DETAILED ACTION
	Claims 1-20 are presented on 01/25/2019 for examination on merits.  Claims 1, 15, and 18 are independent base claims.  

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Examiner's Instructions for filing Response to this Office Action
When the Applicant submits amendments regarding to the claims in response the Office Action, the Examiner would prefer that Applicant submit two sets of claims: 
Set #1 that includes indicators for the status of claim and all marked amendments to the claims; and 
Set #2 comprising a clean version of the claims with all the markups removed for entry, as an appendix to the Set #1.

Information Disclosure Statement
The information disclosure statement(s) (IDS) submitted as for examination on merits are in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement(s) is/are being considered by the examiner. See the annotated 1449 documents.

Claim Objections
Claims 1, 9-12, 15-17, and 18-20 are objected to because of the following informalities:  
Claims 9-12, 16-17, and 19-20 each recite the limitation of “assigning a weighting” or “assigning the weighting” deficiently.  If the weight assigned for prioritizing remedial actions 

Claims 1, 15 and 18 each recite a descriptor “a given one” in the generating step of the respective claims without pointing out how the identified cryptographic technique(s) or the component(s) of the enterprise system is selected or given for profile generation by the component(s) of the enterprise system after the identifying of the cryptographic technique(s).  It appears the descriptor “a given one” is used in an informal way for description of one of the multiples.  If so, the Examiner suggests directly reciting the limitations “at least one of the identified cryptographic techniques” and “at least one of the one or more components of the enterprise system” in the claims, respectively.
Claims 4-6 inconsistently recite the limitation for ”one or more cryptographic techniques” or “cryptographic techniques" in the claims.  The Examiner suggests reciting “the cryptographic techniques."

Appropriate correction is required.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):

(B)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:

The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention. 


Claims 1-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA  the applicant regards as the invention.

The rejection(s) under 35 U.S.C. 112(b) is/are determined by the following reasons:
Independent claims 1, 15, and 18 each recite the limitation "the given identified cryptographic technique" (in singular form) in the determining step and the identifying step without sufficient antecedent basis for this limitation in the claims.  It should be noted that the claims define generating one or more profiles characterizing usage of at least one of the identified cryptographic techniques, which means that a plurality of cryptographic techniques may be included.   
Claims 7-14, 16-17, and 19-20 also recite the limitation "the given identified cryptographic technique" (in singular form) in the determining step and the identifying step without sufficient antecedent basis for this limitation in the claims for the same reason as their base claims 1, 15, and 18, respectively.
Claims 4-6 inconsistently recite the limitation for ”one or more cryptographic techniques” or “cryptographic techniques" lacking sufficient antecedent basis for this limitation in the claims.
Claims 2-14, 16-17, and 19-20 are further rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, because they depend from the rejected base claims 1, 15, and 18, respectively.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:


The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.


In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

Claims 1-3, 15, and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Ahuja (US 20190207954 A1) in view of Fischer (US 20140006574 A1).

As per claim 1, Ahuja teaches a method comprising: 
monitoring an enterprise system to identify cryptographic techniques utilized by one or more components of the enterprise system (Ahuja, par. 0019-0021: monitoring a connection or traffic between devices and analyze characteristics of the connection … to determine a protocol identification and an extrapolated protocol state for the encryption protocol), the one or more components comprising at least one of physical and virtual computing resources (Ahuja, FIG. Ahuja; par. 0023 and 0025-0027); 
generating one or more profiles characterizing usage of at least a given one of the identified cryptographic techniques by at least a given one of the one or more components of the enterprise system (Ahuja, par. 0020: use information obtained from detectors in order to characterize the protocols used on data packets intercepted or received by the security system, which is essentially the usage of cryptographic techniques by the protocol. The ability to characterize the protocols allows the security system to perform certain security actions.  Here the statistical means including methods such as observing the histogram of bytes or byte sequences is mapped to the claimed usage); 
identifying one or more remedial actions for mitigating the effect of cryptographic obsolescence of the given identified cryptographic technique on the enterprise system (Ahuja, par. 0021-0022 identifying needed updates as a remedy to risks; par. 0031: takes remedial action; par. 0060-0061: sending a request to perform a security service (e.g., TCP/IP reassembly) for the packets to generate reassembled data); and 
initiating one or more of the identified remedial actions to modify a configuration of one or more components of the enterprise system (Ahuja, par. 0031: DLP microservices detect and report threats to a chassis controller microservice, which takes remedial action, including updating protocol state 934, which inherently modifies the configuration of one or more components of the network nodes or systems); 
wherein the method is performed by at least one processing device comprising a processor coupled to a memory (Ahuja, par. 0025-0027: a hardware processor 102 (such as a central processing unit (CPU) or one or more cores thereof and 0086: protocol extrapolation processor 820).
Ahuja does not explicitly disclose utilizing the generated one or more profiles or logs to determine an effect of cryptographic obsolescence of the given identified cryptographic technique.  This aspect of the claim is identified as a difference.
In a related art, Fischer teaches:
determining an effect of cryptographic obsolescence of the given identified cryptographic technique on the enterprise system utilizing the generated one or more profiles (Fischer, par. 0007 and 0014-0016: building automation or risk management devices … by updating of cryptographic keys or expired certificates, or attack signatures.  Fischer discloses that cryptographic keys, for example, may be assigned a validity. An outdated or expired key obviously posts risk to or risky effect on the encryption method used by Fischer’s system.  An update of the cryptographic keys is then provided after a corresponding validity has expired.  0034.  See also par. 0088-0090: A monitoring and update mechanism, which checks the expiration of stored certificates and triggers a certificate renewal in a defined period); 
Ahuja and Fischer are analogous art, because they are in a similar field of endeavor in improving risk detection techniques for the deployed cryptographic techniques.  Thus, it would have been obvious to one of ordinary in the art, before the effective filing date of the claimed invention, to combine them and to use Fischer to modify Ahuja to detect and determine the effectiveness of cryptographic methods or elements.  The rationale for this combination is to use known technique to improve similar system concerning, for example, outdated encryption keys or expired certificate such that the combination would have produced predictable results with reasonable expectation of success. For this combination, the motivation would have been to improve the level of security with reduction of risks of cryptographic obsolescence of identified cryptographic techniques in use.

As per claim 2, the references as combined above teach the method of claim 1 wherein monitoring the enterprise system to identify the cryptographic techniques comprises identifying Ahuja, par. 0040: monitor network traffic and other data sent between an application 416 and one or more servers 404. That means, the monitoring step in Ahuja comprises identifying application 416.  Ahuja also discloses that application 416 is deployed in a networked environment, for example, data centers, which is evidently a component of the enterprise system).

As per claim 3, the references as combined above teach the method of claim 2 wherein monitoring the enterprise system to identify the cryptographic techniques further comprises: 
identifying cryptographic libraries stored on the components of the enterprise system (Ahuja, par. 0039: various data repositories in the one or more memories for storing data structures, which includes a security service; par. 0060); and 
identifying cryptographic shared library versions utilized by the identified applications and operating systems deployed on the components of the enterprise system (Ahuja, par. 0051 and 0060-0061: the data and state repository, which micro-services are called at every level of the security hierarchy).

As per claim 15, Ahuja teaches a computer program product comprising a non-transitory processor-readable storage medium having stored therein program code of one or more software programs (par. 0023 and 0032-0033: processor 102 and a non-transitory computer -readable medium, such as digital media, including another disc drive, a CD, a CDROM, a DVD, a USB flash drives), wherein the program code when executed by at least one processing device causes the at least one processing device: 
to monitor an enterprise system to identify cryptographic techniques utilized by one or more components of the enterprise system, the one or more components comprising at least one of physical and virtual computing resources (Ahuja, par. 0019-0021: monitoring a Ahuja; par. 0023 and 0025-0027); to 
generate one or more profiles characterizing usage of at least a given one of the identified cryptographic techniques by at least a given one of the one or more components of the enterprise system (Ahuja, par. 0020: use information obtained from detectors in order to characterize the protocols used on data packets intercepted or received by the security system, which is essentially the usage of cryptographic techniques by the protocol. The ability to characterize the protocols allows the security system to perform certain security actions.  Here the statistical means including methods such as observing the histogram of bytes or byte sequences is mapped to the claimed usage); to 
to identify one or more remedial actions for mitigating the effect of cryptographic obsolescence of the given identified cryptographic technique on the enterprise system (Ahuja, par. 0021-0022 identifying needed updates as a remedy to risks; par. 0031: takes remedial action; par. 0060-0061: sending a request to perform a security service (e.g., TCP/IP reassembly) for the packets to generate reassembled data); and 
to initiate one or more of the identified remedial actions to modify a configuration of one or more components of the enterprise system(Ahuja, par. 0031: DLP microservices detect and report threats to a chassis controller microservice, which takes remedial action, including updating protocol state 934, which inherently modifies the configuration of one or more components of the network nodes or systems).
However, Ahuja does not explicitly disclose utilizing the generated one or more profiles or logs to determine an effect of cryptographic obsolescence of the given identified cryptographic technique.  This aspect of the claim is identified as a difference.
In a related art, Fischer teaches:
Fischer, par. 0007 and 0014-0016: building automation or risk management devices … by updating of cryptographic keys or expired certificates, or attack signatures.  Fischer discloses that cryptographic keys, for example, may be assigned a validity. An outdated or expired key obviously posts risk to or risky effect on the encryption method used by Fischer’s system.  An update of the cryptographic keys is then provided after a corresponding validity has expired.  0034.  See also par. 0088-0090: A monitoring and update mechanism, which checks the expiration of stored certificates and triggers a certificate renewal in a defined period); 
Ahuja and Fischer are analogous art, because they are in a similar field of endeavor in improving risk detection techniques for the deployed cryptographic techniques.  Thus, it would have been obvious to one of ordinary in the art, before the effective filing date of the claimed invention, to combine them and to use Fischer to modify Ahuja to detect and determine the effectiveness of cryptographic methods or elements.  The rationale for this combination is to use known technique to improve similar system concerning, for example, outdated encryption keys or expired certificate such that the combination would have produced predictable results with reasonable expectation of success. For this combination, the motivation would have been to improve the level of security with reduction of risks of cryptographic obsolescence of identified cryptographic techniques in use.

As per claim 18, Ahuja teaches an apparatus comprising: 
at least one processing device comprising a processor coupled to a memory (Ahuja, par. 0023 and 0032-0033: processor 102 and memory); 
the at least one processing device being configured: 
to monitor an enterprise system to identify cryptographic techniques utilized by one or more components of the enterprise system, the one or more components comprising at least Ahuja, par. 0019-0021: monitoring a connection or traffic between devices and analyze characteristics of the connection … to determine a protocol identification and an extrapolated protocol state for the encryption protocol.  FIG. 1 shows at least one of physical and virtual computing resources in the network node or device of Ahuja; par. 0023 and 0025-0027); 
to generate one or more profiles characterizing usage of at least a given one of the identified cryptographic techniques by at least a given one of the one or more components of the enterprise system (Ahuja, par. 0020: use information obtained from detectors in order to characterize the protocols used on data packets intercepted or received by the security system, which is essentially the usage of cryptographic techniques by the protocol. The ability to characterize the protocols allows the security system to perform certain security actions.  Here the statistical means including methods such as observing the histogram of bytes or byte sequences is mapped to the claimed usage); 
to identify one or more remedial actions for mitigating the effect of cryptographic obsolescence of the given identified cryptographic technique on the enterprise system (Ahuja, par. 0021-0022 identifying needed updates as a remedy to risks; par. 0031: takes remedial action; par. 0060-0061: sending a request to perform a security service (e.g., TCP/IP reassembly) for the packets to generate reassembled data); and
 to initiate one or more of the identified remedial actions to modify a configuration of one or more components of the enterprise system (Ahuja, par. 0031: DLP microservices detect and report threats to a chassis controller microservice, which takes remedial action, including updating protocol state 934, which inherently modifies the configuration of one or more components of the network nodes or systems).
However, Ahuja does not explicitly disclose utilizing the generated one or more profiles or logs to determine an effect of cryptographic obsolescence of the given identified cryptographic technique.  This aspect of the claim is identified as a difference.

to determine an effect of cryptographic obsolescence of the given identified cryptographic technique on the enterprise system utilizing the generated one or more profiles (Fischer, par. 0007 and 0014-0016: building automation or risk management devices … by updating of cryptographic keys or expired certificates, or attack signatures.  Fischer discloses that cryptographic keys, for example, may be assigned a validity. An outdated or expired key obviously posts risk to or risky effect on the encryption method used by Fischer’s system.  An update of the cryptographic keys is then provided after a corresponding validity has expired.  0034.  See also par. 0088-0090: A monitoring and update mechanism, which checks the expiration of stored certificates and triggers a certificate renewal in a defined period); 
Ahuja and Fischer are analogous art, because they are in a similar field of endeavor in improving risk detection techniques for the deployed cryptographic techniques.  Thus, it would have been obvious to one of ordinary in the art, before the effective filing date of the claimed invention, to combine them and to use Fischer to modify Ahuja to detect and determine the effectiveness of cryptographic methods or elements.  The rationale for this combination is to use known technique to improve similar system concerning, for example, outdated encryption keys or expired certificate such that the combination would have produced predictable results with reasonable expectation of success. For this combination, the motivation would have been to improve the level of security with reduction of risks of cryptographic obsolescence of identified cryptographic techniques in use.

Claims 4-5 are rejected under 35 U.S.C. 103 as being unpatentable over Ahuja and Fischer, and further in view of Matsushima (US 20100332820 A1; hereinafter “Matsu”).

As per claim 4, the references of Ahuja and Fischer as combined above teach the method of claim 2, but do not explicitly disclose the steps for searching the stored data items to 
In a related art, Matsu teaches:
wherein monitoring the enterprise system to identify the cryptographic techniques further comprises: 
searching data items stored on the components of the enterprise system to identify one or more cryptographic keys and digitally signed data items (Matsu, par. 0117: the control unit searches the key lengths for a key length corresponding to the type of the second encryption algorithm; par. 0281-0283); and 
analyzing the identified cryptographic keys and digitally signed data items to identify usage of cryptographic techniques by the identified applications and operating systems deployed on the components of the enterprise system (Matsu, par. 0220-0224: Analyzing the received Migration Package ID, the encrypted parent key, the Encryption Parameters, the Conformance Certificate 212, and the Information Management Certificate 211. The Certificate Analyzing Unit 502 verifies the validity of the certificates).
Matsu is analogous art to the claimed invention in a similar field of endeavor in improving management of cryptographic techniques and security analysis.  Thus, it would have been obvious to one of ordinary in the art, before the effective filing date of the claimed invention, to modify the Ahuja-Fischer system with Matsu to include steps for searching the stored data items to identify and analyze one or more cryptographic keys and digitally signed data items. For this combination, the motivation would have been to improve the level of security with Matsu’s security analysis techniques.

As per claim 5, the references as combined above teach the method of claim 1 but do not explicitly disclose the steps for analyzing log files to determine cryptographic techniques 
In a related art, Matsu teaches:
wherein monitoring the enterprise system to identify the cryptographic techniques comprises: 
analyzing log files to determine cryptographic techniques utilized for communication between one or more components of the enterprise system and one or more entities external to the enterprise system (Matsu, par. 0205-0220: [analyzing] and verifying the validity of the certificates and keys based on the Migration Package in the record stored in the Storage Area 507, which is obviously a form of log files); and 
monitoring network traffic to identify negotiation of one or more cryptographic techniques utilized for communication between one or more components of the enterprise system and one or entities external to the enterprise system (Matsu, par. 0144-1050: Attestation Identity Key Credential; The Information Management Certificate 211 is used for checking the method adopted for the management of the Secret Data 215).
Matsu is analogous art to the claimed invention in a similar field of endeavor in improving management of cryptographic techniques and security analysis.  Thus, it would have been obvious to one of ordinary in the art, before the effective filing date of the claimed invention, to modify the Ahuja-Fischer system with Matsu to use log files to facilitate the review and analysis of cryptographic techniques for communication between components inside and outside the enterprise system. For this combination, the motivation would have been to improve the level of security with Matsu’s security analysis techniques.

Claims 6-8 are rejected under 35 U.S.C. 103 as being unpatentable over Ahuja and Fischer, and further in view of Wisniewski (US 20200053065 A1; hereinafter “Wis”).

As per claim 6, the references as combined above teach the method of claim 1 but do not explicitly disclose an interface from a cloud service provider and the identifying and accessing steps for the interfaces to one or more hosted applications accessed by one or more components of the enterprise system. This aspect of the claim is identified as a further difference.
In a related art, Wis teaches:
wherein monitoring the enterprise system to identify the cryptographic techniques comprises: 
identifying one or more third-party cloud service providers providing interfaces to one or more hosted applications accessed by one or more components of the enterprise system (Wis, par. 0024: The key management system in the data center 120 may interface with one or more cloud clients 105 via the cloud platform 115); and 
accessing the interfaces to identify cryptographic techniques used to protect the one or more hosted applications (Wis, par. 0025: In some cases, the cloud platform 115 may provide an interface for the cloud clients 105 to control secrets managed by the key management system).
Wis is analogous art to the claimed invention in a similar field of endeavor in improving security analysis.  Thus, it would have been obvious to one of ordinary in the art, before the effective filing date of the claimed invention, to modify the Ahuja-Fischer system with Wis to identify one or more third-party cloud service providers providing interfaces to one or more hosted applications accessed by one or more components of the enterprise system. For this combination, the motivation would have been to improve the level of security with the aid of cloud based services.

As per claim 7, the references as combined above teach the method of claim 1 but do not explicitly disclose the step of utilizing the generated one or more profiles for determining the 
In a related art, Wis teaches:
wherein determining the effect of cryptographic obsolescence of the given identified cryptographic technique on the enterprise system utilizing the generated one or more profiles is performed responsive to detecting that the given identified cryptographic technique has undergone a change in status associated with vulnerability of the given identified cryptographic technique (Wis, par. 0055: determining a timer for periodically re-encrypting the set of encryption keys has expired, or a combination of these events; par. 0072: receiving a request from the tenant of the database to delete a key of the set of encryption keys, determining a timer for periodically re-encrypting the set of encryption keys has expired).
Wis is analogous art to the claimed invention in a similar field of endeavor in improving security analysis.  Thus, it would have been obvious to one of ordinary in the art, before the effective filing date of the claimed invention, to modify the Ahuja-Fischer system with Wis to use generated profiles for determining the obsolescence of a given cryptographic technique. For this combination, the motivation would have been to improve the level of security by profiling the cryptographic techniques.

As per claim 8, the references as combined above teach the method of claim 1 but do not explicitly disclose a step for determining the effect of cryptographic obsolescence of the given identified cryptographic technique in response to receiving a user query of a hypothetical change in status associated with vulnerability of the given identified cryptographic technique This aspect of the claim is identified as a further difference.
In a related art, Wis teaches:

Wis is analogous art to the claimed invention in a similar field of endeavor in improving security analysis.  Thus, it would have been obvious to one of ordinary in the art, before the effective filing date of the claimed invention, to modify the Ahuja-Fischer system with Wis to use generated profiles for determining the obsolescence of a given cryptographic technique. For this combination, the motivation would have been to improve the level of security by profiling the cryptographic techniques.

Claims 9, 10, 16, and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Ahuja and Fischer, and further in view of Wasiq (US 10409995 B1).

As per claim 9, the references as combined above teach the method of claim 1 but do not explicitly disclose the step for assigning a weight for prioritizing remedial actions to mitigate the risk of cryptographic obsolescence of the given identified cryptographic technique in the process of determining the effect of cryptographic obsolescence of the given identified cryptographic technique on the enterprise system.  This aspect of the claim is identified as a further difference.

wherein determining the effect of cryptographic obsolescence of the given identified cryptographic technique on the enterprise system utilizing the generated one or more profiles comprises: 
assigning a weighting for prioritizing remedial actions to mitigate the risk of cryptographic obsolescence of the given identified cryptographic technique relative to remedial actions for mitigating the risk of cryptographic obsolescence of at least one other one of the identified cryptographic techniques (Wasiq: col. 1, lines 62-67 and FIG. 5: BLOCKS 508, 510, and 516: assign a weight to the change (e.g. encryption or decryption keys) based at least in part on the risk or size/amount of change. Wasiq discloses the security review is triggered with weight assigned to a change /update to cryptographic key material).
Wasiq is analogous art to the claimed invention in a similar field of endeavor in improving management of cryptographic key material.  Thus, it would have been obvious to one of ordinary in the art, before the effective filing date of the claimed invention, to combine them and to use Wasiq with the Ahuja-Fischer system to use a weighting mechanism for prioritizing remedial actions.  The rationale for this combination is to use known technique to improve similar system concerning updating outdated encryption keys or expired certificates.  such that the combination would have produced predictable results with reasonable expectation of success. For this combination, the motivation would have been to improve the level of security with updated cryptographic techniques.

As per claim 10, the references of Ahuja and Fischer and Wasiq as combined above teach the method of claim 9 and Wasiq also teaches:
wherein assigning the weighting comprises: 
identifying a first set of components of the enterprise system affected by cryptographic obsolescence of the given identified cryptographic technique (Wasiq, [identifying] various factors sensitivity classification of data handled by the changed service – mapped to a first set of components of the enterprise system, code safety history of the development team that made the change, cyclomatic complexity of the source code of the service, and other factors.  Note Wasiq’s security review of risk is associated with a change /update to cryptographic key material); 
identifying a second set of components of the enterprise system affected by cryptographic obsolescence of the at least one other one of the identified cryptographic techniques (Wasiq, col. 2, lines 1-8: Identifying … code safety history of the development team, which is a second set of components); and 
assigning the weighting based at least in part on relative importance of the first set of components and the second set of components in the enterprise system (Wasiq may assign a weight to the change based at least in part on the risk or size/amount of change, including… factors of aforementioned the first and second sets of components; col. 1, lines 62-67 and col. 8, lines18-35).
Wasiq is used for this combination for the same reason as claim 9; and the motivation would have been to improve the level of security with improved prioritization of the security updates.

As per claim 16, it is directed to the computer program product of claim 15 comprising the same limitations as claim 9.  Similarly to claim 9, Wasiq teaches:
wherein determining the effect of cryptographic obsolescence of the given identified cryptographic technique on the enterprise system utilizing the generated one or more profiles comprises: assigning a weighting for prioritizing remedial actions to mitigate the risk of cryptographic obsolescence of the given identified cryptographic technique relative to remedial actions for mitigating the risk of cryptographic obsolescence of at least one other one of the identified cryptographic techniques (Wasiq: col. 1, lines 62-67 and FIG. 5: BLOCKS 508, 510, 

As per claim 19, it is directed to the apparatus of claim 18 comprising the same limitations as claim 9.  Similarly to claim 9, Wasiq teaches:
wherein determining the effect of cryptographic obsolescence of the given identified cryptographic technique on the enterprise system utilizing the generated one or more profiles comprises: assigning a weighting for prioritizing remedial actions to mitigate the risk of cryptographic obsolescence of the given identified cryptographic technique relative to remedial actions for mitigating the risk of cryptographic obsolescence of at least one other one of the identified cryptographic techniques (Wasiq: col. 1, lines 62-67 and FIG. 5: BLOCKS 508, 510, and 516: assign a weight to the change (e.g. encryption or decryption keys) based at least in part on the risk or size/amount of change. Wasiq discloses the security review is triggered with weight assigned to a change /update to cryptographic key material). Wasiq is used for this combination for the same reason as claim 9.

Claim 14 is rejected under 35 U.S.C. 103 as being unpatentable over Ahuja and Fischer, and further in view of Nelson (US 20140033305 A1).

As per claim 14, the references as combined above teach the method of claim 1 but do not explicitly disclose a step for modifying the configuration of one or more components of the enterprise system and switching a given identified cryptographic technique This aspect of the claim is identified as a further difference.
In a related art, Nelson teaches:

Nelson is analogous art to the claimed invention in a similar field of endeavor in improving security analysis.  Thus, it would have been obvious to one of ordinary in the art, before the effective filing date of the claimed invention, to modify the Ahuja-Fischer system with Nelson to include other different cryptographic techniques for updates. For this combination, the motivation would have been to improve the level of security by timely switching to other/different cryptographic techniques.

Allowable Subject Matter
Claim 11-13, 17, and 20 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
The claims 11 and 17 each recite elements for a comparison of a first time at which the given identified cryptographic technique is projected to be cryptographically obsolete and a second time at which the at least one other one of the identified cryptographic techniques is projected to be cryptographically obsolete.  These elements, in combination with the other limitations in the independent claims 1 and 15, are not anticipated by, nor made obvious over the prior art of record.
assigning the weighting based at least in part on a comparison of the first amount of resources and the second amount of resources wherein the first amount of resources required identified for implementing the remedial actions for mitigating the risk associated with cryptographic obsolescence of the given identified cryptographic technique; and the second amount of resources required for implementing the remedial actions for mitigating the risk associated with cryptographic obsolescence of the at least one other one of the identified cryptographic techniques.  These elements, in combination with the other limitations in the independent claims 1 and 18, are not anticipated by, nor made obvious over the prior art of record.
Claim 13 is objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.  It is noted that claim 13 recites a limitation for “switching from utilizing a first key length for the given identified cryptographic technique to utilizing a second key length for the given identified cryptographic technique, the second key length being longer than the first key length” which is not anticipated by, nor made obvious over the prior art of record.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure as the prior art additionally discloses certain parts of the claim features (See “PTO-892 Notice of Reference Cited”).
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DON ZHAO whose telephone number is (571)272.9953.  The examiner can normally be reached on Monday to Friday, 7:30 A.M to 5:00 P.M EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl G Colin can be reached on 571.272.3862.  The fax phone number for the organization where this application or proceeding is assigned is 571.273.8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866.217.9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800.786.9199 (IN USA OR CANADA) or 571.272.1000.


/Don G Zhao/Primary Examiner, Art Unit 2493                                                                                                                                                                                                        06/03/2021