Further See Figure 5.).  
Zhong also teaches seventh program instructions programmed to deploy the…functional model to apply the generated policies (The examiner notes, initially, 
Zhong also teaches eighth program instructions programmed to determine a first degree of performance of the…functional model by collecting evidence during deployment (Pg. 68 Col. 2 The permissible deviation for the underground-diaphragm-wall trench’s verticality degree should be less than 1/300 (acceptance criteria), if the underground diaphragm wall acts as permanent structure (from provision 7.6.12 in GB 50202-2002). Once the actual deviation (quality inspection data) is got, Rule 5-1/2 is fired to compare the actual deviation…the permissible deviation, thus the evaluation result is determined, and the quality evaluation value isAccepted is assigned to the property hasInsepectionItemQualityEvaluationResult. At the same time, the quality inspection items with the result “isAccepted.” The “got” “quality inspection data” reads on the claimed “collecting evidence” and the disclosed “actual deviation” reads on “determining a first degree of performance.”).
Zhong further still teaches ninth program instructions programmed to responsive to the first degree of performance being above or below a pre-defined threshold, determine to modify the business-based meta model to create a revised business-based meta model (Pg. 68 Col. 2 The permissible deviation for the underground-diaphragm-wall trench’s verticality degree should be less than 1/300 (acceptance criteria), if the underground diaphragm wall acts as permanent structure (from provision 7.6.12 in GB 50202-2002). Once the actual deviation (quality inspection data) is got, Rule 5-1/2 is fired to compare the actual deviation…the permissible deviation, thus the evaluation result is determined, and the quality evaluation value isAccepted is assigned to the property hasInsepectionItemQualityEvaluationResult. At the same time, the quality inspection items with the result “isAccepted.” Further See Pg. 66 Rule 5-1 and/or Rule 5-2. A person of ordinary skill in the art would readily infer that the system checks the available data against the “rules and regulations” and the “allowed deviation” (e.g. see Rules 5-1, 5-2 “less than” and/or “greater than”). Based on the result (e.g. hasInspectionItemQualityEvaulationResult) the meta-model will be revised (e.g. is accepted or defected). Determining that certain data is outside and/or inside the allowable deviation and classifying or otherwise attaching the “accepted-entity” and/or “defected-entity” to the data reads on the functionality of modification which the claim requires. Further note Zhong Pg. 68 (below the rule definitions) “After executing Rule 5-1/2, the inspection items, whose ActualDeviation [emphasis in original] is less than PermissibleDeviation, will be classified into the Accepted-Entity, which means that the inspection quality satisfies the requirements. Otherwise, the quality inspection items will be classified as Defected-Entity, which means that further measures (investigations or rework) need to be taken.” The examiner notes that if a quality inspection item is classified as Defected-Entity and a rework needs to be taken, 
Zhong further teaches tenth program instructions programmed to identify a second set of matching facts in the working memories in accordance with the revised business-based meta model (The examiner notes that under the broadest reasonable interpretation, this limitation is interpreted as merely receiving new and/or updated information. Zhong Pg. 66 Col. 1 which recites “In this research, actual reasoning process is conducted through the JESS rule engine. The JESS rule engine converts a combination of OWL+SWRL rules into jess facts (i.e. new facts). The inferences are carried out in JESS inference engine by matching facts in working memories in accordance with the rules in the rule base. Also, if the inference engine infers knowledge using forward chaining, the new knowledge can be used for further inference or querying stored or inferred knowledge.” Further Pg. 67 Col. 1-2 describe how “facts” are defined in JESS. Specifically Col. 2 recites “Here the assert construct [emphasis in original] in JESS is used to declare a fact. The declared facts will be saved in the JESS fact base.” Further, see Figure 6. Note especially the “facts/knowledge base” and how facts + rules are sent to the JESS rule engine. The examiner notes that a person of ordinary skill in the art would readily infer that the claimed “second set of matching facts” is the creation of any number of “JESS facts” as disclosed in Zhong (e.g. See “a combination of OWL+SWRL rules into jess facts (i.e. new facts).). 
Zhong further teaches eleventh program instructions programmed to create a revised…functional model from the revised business-based meta model and the contract model (The examiner initially notes for the record that the term “revised IT explicitly within the as-filed specification. However, this limitation is considered to have implicit but limited support. The as-filed specification has only one (1) instance of the word “revise(d)” and appears in paragraph [0079]. In part, this paragraph recites “when a contract modification is made, a revised version of the contract is made having known, accepted IT parameters…[0080] When communication of step 614 is received, an IT functional model is dynamically derived with the help of an enterprise ontology and various artifact generated from contract analytics. That is an IT instance is create from project-specific policies….” Based on this support, the above limitation is interpreted as encompassing the same subject matter and/or scope as the “creating an IT functional model…” limitation above and is further interpreted as an iterative process. That is, based on new incoming data (i.e. “revised version of the contract”) an updated model is created based on this new data. 
With this interpretation in mind, Zhong teaches the claim language. Pg. 68 Col. 2 The permissible deviation for the underground-diaphragm-wall trench’s verticality degree should be less than 1/300 (acceptance criteria), if the underground diaphragm wall acts as permanent structure (from provision 7.6.12 in GB 50202-2002). Once the actual deviation (quality inspection data) is got, Rule 5-1/2 is fired to compare the actual deviation…the permissible deviation, thus the evaluation result is determined, and the quality evaluation value isAccepted is assigned to the property hasInsepectionItemQualityEvaluationResult. At the same time, the quality inspection items with the result “isAccepted.” Further See Pg. 66 Rule 5-1 and/or Rule 5-2. A person of ordinary skill in the art would readily infer that the system checks the available data against the “rules and regulations” and the “allowed deviation” (e.g. see Rules 5-1,  Based on the result (e.g. hasInspectionItemQualityEvaulationResult) the meta-model will be revised (e.g. is accepted or defected). Determining that certain data is outside and/or inside the allowable deviation and classifying or otherwise attaching the “accepted-entity” and/or “defected-entity” to the data reads on the functionality of modification which the claim requires. Further note Zhong Pg. 68 (below the rule definitions) “After executing Rule 5-1/2, the inspection items, whose ActualDeviation [emphasis in original] is less than PermissibleDeviation, will be classified into the Accepted-Entity, which means that the inspection quality satisfies the requirements. Otherwise, the quality inspection items will be classified as Defected-Entity, which means that further measures (investigations or rework) need to be taken.” The examiner notes that if a quality inspection item is classified as Defected-Entity and a rework needs to be taken, this further teaches the claimed “determine to modify the business-based meta model.” In addition Pg. 62 section 4 “Based on the CQIEOntology meta model, along with above-mentioned ontology, the real construction information can be represented as the ontology instances in OWL…” Clearly, from the support in the instant as-filed specification, real construction information represented in an instance of an ontology teaches “revised functional model.”)

Zhong further teaches twelfth program instructions programmed to determine a second degree of performance of the revised…functional model meets the pre-defined threshold (The examiner initially notes that the identifying of a second set of facts (preceding limitation) and the instant limitation are merely describing 
Zhong further teaches thirteenth program instructions programmed to operate according a set of revised policies of to the revised… functional model until a revised external compliance dataset is received (The examiner notes that this limitation is considered a conditional limitation and therefore, while being examined on the merits, does not have patentable weight. Furthermore, the only functional requirement of this limitation is the continued operation of a functional model. Zhong teaches the claim language. See Figure 6. Note the sending and receiving of information based on new facts and new knowledge reads on the functionality of “operating.”). 
	Zhong does not explicitly disclose security requirements and security implementations. 
	Zhong does not explicitly disclose an IT functional model.
security requirements and security implementations (See for example Pg. 7 Figure 2 See “security controls.” Further note the steps on Pg. 8 (e.g. “categorize, select, implement, assess”, etc.) In addition, Pg. 12 “Implementation tip” discloses how “security controls” should be implemented with regards to a specific business.). 
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the ontology system as taught by Zhong modified with the IT security requirements as taught by NIST because this would lead to a predictable result (i.e. an ontology for IT security compliance) (See MPEP 2143 (I) (A)). 
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to replace the construction-based functional model as taught by Zhong with the information technologies data as taught by NIST because this would lead to a predictable result. That is, if the data used to construct the ontology in Zhong (i.e. construction regulations, requirements, constraints, processes, etc) was replaced by the IT data in NIST (i.e. enterprise level IT security regulations, requirements, constraints, processes, etc.) the result, predictably, would be an IT functional model as is required. 

The examiner notes: the same rationale and reasoning applied to Claim 1 also are applied to the combination of art as applied to Claim 8. Merely for sake of brevity, the rationale and reasoning is not presented here. For further details, see the rationale and reasoning as applied to Claim 1. 

With respect to Claim 14, the combination of Zhong and NIST teach wherein the business-based meta model includes a business operational meta model, an organizational hierarchy meta model, and a business policy and controls meta model (The examiner notes that under the broadest reasonable interpretation, the instant invention appears to be drawn to an ontology analysis structured like that of Zhong as described above with reference to Claim 1 for the purpose of an enterprise company designing a security compliance system that complies with NIST. The NIST SP-800-53 broadly teaches the rules and regulations for “Security and Privacy Controls for Federal Information Systems and Organizations.” Under this broadest reasonable interpretation of the Claims, NIST teaches the claim language of Claim 2. In particular, Pg. 8 Figure 2 Note the Starting point and the different types of data that are used. Also Pg.8 Top of page “Tier 2 includes: (i) defining the mission/business processes needed to support the organization missions/business functions; (ii) determining the security categories of the information systems needed to execute the mission/business processes; (iii) incorporating information security requirements into the mission/business processes; and (iv) establishing an enterprise architecture (including an embedded information security architecture) to facilitate the allocation of security controls…” Also note Table 1 on Pg. 9; any or all of the “Security Control Identifiers and Family Names” read on the different types of meta models claimed. The examiner further notes that Claim 14 is marked as “previously presented” but contains a previously entered amendment which omitted the word “metal” (i.e. [[metal]]). The 
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the ontology structure and processes as taught by Zhong with the rules and regulations as taught by NIST because this would allow for automated security compliance based on business goals as well as security compliance regulations (NIST Pg. 17 “Implementation Tip” fourth bullet point “Organization are encouraged to employ automated management systems to maintain records of the specific common control employed in each organizational information system to enhance the ability of common controls providers to rapidly communicate with system owners.”).
It further would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the process meta-model of construction processes as taught by Zhong with the business policies and regulations as taught by NIST because this would increase the strength of security functionality (NIST Pg. 22 “The strength of security functional plays an important part in being able to achieve the needed security capability and subsequently satisfying the security requirements of organizations. Information system developers can increase the strength of security functionality by employing as part of the hardware/software/firmware development process (i) well-defined security policies and policy models…”). 

With respect to Claim 15, the combination of Zhao and NIST teach wherein the first external compliance dataset includes a first compliance regulation rule, a first analysis task, a first evaluation task, and a first business role (NIST Pg. 10-11 describe how a security control is to be carried by organization or by information systems (Pg. 10 Bottom of Page). Pg. 11 “For example, organizations can specify additional information needed for audit records to support audit event processing. See the AU-3(1) example above.” Looking at AU-3 a person of ordinary skill in the art would realize that this reads on the claim language. In particular, the NIST reference itself reads on the “first external compliance dataset”. Next, AU-3 reads on “a first compliance regulation rule” Reading AU-3 under supplemental guidance “Audit record content that may be necessary to satisfy the requirement of this control includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Event outcomes can include indicators of event success or failure and event-specific results...” Further NIST Pg. 11 Top of page “Assignment and selection statements provide organizations with the capability to tailor security controls and control enhancements based on: (i) security requirements to support organizational missions/business functions and operation needs… and (iii) security requirements originating in federal laws, Executive Orders, directives, policies, regulations, standards, or guidelines.”)
The combination of Zhao and NIST further teach the first analysis task being an action to comply with the first compliance regulation rule (Zhao Pg. 65 Section 4.2.2 “During construction stage, namely, during the execution of the construction process, it is necessary to assure the corresponding inspection actions and evaluation are done, and any quality defect should be detected in time to prevent rework and cost 
The combination of Zhao and NIST further teach the first evaluation task being an action to evaluate a degree of performance of the first analysis task (Zhao Pg. 65 Specifically rule 4-1 “Construction-Task (?ct) ^ Inspection Task (?it) ^ hasInspectionTask (?ct, ?it) ^ Evaluation-Task (?et)…” Note “Evaluation Task” Further Pg. 66 Section 4.2.3 “Once the inspection task of one construction task is determined, the checking actions are performed to collect quality data. The quality data should be evaluated according to the acceptance criteria imposed by regulations so as to decide whether the inspection objects are compliant with the quality acceptance criteria constraints.”). 
The combination of Zhao and NIST further teach the first business role performing the first analysis task and the first evaluation task (NIST Pg. 14 3rd Paragraph “The organization assigns responsibility for common controls to appropriate organizational offices…and coordinates the development, implementation, assessment, authorization, and monitoring of the controls…”). 
With respect to Claim 16, the combination of Zhao and NIST further teach fourteenth program instructions programmed to receive a second external compliance dataset from an external source including a second compliance regulation rule, a second analysis task, and a second evaluation task (NIST Pg. 18 
The combination of Zhao and NIST further teach fifteenth program instructions programmed to update the first external compliance dataset with the second external compliance dataset to generate a third external compliance dataset, the second ontology data structure including the third external compliance dataset that replaces the first external compliance dataset (As evidenced above (See NIST Pg. 14 and/or Pg. 18) the external policies from e.g. contracts are combined with the existing federal regulations and/or internal business policies. This integration of outside rules and regulations read on the claim language). 

With respect to Claim 17, the combination of Zhao and NIST teach wherein the external source is a business model derived from a contract (See NIST Pg. 18 as referenced above.). 

With respect to Claim 18, the combination of Zhao and NIST teach wherein the first and second degrees of performance include a measure for security compliance to a first compliance regulation rule, the measure included in the pre-defined threshold (NIST Pg. 21 Security Capability  3rd paragraph “Traditionally, assessments have been conducted on a control-by-control basis producing results that are characterized as pass (i.e., control satisfied) or fail…Ultimately, authorization decisions…are made based on the degree to which the desired security capabilities have been effectively achieved and are meeting the security requirements defined by an organization…” Pg. 25 “After the security requirements and security capabilities are determined at Tiers 1 and 2 (including the necessary assurance requirements to provide measures of confidence in the desired capabilities)…”). 



Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to FEN TAMULONIS whose telephone number is (571)272-0934.  The examiner can normally be reached on 7:30AM-5:30PM MON-FRI EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ann Lo can be reached on (571)-272-9767.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 




/F.C.T./Examiner, Art Unit 2126
/MICHAEL J HUNTLEY/Primary Examiner, Art Unit 2116