Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

DETAILED ACTION
This non-final Office action responds to claims submitted February 8, 2019.
Claims 1-20 are pending and have been examined.

Claim Objections
Claim 9 is objected to because of the following informalities: The claim recites “the compliance mapping data database.”  The limitation contains a typographical error.  For the purpose of compact prosecution, examiner will interpret the limitation as reciting “the compliance mapping database.”  Appropriate correction is required.


Claim Rejections - 35 USC § 112(b)
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 9-13 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
With respect to claim 9: Claim 9 recites the limitation “the compliance mapping data database.”  There is insufficient antecedent basis for this limitation in the claim.
With respect to claims 10-13: Since the claims depend from claim 9, they are also rejected under §112(b) for the same rationale.

Claim Rejections - 35 USC § 101









35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.







Claims 1-8 are rejected under 35 U.S.C. §101 because the claimed invention is directed to a judicial exception (i.e., a law of nature, a natural phenomenon, or an abstract idea) without significantly more.
With respect to claim 1: The claim recites a process (“a method comprising…”), which is a statutory category of invention.  However, the claim also recites an abstract idea.  The “matching a correlation between the product and the standards content” 1  Accordingly, the claim recites an abstract idea.
	The claim also does not include limitations that integrate the abstract idea into a practical application.  Limitations that may indicate whether the judicial exception has been integrated into a practical application include improvements to another technology or technical field, improvements to the functioning of the computer itself, or meaningful limitations beyond generally linking the use of an abstract idea to a particular technological environment.2  The “reading a standards content into a compliance standard input processor,” “loading a security requirement into a compliance mapping database,” “inputting a security requirement score for each of a set of security requirements for a product,” “receiving a request for a compliance report for the product based on the standards content,” and “outputting the compliance report for the product, the compliance report having the set of security requirements for the product and the security requirement score for the product” limitations recite data gathering and data output.  Merely adding insignificant extra-solution activity to an abstract idea do not integrate the exception into a practical application.3
	The embodiment limitations of “a compliance standard input processor … [and] a compliance mapping database” also fail to integrate the abstract idea into a practical application.  Applicants’ specification teaches 
Paragraph 0043: Turning to FIG. 3, an example, computing device with a hardware processor and accessible machine-readable instructions is 

Paragraph 0059: As such, the description of computing system 700 is merely exemplary and not intended to limit the type, kind, or configuration of components that constitute a computing system suitable for performing computing operations, including, but not limited to, hashing functions.  Additionally, one of ordinary skill in the art will recognize that computing system 700, an application specific computing system (not shown), or combination thereof, may be disposed in a standalone, desktop, server, or rack mountable form factor.

Paragraph 0060: One of ordinary skill in the art will recognize that computing system 700 may be a cloud-based server, a server, a workstation, a desktop, a laptop, a netbook, a tablet, a smartphone, a mobile device, and/or any other type of computing system in accordance with one or more example embodiments.

Neither the claim nor the specification discloses a particular machine.4  Applicants’ specification instead describes generic computers, generic computer components, or a programmed computer to perform generic computer functions.  The claims appear to invoke these computing elements as tools to execute the identified abstract idea.5  The claims also describe the technological environment in which to apply the abstract idea and do not impose meaningful limits on the claims.6  Therefore, examiner concludes the embodiment limitations fail to meaningfully integrate the abstract idea into a practical application.  The claim is directed to an abstract idea.
	The claim also does not include additional limitations that add significantly more to the abstract idea.  The “reading…,” “loading…,” “inputting…,” “receiving…,” and “outputting…” limitations describe the conventional computer functions of “receiving or transmitting data over a network” and “storing and retrieving information in memory.”7  8  Furthermore, as explained earlier in the discussion regarding an integration of the abstract idea into a practical application, the additional element of using a computer or processor to perform the steps recited in the claims amounts to no more than mere instructions to apply the exception using a generic computer component.  Mere instructions to apply a judicial exception using a generic computer component cannot provide an inventive concept.  
Finally, even when considered as an ordered combination, the claims do not contain an inventive concept or add anything significantly more to transform the abstract idea recited in the claims into a patent-eligible application.  Therefore, the claims are not patent-eligible.
With respect to claims 2-8: The dependent claims are ineligible under 35 U.S.C. §101 because the additional recited limitations further describe the identified abstract idea and/or does not recite limitations that integrate the abstract idea into practical application or that qualify as significantly more under the Office’s current guidance on subject matter eligibility.
	(a)	Claim 2: The claim does not integrate the identified abstract idea into a practical application.  The “further comprising adding an additional standards content to the compliance standard input processor” limitation recites data gathering, which is insignificant extra-solution activity.  Merely adding insignificant extra-solution activity to an abstract idea do not integrate the exception into a practical application.  The “further comprising adding…” limitation also does not add significantly more to the abstract idea 
	(b)	Claim 3: The “wherein the standards content comprises a compliance standard and a compliance standard whitepaper” limitation describes the abstract idea previously identified in claim 1.  Thus, the claim recites an abstract idea and is not patent-eligible.
	(c)	Claim 4: The claim does not integrate the identified abstract idea into a practical application.  The “further comprising inputting an implementation note for the security requirement, the implementation note providing a set of information used to determine the security requirement score for the product” limitation recites data gathering, which is insignificant extra-solution activity.  Merely adding insignificant extra-solution activity to an abstract idea do not integrate the exception into a practical application.  The “further comprising inputting…” limitation does not add significantly more to the abstract idea because it describes the conventional computer functions of “receiving or transmitting data over a network” and “storing and retrieving information in memory.”  Such functions do not qualify as significantly more than an abstract idea when recited in a merely generic manner.  Therefore, the claim is not patent-eligible.
	(d)	Claims 5-7: The claims do not integrate the identified abstract idea into a practical application.  The “wherein the compliance report further comprises…” limitations describe the “outputting the compliance report for the product…” limitation recited in claim 1.  The “outputting the compliance report for the product…” limitation 
	(e)	Claim 8: The “further comprising matching correlations between the product solution and the standards content” limitation further describes the abstract idea previously identified in claim 1.  Thus, the claim recites an abstract idea and is not patent-eligible.

Claim Rejections - 35 USC § 103




Claims 1, 2, 4, 5, 6, 9, 10, and 11 are rejected under 35 U.S.C. 103 as being unpatentable over Tewari (Pub. No. 2015/0347390) in view of Tracy (Pub. No. 2003/0050718).
With respect to claim 1: Tewari discloses a method (See at least Paragraph 0006: “In some embodiments, the present invention discloses methods, and systems to perform the methods, for simplifying a process of devising a compliance testing strategy for a product.  The methods can include automatically processing compliance standard documents to generate meta data.”), comprising:
reading a standards content into a compliance standard input processor (See at least Paragraph 0040: “The compliance meta data generation engine can accept the compliance standard documents as input….”  See also Paragraph 0064:
“Operation 600 receives a compliance standard document….  The document can be a government document, issued to establish standards and guidelines to various products.  The document can be a new or an updated document, meaning the compliance meta data generation engine can automatically run when there is a new or updated compliance document, to generate new compliance meta data [to] formulate a new compliance strategy for a product.”  See also Paragraph 0108: “A compliance standard document processor 950 can receive and process all the compliance standard documents 920.  The compliance standard document processor can populate a document graph 951, which includes information from the compliance standard documents 920, and which can be used as input for generating meta data.  Alternatively, each compliance standard document can be processed individually to generate meta data for each document.”);
	loading a security requirement into a compliance mapping database (See at least Paragraph 0040: “The compliance meta data generation engine can … generate compliance standards meta data that contain relevant information in the compliance standard documents, such as compliance requirements related to certain countries, to certain products, or to certain aspects of compliance requirements.”  See also Paragraph 0077: “In some embodiments, the compliance aspects can include safety standards, environmental standards, electromagnetic emission standards, and other standards.”  Examiner asserts “safety standards … and other standards” aspects are security requirements.);  
	receiving a request for a compliance report for the product based on the standards content (See at least Paragraph 0044: “In some embodiments, a product 210 can be evaluated by the compliance engine 240 using input from the meta data 230 to generate a compliance strategy 215, e.g., information related to compliance requirements and testing procedure to obtain the information for the product.  The product 210 can be represented by its characteristics, e.g., characteristics that need to be evaluated to satisfy compliance standards.”  See also Paragraph 0058: “FIG. 4 illustrates a flow chart for generating a compliance strategy from compliance meta data according to some embodiments.  Operation 400 provides information related to a product.  The information includes characteristics of the product that are subjected to governmental regulations….”  Examiner asserts steps to obtain product characteristics is a request for a compliance report.);
	matching a correlation between the product and the standards content (See at least Paragraph 0058: “Operation 410 consults a database, such as a document that contains compliance meta data.  The database can be small or large, depending on the scope of the desired compliance strategy.  For example, a large database can include compliance standards for multiple countries, covering a wide range of products.  A small database can include compliance standards for a single country and for a particular set of compliance aspect.”); and   
	outputting the compliance report for the product... (See at least Paragraph 0059: “Operation 420 obtains, from the database, information related to compliance 
	Tewari does not explicitly teach the remaining limitations.  However, Tracy discloses inputting a security requirement score for each of a set of security requirements for a product (See at least Paragraph 0152: “With the security requirements traceability matrix in place (a portion of which is illustratively shown in FIG. 13), the user proceeds to the testing step 104.  In at least some embodiments of the present invention, user interfaces will be provided, in accordance with the steps shown in FIG. 14, for the user to have the system 600 generate one or more test procedures, and/or add and and/or edit test plan information 1402, associate all the requirements to test procedures 1404, add and/or edit test procedures 1406, enter test results 1408, and/or publish test results 1410.  Any of the above steps can optionally be repeated as needed, as indicated in decision step 1412.”  See also Paragraph 0160: “As discussed above in the context of the SRTM, one or more test procedures within the test procedure database can be mapped to, linked with, and/or otherwise associated with each of the individual requirements within each respective requirements document (FIG. 12).”  See also Paragraph 0161: “[Various] embodiments of the present invention contemplate that the present invention automatically initiates the test, and obtains the results, without the need for any additional manual entry steps.”  See also Paragraph 0071 and 0148.);
the compliance report having the set of security requirements for the product and the security requirement score for the product (See at least Paragraph 0073: “Upon completion of testing 104, the risk assessment step (as indicated by block 106) then involves assessing for each test failure (should any exist) the vulnerability of the system, as well as the level of the threat as determined by the information gathered.  The risk assessment 106 provides as output an estimate of the risk level for each individual test failed.  Each of the failed tests are also collectively considered and used to evaluate the risk level of the system as a whole.  Then, documentation can be optionally printed 108 that includes information pertaining to the first four elements that would enable an accreditation decision to be made based on the inputs and outputs respectively provided and generated in the first four blocks (i.e., 100, 102, 104, 106).”  See also Paragraph 0183: “In the publishing step 108, the present invention collates the results of the certification process and optionally generates the documents needed for accreditation.  The present invention takes the information gathered during the steps corresponding to blocks 100, 102, 104 and 106, and reformats the information by, for example, organizing it into to appropriate documents, document subsections or subparagraphs, sections and/or appendices, etc.”  Examiner notes the identification of security requirements occurs at step 102 and the testing and risk assessment occur at steps 104 and 106.).
	It would have been obvious to one ordinary skill in the art prior to the effective filing date of the claimed invention to include technical features to obtain results from a test associated with a security requirement as well as to include the requirements and test results in a compliance report as described by Tracy in Tewari’s invention.  As KSR International Co. v. Teleflex Inc., 127 S. Ct. 1727, 1739 (2007).  Examiner also submits it would have been obvious to one of ordinary skill in the art to include such features in Tewari’s invention with the motivation of offering a “system that substantially automates the process of performing security risk assessments” as taught by Tracy over the Tewari reference.  Tracy Paragraph 0006.   
With respect to claim 2: The combination of Tewari and Tracy references discloses the method of claim 1, further comprising adding an additional standards content to the compliance standard input processor (See at least Tewari Paragraph 0065: “Operation 600 receives a compliance standard document….  The document can be a government document, issued to establish standards and guidelines to various products.  The document can be a new or an updated document, meaning the compliance meta data generation engine can automatically run when there is a new or updated compliance document, to generate new compliance meta data for formulate new compliance strategy for a product.”  See also Paragraph 0069: “Operation 640 repeats for other compliance standard documents.”).  
	Notwithstanding, the above citation to the Tewari reference, examiner submits the limitation merely describes the repetition of previously recited steps.  Thus, prior to the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to repeat previously recited steps since it has been held that the St Regis Paper Co. v. Bemis Co., 193 USPQ 8.
With respect to claim 4: The combination of Tewari and Tracy references discloses the method of claim 1, further comprising inputting an implementation note for the security requirement, the implementation note providing a set of information used to determine the security requirement score for the product (See at least Tracy Paragraph 0152: “With the security requirements traceability matrix in place (a portion of which is illustratively shown in FIG. 13), the user proceeds to the testing step 104.  In at least some embodiments of the present invention, user interfaces will be provided, in accordance with the steps shown in FIG. 14, for the user to have the system 600 generate one or more test procedures, and/or add and and/or edit test plan information 1402, associate all the requirements to test procedures 1404, add and/or edit test procedures 1406, enter test results 1408, and/or publish test results 1410.  Any of the above steps can optionally be repeated as needed, as indicated in decision step 1412.”  See also Paragraph 0160: “As discussed above in the context of the SRTM, one or more test procedures within the test procedure database can be mapped to, linked with, and/or otherwise associated with each of the individual requirements within each respective requirements document (FIG. 12).”  See also Paragraphs 0071 and 0148.  Examiner submits test procedures are implementation notes.  Furthermore, since the limitation describes element recited in claim 1, examiner relies on the same rationale for including Tracy in the combination of references.).
With respect to claim 5: The combination of Tewari and Tracy references discloses the method of claim 1, wherein the compliance report further comprises a release for the product, the release for the product defining a security requirement score for the product (See at least Tracy Paragraph 0152: “With the security requirements traceability matrix in place (a portion of which is illustratively shown in FIG. 13), the user proceeds to the testing step 104.  In at least some embodiments of the present invention, user interfaces will be provided, in accordance with the steps shown in FIG. 14, for the user to have the system 600 generate one or more test procedures, and/or add and and/or edit test plan information 1402, associate all the requirements to test procedures 1404, add and/or edit test procedures 1406, enter test results 1408, and/or publish test results 1410.  Any of the above steps can optionally be repeated as needed, as indicated in decision step 1412.”  See also Paragraph 0183: “In the publishing step 108, the present invention collates the results of the certification process and optionally generates the documents needed for accreditation.  The present invention takes the information gathered during the steps corresponding to blocks 100, 102, 104 and 106, and reformats the information by, for example, organizing it into to appropriate documents, document subsections or subparagraphs, sections and/or appendices, etc.”  See also Paragraph 0073.  Examiner notes the identification of security requirements occurs at step 102 and testing and risk assessment occur at steps 104 and 106.  Examiner also relies on the same rationale for including Tracy in the combination of references since the limitation describes elements previously recited in claim 1.).
	Furthermore, examiner additionally submits the limitation recites non-functional descriptive material.  It has been held that USPTO personnel need not give patentable weight to an additional instructional limitation absent a new and unobvious functional 
With respect to claim 6: The combination of Tewari and Tracy references discloses the method of claim 1, wherein the compliance report further comprises a security requirement (See at least Tracy Paragraph 0183: “In the publishing step 108, the present invention collates the results of the certification process and optionally generates the documents needed for accreditation.  The present invention takes the information gathered during the steps corresponding to blocks 100, 102, 104 and 106, and reformats the information by, for example, organizing it into to appropriate documents, document subsections or subparagraphs, sections and/or appendices, etc.”
Examiner notes the identification of security requirements occurs at step 102.  Examiner further relies on the same rationale for including Tracy in the combination of references since the limitation describes elements previously recited in claim 1.).
	Furthermore, examiner additionally submits the limitation recites non-functional descriptive material.  It has been held that USPTO personnel need not give patentable weight to an additional instructional limitation absent a new and unobvious functional relationship between the limitation and operative steps performed by the claimed invention.  See MPEP §2111.05.  The limitation only provides an additional description 
With respect to claim 9: Tewari discloses a system (See at least Paragraph 0006: “In some embodiments, the present invention discloses methods, and systems to perform the methods, for simplifying a process of devising a compliance testing strategy for a product.  The methods can include automatically processing compliance standard documents to generate meta data.”) comprising:
	a compliance standard input processor for receiving a standards content (See at least Paragraph 0040: “The compliance meta data generation engine can accept the compliance standard documents as input….”  See also Paragraph 0064:
“Operation 600 receives a compliance standard document….  The document can be a government document, issued to establish standards and guidelines to various products.  The document can be a new or an updated document, meaning the compliance meta data generation engine can automatically run when there is a new or updated compliance document, to generate new compliance meta data [to] formulate a new compliance strategy for a product.”  See also Paragraph 0108: “A compliance standard document processor 950 can receive and process all the compliance standard documents 920.  The compliance standard document processor can populate a document graph 951, which includes information from the compliance standard documents 920, and which can be used as input for generating meta data.  
	a compliance mapping database connected to the compliance standard input processor, the compliance mapping data database comprising the standards content and a set of information about a product; a compliance mapping database editor for adding a correlation for the security requirement (See at least Paragraph 0040: “The compliance meta data generation engine can … generate compliance standards meta data that contain relevant information in the compliance standard documents, such as compliance requirements related to certain countries, to certain products, or to certain aspects of compliance requirements.”  See also Paragraph 0058: “FIG. 4 illustrates a flow chart for generating a compliance strategy from compliance meta data according to some embodiments.  Operation 400 provides information related to a product.  The information includes characteristics of the product that are subjected to governmental regulations….  Operation 410 consults a database, such as a document that contains compliance meta data.  The database can be small or large, depending on the scope of the desired compliance strategy.  For example, a large database can include compliance standards for multiple countries, covering a wide range of products.  A small database can include compliance standards for a single country and for a particular set of compliance aspect.”  See also Paragraph 0077: “In some embodiments, the compliance aspects can include safety standards, environmental standards, electromagnetic emission standards, and other standards.”  Examiner asserts “safety standards … and other standards” aspects are security requirements.); and
a compliance report generator connected to the compliance mapping database for outputting a compliance report for the product (See at least Paragraph 0059: “Operation 420 obtains, from the database, information related to compliance requirements of the product.  The information can be automatically gathered from the database, instead of going through the compliance standard documents.  Operation 430 generates a compliance strategy for the product, wherein the compliance strategy comprises a compliance testing guide and a compliance document.”).
	Tewari does not explicitly disclose the remaining limitations.  However, Tracy discloses a release product requirements scorecard editor connected to the compliance mapping database for inputting a security requirement score for a security requirement for the product (See at least Paragraph 0148: “The SRTM, as discussed above, can be a mapping of one or more test procedures to each individual requirement within a requirements document.  Satisfactory completion of the respective one or more test procedures that can be mapped to each requirement is generally considered to render the requirement satisfied.”  See also Paragraph 0152: “With the security requirements traceability matrix in place (a portion of which is illustratively shown in FIG. 13), the user proceeds to the testing step 104.  In at least some embodiments of the present invention, user interfaces will be provided, in accordance with the steps shown in FIG. 14, for the user to have the system 600 generate one or more test procedures, and/or add and/or edit test plan information 1402, associate all the requirements to test procedures 1404, add and/or edit test procedures 1406, enter test results 1408, and/or publish test results 1410.  Any of the above steps can optionally be repeated as needed, as indicated in decision step 1412.  Each of these See also Paragraph 0161: “It should be appreciated, however, that various embodiments of the present invention contemplate that the present invention automatically initiates the test, and obtains the results, without the need for any additional manual entry steps.”).
	It would have been obvious to one of ordinary skill in the art prior to the effective filing date of the claimed invention to include technical features to obtain results from a test associated with a security requirement as described by Tracy in Tewari’s invention with the motivation of offering a “system that substantially automates the process of performing security risk assessments” as taught by Tracy over the Tewari reference.  Tracy Paragraph 0006.   
With respect to claim 10: Claim 10 recites limitations that are similar to those in claim 4.  Thus, the arguments applied to claim 4 also apply to claim 10.
With respect to claim 11: The combination of Tewari and Tracy references discloses the system of claim 9, wherein the compliance report comprises the security requirement for the product and the security requirement score for the product (See at least Tracy Paragraph 0073: “Upon completion of testing 104, the risk assessment step (as indicated by block 106) then involves assessing for each test failure (should any exist) the vulnerability of the system, as well as the level of the threat as determined by the information gathered.  The risk assessment 106 provides as output an estimate of the risk level for each individual test failed.  Each of the failed tests are also collectively considered and used to evaluate the risk level of the system as a whole.  Then, documentation can be optionally printed 108 that includes information pertaining to the first four elements that would enable an accreditation See also Paragraph 0183: “In the publishing step 108, the present invention collates the results of the certification process and optionally generates the documents needed for accreditation.  The present invention takes the information gathered during the steps corresponding to blocks 100, 102, 104 and 106, and reformats the information by, for example, organizing it into to appropriate documents, document subsections or subparagraphs, sections and/or appendices, etc.”  Examiner notes the identification of security requirements occurs at step 102 and the testing and risk assessment occur at steps 104 and 106.  Examiner also relies on the same rationale for including Tracy in the combination of references since the limitation recites elements previously recited in claim 9.).
	Furthermore, examiner additionally submits the limitation recites non-functional descriptive material.  It has been held that USPTO personnel need not give patentable weight to an additional instructional limitation absent a new and unobvious functional relationship between the limitation and operative steps performed by the claimed invention.  See MPEP §2111.05.  The limitation only provides an additional description of the “compliance report.”  It adds little, if anything, to the claimed steps in a manner that distinguishes the invention from the prior art.  Thus, prior to the effective filing date of the claimed invention, it would have been obvious to a person of ordinary skill in the art to provide an additional description of the “compliance report” since the description is not functionally related to the operative steps performed by the claimed invention.
Claims 3 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Tewari in view of Tracy and further in view of Gemmell (Pub. No. 2013/0091486).
With respect to claim 3: The combination of Tewari and Tracy references discloses the method of claim 1, wherein the standards content comprises a compliance standard… (See at least Tewari Paragraph 0065: “Operation 600 receives a compliance standard document….  The document can be a government document, issued to establish standards and guidelines to various products.  The document can be a new or an updated document….”).  However, the references do not explicitly teach compliance standard documents include a compliance standard whitepaper.  Gemmell discloses a compliance standard whitepaper (See at least Paragraph 0036: “In one example, the compliance data model may include a pointer to a white paper, which may specify steps to be taken for compliance with a regulation.”).
	Gemmell could further modify the combination of references to include white papers in the set of compliance standard documents previously obtained in Tewari.  It would have been obvious to one of ordinary skill in the art prior to the effective filing date of the claimed invention to include technical features to obtain compliance white papers as taught by Gemmell in the combination of references.  As demonstrated by Gemmell, it is within the capabilities of one of ordinary skill in the art to include such features in the combination of references with the predictable result of generating a compliance strategy for a product as needed in Tewari at Paragraph 0059.  KSR International Co. v. Teleflex Inc., 127 S. Ct. 1727, 1739 (2007). 
	Furthermore, examiner additionally submits the limitation recites non-functional descriptive material.  It has been held that USPTO personnel need not give patentable weight to an additional instructional limitation absent a new and unobvious functional relationship between the limitation and operative steps performed by the claimed 
With respect to claim 13: The combination of Tewari and Tracy references discloses the method of claim 9, wherein the standards content comprises a compliance standard … a National Institute of Standards Technology 800-53 (See at least Tewari Paragraph 0065: “Operation 600 receives a compliance standard document….  The document can be a government document, issued to establish standards and guidelines to various products.  The document can be a new or an updated document….”  Examiner submits government documents include both compliance standards and the National Institute of Standards Technology 800-53.).  However, the references do not explicitly teach compliance standard documents include a compliance standard whitepaper.  Gemmell discloses a compliance standard whitepaper (See at least Paragraph 0036: “In one example, the compliance data model may include a pointer to a white paper, which may specify steps to be taken for compliance with a regulation.”).
	Gemmell could further modify the combination of references to include white papers in the set of compliance standard documents previously obtained in Tewari.  It would have been obvious to one of ordinary skill in the art prior to the effective filing date of the claimed invention to include technical features to obtain compliance white KSR International Co. v. Teleflex Inc., 127 S. Ct. 1727, 1739 (2007). 
	Furthermore, examiner additionally submits the limitation recites non-functional descriptive material.  It has been held that USPTO personnel need not give patentable weight to an additional instructional limitation absent a new and unobvious functional relationship between the limitation and operative steps performed by the claimed invention.  See MPEP §2111.05.  The limitation only provides an additional description of the “standards content.”  It adds little, if anything, to the claimed steps in a manner that distinguishes the invention from the prior art.  Thus, prior to the effective filing date of the claimed invention, it would have been obvious to a person of ordinary skill in the art to provide an additional description of the “standards content” since the description is not functionally related to the operative steps performed by the claimed invention.
Claims 7, 8, and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Tewari in view of Tracy and further in view of Perkins (Pub. No. 2010/0058114).
With respect to claim 7: Although the combination of Tewari and Tracy references discloses the method of claim 1, the references do not explicitly teach the remaining limitations.  However, Perkins discloses wherein the compliance report further comprises a product solution (See at least Paragraph 0034:The method can also include identifying any failures from the received results, creating a program management responsive to the failures, the program management including mitigation 
	It would have been obvious to one of ordinary skill in the art prior to the effective filing date of the claimed invention to include technical features to publish mitigation responses to identified failures as taught by Perkins in the combination of references.  As demonstrated by Perkins, it is within the capabilities of one of ordinary skill in the art to include such features in the combination of references with the predictable result of generating a compliance strategy for a product as needed in Tewari at Paragraph 0059.  KSR International Co. v. Teleflex Inc., 127 S. Ct. 1727, 1739 (2007).  
With respect to claim 8: The combination of Tewari, Tracy, and Perkins references discloses the method of claim 7, further comprising matching correlations between the product solution and the standards content (See at least Tewari Paragraph 0025: “For example, after obtaining characteristics of a product, the meta data can identify the compliance standard documents that will need to be consulted.”  See also Paragraph 0044: “In some embodiments, a product 210 can be evaluated by the compliance engine 240 using input from the meta data 230 to generate a compliance strategy 215, e.g., information related to compliance requirements and testing procedure to obtain the information for the product.  The product 210 can be represented by its characteristics, e.g., characteristics that need to be evaluated to satisfy compliance standards.”  See also Paragraph 0058: “Operation 410 consults a database, such as a document that contains compliance meta data.  The database can be small or large, depending on the scope of the desired compliance strategy.  For 
	Notwithstanding, the above citation to the Tewari reference, examiner submits the limitation merely describes the repetition of previously recited steps.  Thus, prior to the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to repeat previously recited steps since it has been held that the mere duplication of the essential working parts of a device involves only routine skill in the art.  St Regis Paper Co. v. Bemis Co., 193 USPQ 8.
With respect to claim 12: Although the combination of Tewari and Tracy references discloses the method of claim 11, the references do not teach the remaining limitations.  However, Perkins discloses wherein the compliance report further comprises a release and a product solution (See at least Paragraph 0034:The method can also include identifying any failures from the received results, creating a program management responsive to the failures, the program management including mitigation responses to the failures, and wherein publishing further includes publishing a program management report.”  Examiner submits mitigation responses include a release and a product solution.).
	It would have been obvious to one of ordinary skill in the art prior to the effective filing date of the claimed invention to include technical features to publish mitigation responses to identified failures as taught by Perkins in the combination of references.  As demonstrated by Perkins, it is within the capabilities of one of ordinary skill in the art KSR International Co. v. Teleflex Inc., 127 S. Ct. 1727, 1739 (2007).  
	Furthermore, examiner additionally submits the limitation recites non-functional descriptive material.  It has been held that USPTO personnel need not give patentable weight to an additional instructional limitation absent a new and unobvious functional relationship between the limitation and operative steps performed by the claimed invention.  See MPEP §2111.05.  The limitation only provides an additional description of the “compliance report.”  It adds little, if anything, to the claimed steps in a manner that distinguishes the invention from the prior art.  Thus, prior to the effective filing date of the claimed invention, it would have been obvious to a person of ordinary skill in the art to provide an additional description of the “compliance report” since the description is not functionally related to the operative steps performed by the claimed invention.
Claims 14, 15, 17, 19, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Tewari in view of Gemmell.
With respect to claim 14: Tewari discloses a non-statutory computer readable medium comprising computer executable instructions stored thereon that, when executed by one or more processing units in a source system (See at least Paragraph 0006: “In some embodiments, the present invention discloses methods, and systems to perform the methods, for simplifying a process of devising a compliance testing strategy for a product.  The methods can include automatically processing compliance standard documents to generate meta data.” See also Paragraph 0115: “In some embodiments, the present invention may also be embodied in a machine or cause the one or more processing units to:
	read a compliance standard with a compliance standard input processor; update the set of security of requirements in the compliance mapping databased based on an additional standards content that is read by the compliance standard input (See at least Paragraph 0040: “The compliance meta data generation engine can accept the compliance standard documents as input….”  See also Paragraph 0064:
“Operation 600 receives a compliance standard document….  The document can be a government document, issued to establish standards and guidelines to various products.  The document can be a new or an updated document, meaning the compliance meta data generation engine can automatically run when there is a new or updated compliance document, to generate new compliance meta data [to] formulate a new compliance strategy for a product.”  See also Paragraph 0069: “Operation 640 repeats for other compliance standard documents.”  See also Paragraph 0108: “A compliance standard document processor 950 can receive and process all the compliance standard documents 920.  The compliance standard document processor can populate a document graph 951, which includes information from the compliance standard documents 920, and which can be used as input for generating meta data.  Alternatively, each compliance standard document can be processed individually to generate meta data for each document.”);
load a set of security requirements based on the standards content into a compliance mapping database (See at least Paragraph 0040: “The compliance meta data generation engine can … generate compliance standards meta data that contain relevant information in the compliance standard documents, such as compliance requirements related to certain countries, to certain products, or to certain aspects of compliance requirements.”  See also Paragraph 0077: “In some embodiments, the compliance aspects can include safety standards, environmental standards, electromagnetic emission standards, and other standards.”  Examiner asserts “safety standards … and other standards” aspects are security requirements.); and
	load correlations of the set of security requirements on the compliance standard [documents]… (The limitation describes identifying security requirements relevant to an identified product under the broadest reasonable interpretation of the claim.  See at least Paragraph 0044: “In some embodiments, a product 210 can be evaluated by the compliance engine 240 using input from the meta data 230 to generate a compliance strategy 215, e.g., information related to compliance requirements and testing procedure to obtain the information for the product.  The product 210 can be represented by its characteristics, e.g., characteristics that need to be evaluated to satisfy compliance standards.”  See also Paragraphs 0058-0059: “Operation 400 provides information related to a product.  The information includes characteristics of the product that are subjected to governmental regulations, such as safety or public exposure.  Operation 410 consults a database, such as a document that contains compliance meta data.  The database can be small or large, depending on the scope of the desired compliance strategy.  For example, a large database can include compliance standards for multiple countries, covering a wide range of products.  A small database can include compliance standard for a single country and for a particular set of compliance aspect.  Operation 420 obtains, from the database, information related to compliance requirements of the product.  The information can be automatically gathered from the database, instead of going through the compliance standard documents.” Examiner again asserts “safety standards … and other standards” aspects are security requirements.  See Paragraph 0077.).
	Although Tewari discloses technical features to receive and process compliance standard documents, the reference does not teach compliance standard documents include a compliance standard whitepaper.  Gemmell discloses read a compliance standard whitepaper with the compliance standard input processor … into the compliance mapping database (Gemmell discloses technical features to locate / obtain a compliance white paper.  See at least Paragraph 0036: “In one example, the compliance data model may include a pointer to a white paper, which may specify steps to be taken for compliance with a regulation.”).
	Gemmell could modify Tewari’s invention to include white papers in the set of compliance standard documents obtained and stored in a database as previously taught in Tewari.  It would have been obvious to one having ordinary skill in the art prior to the effective filing date of the claimed invention to include technical features to obtain compliance white papers as taught by Gemmell in Tewari’s invention.  As demonstrated by Gemmell, it is within the capabilities of one of ordinary skill in the art to include such features in Tewari’s invention with the predictable result of generating a compliance KSR International Co. v. Teleflex Inc., 127 S. Ct. 1727, 1739 (2007). 
With respect to claim 15: The combination of Tewari and Gemmell references discloses the non-transitory computer readable medium of claim 14, further comprising instructions stored thereon that, when executed by the one or more processing units, cause the one or more processing units to update the set of security requirements in the compliance mapping database based on an additional compliance standard whitepaper that is read by the compliance standard input processor (See at least Tewari Paragraph 0064: “Operation 600 receives a compliance standard document….  The document can be a government document, issued to establish standards and guidelines to various products.  The document can be a new or an updated document, meaning the compliance meta data generation engine can automatically run when there is a new or updated compliance document, to generate new compliance meta data [to] formulate a new compliance strategy for a product.”  See also Paragraph 0069: “Operation 640 repeats for other compliance standard documents.”).
	Notwithstanding, the above citation to the Tewari reference, examiner submits the limitation merely describes the repetition of previously recited steps.  Thus, prior to the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to repeat previously recited steps since it has been held that the mere duplication of the essential working parts of a device involves only routine skill in the art.  St Regis Paper Co. v. Bemis Co., 193 USPQ 8.
With respect to claim 17: The combination of Tewari and Gemmell references discloses the non-transitory computer readable medium of claim 14, further comprising to correlate a plurality of products to the set of security requirements (See at least Tewari Paragraph 0044: “In some embodiments, a product 210 can be evaluated by the compliance engine 240 using input from the meta data 230 to generate a compliance strategy 215, e.g., information related to compliance requirements and testing procedure to obtain the information for the product.  The product 210 can be represented by its characteristics, e.g., characteristics that need to be evaluated to satisfy compliance standards.”  See also Paragraphs 0058-0059: “Operation 400 provides information related to a product.  The information includes characteristics of the product that are subjected to governmental regulations, such as safety or public exposure.  Operation 410 consults a database, such as a document that contains compliance meta data.  The database can be small or large, depending on the scope of the desired compliance strategy.  For example, a large database can include compliance standards for multiple countries, covering a wide range of products.  A small database can include compliance standard for a single country and for a particular set of compliance aspect.  Operation 420 obtains, from the database, information related to compliance requirements of the product.  The information can be automatically gathered from the database, instead of going through the compliance standard documents.”  Examiner reiterates “safety standards … and other standards” aspects are security requirements.  See Paragraph 0077.).
With respect to claim 19: The combination of Tewari and Gemmell references discloses the non-transitory computer readable medium of claim 17, further comprising instructions stored thereon that, when executed by the one or more processing units, to generate a compliance report based on the product and the set of security requirements (See at least Tewari Paragraph 0059: “Operation 420 obtains, from the database, information related to compliance requirements of the product.  The information can be automatically gathered from the database, instead of going through the compliance standard documents.  Operation 430 generates a compliance strategy for the product, wherein the compliance strategy comprises a compliance testing guide and a compliance document.”  See also Paragraph 0077: “In some embodiments, the compliance aspects can include safety standards, environmental standards, electromagnetic emission standards, and other standards.”  Examiner asserts “safety standards … and other standards” aspects are security requirements.).
With respect to claim 20: The combination of Tewari and Gemmell discloses the non-transitory computer readable medium of claim 17, further comprising instructions stored thereon that, when executed by the one or more processing units, cause the one or more processing units to generate a compliance report based on a product solution and the set of security requirements (See at least Tewari Paragraph 0059: “Operation 420 obtains, from the database, information related to compliance requirements of the product.  The information can be automatically gathered from the database, instead of going through the compliance standard documents.  Operation 430 generates a compliance strategy for the product, wherein the compliance strategy comprises a compliance testing guide and a compliance document.”  See also Paragraph 0077: “In some embodiments, the compliance aspects can include safety standards, environmental standards, electromagnetic emission standards, and other standards.”  Examiner asserts “safety standards … and other standards” aspects are security requirements.  Examiner further submits a product solution is itself a product.).
Claims 16 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Tewari in view of Gemmell and further in view of Tracy.
With respect to claim 16: Although the combination of Tewari and Gemmell references discloses the non-transitory computer readable medium of claim 14, the references do not explicitly disclose the remaining limitation.  Tracy discloses further comprising instructions stored thereon that, when executed by the one or more processing units cause the one or more processing units to edit an implementation note on one security requirement of the set of security requirements through a compliance mapping database editor (See at least Paragraph 0152: “With the security requirements traceability matrix in place (a portion of which is illustratively shown in FIG. 13), the user proceeds to the testing step 104.  In at least some embodiments of the present invention, user interfaces will be provided, in accordance with the steps shown in FIG. 14, for the user to have the system 600 generate one or more test procedures, and/or add and and/or edit test plan information 1402, associate all the requirements to test procedures 1404, add and/or edit test procedures 1406, enter test results 1408, and/or publish test results 1410.  Any of the above steps can optionally be repeated as needed, as indicated in decision step 1412.”  See also Paragraph 0160: “As discussed above in the context of the SRTM, one or more test procedures within the test procedure database can be mapped to, linked with, and/or otherwise associated with each of the individual requirements within each respective 
	It would have been obvious to one of ordinary skill in the art prior to the effective filing date of the claimed invention to include technical features to edit a test procedure for an associated security requirement as described by Tracy in the combination of references.  As demonstrated by Tracy, it is within the capabilities of one having ordinary skill in the art to include such features in Tewari’s invention with the predictable result of generating a compliance strategy for a product as needed in Tewari at Paragraph 0059.  KSR International Co. v. Teleflex Inc., 127 S. Ct. 1727, 1739 (2007).  Examiner also submits it would have been obvious to one of ordinary skill in the art to include such features in the combination of references with the motivation of offering a “system that substantially automates the process of performing security risk assessments” as taught by Tracy over the Tewari reference.  Tracy Paragraph 0006.   
With respect to claim 18: Although the combination of Tewari and Gemmell references discloses the non-transitory computer readable medium of claim 17, the references do not explicitly disclose the remaining limitation.  Tracy discloses further comprising instructions stored thereon that, when executed by the one or more processing units cause the one or more processing units to enter a score for a security requirement in the set of security requirements for the product (See at least Paragraph 0152: “With the security requirements traceability matrix in place (a portion of which is illustratively shown in FIG. 13), the user proceeds to the testing step 104.  In at least some embodiments of the present invention, user interfaces will be provided, in accordance with the steps shown in FIG. 14, for the user to have the enter test results 1408, and/or publish test results 1410.  Any of the above steps can optionally be repeated as needed, as indicated in decision step 1412.”  See also Paragraph 0161: “[Various] embodiments of the present invention contemplate that the present invention automatically initiates the test, and obtains the results, without the need for any additional manual entry steps.”).
	It would have been obvious to one of ordinary skill in the art prior to the effective filing date of the claimed invention to include technical features to obtain results from a test associated with a security requirement as described by Tracy in the combination of references with the motivation of offering a “system that substantially automates the process of performing security risk assessments” as taught by Tracy over the cited references.  Tracy Paragraph 0006.   

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
	(A)	Desai (Pub. No. 2018/0032331) discloses a method and system for determining safety compliance level of a software product.  Paragraphs 0027-0029.
	(B)	Kamat (Pub. No. 2013/0262484) discloses “methods and systems for managing, collecting, and presenting data pertaining to product regulations and standards.”  Paragraph 0002.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to JOHNATHAN J LINDSEY III whose telephone number is (571)270-3986.  The examiner can normally be reached on Monday-Friday 8:00 AM -4:30 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Nathan Uber can be reached on 571-270-3923.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private 



/J.J.L/Examiner, Art Unit 3687                                                                                                                                                                                                        

/ANDREW B WHITAKER/Primary Examiner, Art Unit 3629                                                                                                                                                                                                        


    
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
    

    
        1 2019 Revised Patent Subject Matter Eligibility Guidance, 84 Fed. Reg. 50, 52 (Jan. 7, 2019) [hereinafter 2019 Revised Guidance].
        2 Id. at 55.
        3 Id.
        4 MPEP §2106.05(b).  
        5 Id.  
        6 Id.  
        7 MPEP §2106.05(d)(II).  
        8 Id.