DETAILED ACTION
 	Claims 1-20 are pending and have been examined.

 	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Rejections - 35 USC § 101
      35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


      Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.  The claims are directed to an abstract idea without significantly more.
Here, under step 1 of the Alice analysis, method claims 1-7 are directed to a series of steps, computer-readable storage medium claims 8-14 are directed to stored computer program instructions, and system claims 15-20 are directed to a processor; and a non-transitory computer-readable storage medium comprising stored computer program instructions. Thus the claims are directed to a process, manufacture, and machine, respectively.
Under step 2A of the analysis, the claimed invention is directed to an abstract idea without significantly more. The claims recite generating a recommendation, including retrieving, identifying, generating, and providing steps.  

Specifically, the claim elements include retrieving data corresponding to an asset, wherein the asset is a computing device or software application of an enterprise system; identifying a set of vulnerabilities of the asset; for each vulnerability in the set of vulnerabilities, generating a recommendation for mitigating the vulnerability; and generating a list of the recommendations for display.
That is, other than reciting a computing device, a processor and a user interface, nothing in the claim elements precludes the steps from practically being performed in the mind.  If the claim limitations, under the broadest reasonable interpretation, cover performance of the limitations in the mind, but for the recitation of generic computer components, then they fall within the “Mental Processes” grouping of abstract ideas.  Accordingly, the claims recite an abstract idea.
This judicial exception is not integrated into a practical application.  The claims include a computing device, a processor and a user interface.  The computing device, processor and user interface in the steps are recited at a high level of generality, such that they amount to no more than mere instructions to apply the exception using a generic computer component.  Accordingly, these additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea.  As a result, the claims are directed to an abstract idea.

None of the dependent claims recite additional limitations that are sufficient to amount to significantly more than the abstract idea. Claims 2-4 further describe the current workflow. Claim 5 recites additional receiving, converting and storing steps.  Claim 6 further describes converting the workflow. Claims 7-9 further describe the past workflow data. Claim 10 further describes the contextual knowledge. Similarly, dependent claims 12-19 recite additional details that further restrict/define the abstract idea. A more detailed abstract idea remains an abstract idea.
Under step 2B of the analysis, the claims include, inter alia, a computing device, a processor and a user interface.
As discussed with respect to Step 2A Prong Two, the additional elements in the claim amount to no more than mere instructions to apply the exception using a generic computer component.  The same analysis applies here in 2B, i.e., mere instructions to apply an exception on a generic computer cannot integrate a judicial exception into a practical application at Step 2A or provide an inventive concept in Step 2B.

In addition, as discussed in paragraphs 0074-0075 of the specification, “The machine may be a server computer, a client computer, a personal computer (PC), a tablet PC, a set-top box (STB), a personal digital assistant (PDA), a cellular telephone, a smartphone, a web appliance, a network router, switch or bridge, or any machine capable of executing instructions 624 (sequential or otherwise) that specify actions to be taken by that machine. Further, while only a single machine is illustrated, the term "machine" shall also be taken to include any collection of machines that individually or jointly execute instructions 124 to perform any one or more of the methodologies discussed herein. The example computer system 600 includes a processor 602 (e.g., a central processing unit (CPU), a graphics processing unit (GPU), a digital signal processor (DSP), one or more application specific integrated circuits (ASICs), one or more radio-frequency integrated circuits (RFICs), or any combination of these), a main memory 604, and a static memory 606, which are configured to communicate with each other via a bus 608. The computer system 600 may further include visual display interface 610. The visual 
As such, this disclosure supports the finding that no more than a general purpose computer, performing generic computer functions, is required by the claims.
Viewed as a whole, these additional claim element(s) do not provide meaningful limitation(s) to transform the abstract idea into a patent eligible application of the abstract idea such that the claim(s) amounts to significantly more than the abstract idea itself.  Therefore, the claim(s) are rejected under 35 U.S.C. 101 as being directed to non-statutory subject matter.  See Alice Corporation Pty. Ltd. v. CLS Bank Int’l et al., No. 13-298 (U.S. June 19, 2014).

Claim Rejections - 35 USC § 102
 	In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new 
 	The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

 	Claims 1-20 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Sarkissian (US 20200410001 A1).
As per claim 1, Sarkissian discloses a method, comprising: 
retrieving data corresponding to an asset, wherein the asset is a computing device or software application of an enterprise system (i.e., FIGS. 1A and 1B show a dataflow diagram of systems and techniques according to various examples. Some examples include categorizing, collecting and processing data to create a baseline dataset, ¶ 0042, wherein An event-source device 802 (e.g., a Question & Answer (Q&A) user interface (UI), API client device, or computer running a software agent to detect or report events) can be configured to collect data from external sources (e.g., risk-relevant changes outside the system's immediate and internal environment) relevant to users of system 800. The event-source device 802 can, e.g., collect of data from set formats delivered from various utility, organizational, security, cyber security or compliance tools such as vulnerability scans results, penetration test results, quality assurance test results or other Form Data, ¶ 0151); 

for each vulnerability in the set of vulnerabilities, generating a recommendation for mitigating the vulnerability (i.e., Such software configured to identify resolutions to risks and to prioritize responses to such risks. Such software configured to perform machine learning training or to use trained models for any or all of: risk identification, risk diagnosis, decision making, management, pre-emptive risk planning and mitigation, or risk management ¶ 0037); 
generating a user interface for the asset comprising a list of the recommendations; and providing the user interface for display (i.e., decisions regarding suggestions (or recommended treatments and solutions) or other items in the Stream (1c) can include, e.g., decisions to accept a recommendation, accept a risk (e.g., refuse a recommendation), or postpone a decision. Other actions can take in the form of a confirmation (or a decision) of an advice, reminder, notification or alert by clicking Confirm, Decline, OK, or Skip, ¶ 0043, wherein Various examples determine commands, e.g., commands to present recommendations of actions which users will find useful via a user interface (e.g., FIGS. 11, 15, 16, 18, 20), or commands to carry out those actions (e.g., configuration commands) (e.g., FIGS. 12, 22, 24), ¶ 0091).

As per claim 3, Sarkissian discloses wherein the user interface comprises a risk factors and mitigations panel that lists tactics for mitigating risk for the asset (i.e., Dashboard (10) can provide a summary view of determined risk(s) associated with a project, e.g., via a graphical user interface presented on an electronic display, or via another user interface, ¶ 0082. Dashboard (10) can provide various visualizations. Visualizations can include, but are not limited to: graphs with configurable filtering and timeframe options, heat maps, or a timeline representation showing when milestones were achieved (such as reaching compliance with a framework). Example heatmaps can plot risk, likelihood of an adverse event vs. the severity of that event, and associated costs for preventing or mitigating a risk, ¶ 0083).
As per claim 4, Sarkissian discloses wherein the user interface comprises an installed applications panel listing software applications installed upon the asset (i.e., "Risk Data" can include, but is not limited to: relevant sections of the platform or application or meta-information, ¶ 0039).
As per claim 5, Sarkissian discloses receiving a user interaction at a portion of a second user interface corresponding to the asset; wherein the user interface for the 
As per claim 6, Sarkissian discloses wherein the user interface comprises a risk score for the asset (i.e., In some examples, the Stream is configured to surface (e.g., present an indication of via a UI) risks of various importances (critical, high, medium, low, compliant) to a particular system (e.g., Client) on a per-system basis,  ¶ 0053, wherein system can determine risk scores. An example risk-scoring mechanism is: 1--critical, 2--high, 3--medium, 4--low, 5--compliant or N/A; another is a score of 1-3; still another is a score indicating likelihood versus impact. Some examples can use compute risk scores based at least in part on adding weights, likelihoods, or impacts of risks, or costs of remediations. Various examples standardize or index scores from different scales into grouped comparable data, ¶ 0054).
As per claim 7, Sarkissian discloses wherein the user interface comprises an indicator of a potential change in risk score if recommendations are implemented (i.e., The engine 502 will attempt to find a set of proposed treatments /solutions that, if implemented, would reduce the organization's risk score (e.g., unweighted or weighted by projected economic cost). Treatments /solutions can be unweighted or can be weighted by expected implementation costs). In some examples, the system can lower risk score in response to past data showing that the organization consistently and efficiently implements proposed treatments /solutions, or increase risk score in response to past data showing the organization does not do so, ¶ 0099).

Claims 15-20 are rejected based upon the same rationale as the rejection of claims 1-3 and 5-7, respectively, since they are the system claims corresponding to the method claims.

Conclusion
 	The prior art made of record and not relied upon, listed in the PTO-892, considered pertinent to applicant's disclosure, discloses risk analysis and management.

 	Any inquiry concerning this communication or earlier communications from the examiner should be directed to ANDRE D BOYCE whose telephone number is (571)272-6726.  The examiner can normally be reached on M-F 10a-6:30p.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Matthew Gart can be reached on (571) 272-3955.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.







/ANDRE D BOYCE/
Primary Examiner, Art Unit 3623
September 14, 2021