DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claim Objections
Claims 3-5, 9 and their corresponding claims are objected to because of the following informalities:  various grammatical errors and typos.  Appropriate correction is required.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Claims 1-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being incomplete for omitting essential structural cooperative relationships of elements, such omission amounting to a gap between the necessary structural connections. See MPEP § 2172.01. The omitted structural cooperative relationships are: claim 1 and other independent claims show a gap between the limitations reciting “receive,…, a list of internet protocol (IP) addresses..” and “determine, …whether…” with the other limitations that follow such as “generate…; execute…; receive…; transmit…;” and others. For example, how do the IP .
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 2, 5, 8-12, 15, and 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over Cole et al. (US 2012/0144493 A1, hereinafter Cole) in view of Newman (US 2010/0050249 A1, hereinafter Newman) and in further view of Anand et al. (US 2011/0258478 A1, hereinafter Anand) with Bazalgette et al. (US 2020/0358792 A1, hereinafter Bazalgette) for inherency.
Regarding claim 1, Cole teaches a network segmentation effectiveness system, [Figure 13 as an example], comprising: an electronic memory; an interactive user interface that receives user input via a communication network; and a computer processor coupled to the electronic memory and the interactive user interface, [Figure 13] and further programmed to execute the following functions: 
receive, by an electronic input, a list of internet protocol (IP) addresses for information technology (IT) assets within a defined scope, [Par.[0045] describes receiving IP address ranges for scanning and Figure 18]; 
generate, by the computer processor, a notification of a segmentation scan; execute, by the computer processor, a plurality of segmentation scans using a plurality of software agents, wherein the computer processor is programmed to deploy and orchestrate the software agents across multiple network tiers, [claim does not recite to whom the notification is generated for; Par.[0045] describes a plurality of segmentation scans with batches of IP addresses on the target network running in parallel; Par.[0047] describes a scanning module; see Figure 12 and Figure 18 for scanning in batches in parallel; Abstract describes hierarchical (multi-tier) representation for a target network]; 
receive, by the communication network, results from the plurality of segmentation scans, [Par.[0047] describes a vulnerability record management module that receives scanning results; Figures 3, 6, 10, 11, 22-25, 28, 29 show reporting after receiving scanning results];
transmit, by the communication network, the results of the plurality of segmentation scans to a penetration test reporting module, [Par.[0047] describes a vulnerability record management module that receives scanning results; Figures 3, 6, 10, 11, 22-25, 28, 29 show reporting after receiving scanning results];
automatically generate, by the computer processor, a report from the results of the segmentation scan, [Figures 3, 6, 10, 11, 22-25, 28, 29 show reporting after receiving scanning results]; and
automatically post, by the user interface, the report for authorized users to access, [Figures 3, 6, 10, 11, 22-25, 28, 29 show reporting after receiving scanning results and some with GUI for a user];
Cole does not explicitly teach (scanning) from outside a cardholder data environment (CDE); a corresponding scope including one or more parameters (for the list of assets for scanning);
Newman explicitly teaches generating a notification (to SOC) and (scanning) from outside a cardholder data environment (CDE); a corresponding scope including one or more parameters (for scanning), [Abstract: a display unit to provide compliance information on a secure basis, a back-end unit to automate and manage compliance-related tasks and data security events, and a control unit to monitor compliance performance in real-time and to implement required procedures to ensure compliance with data security standards; Par.[0033] describes back-end PCI compliance infrastructure automating tasks that ensure the integrity of controls deployed at the stores; Par.[0038]-[0039] describe a CDE and also describing the scope of the target network for PCI compliance]
it would have been obvious to one of ordinary skill in the art to modify Cole to define CDE with a known scope as taught by Newman. The motivation/suggestion would have been to comply with required procedures to ensure compliance with data security standards, [Newman: Abstract];
Cole teaches information technology service management (ITSM) identifier, [Figure 15 shows ticket management interface with ticket ID information (ITSM identifier) for the scanning and vulnerability assessment task], and is inherent about classless inter-domain routing (CIDR) format for the IP addresses but does not explicitly teach (to) determine, by the computer processor, whether an associated with the list of IP addresses for IT assets and an information technology service management (ITSM) identifier refer to the same list of assets, [CIDR is inherent in Cole, See MPEP 2131.01.III]; 
Anand teaches (to) determine, by the computer processor, whether an associated with the list of IP addresses for IT assets and an information technology service management (ITSM) identifier refer to the same list of assets and a corresponding scope including one or more parameters, [claim language is vague and the specification does not offer any substantive details other than to say that the ticket information is verified against the scan list, for example in Par.[0031] of Applicant’s specification; Abstract and elsewhere in Anand describe comparing intercepted command information (scan list) with a corresponding change ticket (ITSM ticket) to make sure that they both represent the same information];
it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Cole to verify ITSM information. The motivation/suggestion would have been to minimize errors in the change actions or commands executed by users, [Anand: Par.[0004]-[0005]];
Bazalgette shows CIDR format for IP addresses in network scanning processes and shows evidence for inherency of this feature in Cole, [See Par.[0139] describing IP address space (for scanning) can represent an IP address range, or Classless Inter-Domain Routing (CIDR) address range]. 

Claim 11 is a method claim corresponding to system claim 1 and is rejected as above.
Regarding claim 2, combined teachings of Cole, Newman, and Anand disclose the system of claim 1 and Cole teaches wherein the function to receive results from the plurality of segmentation scans further comprises: automatically interpret and certify the results of the plurality of segmentation scans, [claim language is incomplete because it is not clear what ‘certify’ is referring to; scanning results are analyzed and reported in multiple ways as shown in Figures 3, 6, 10, 11, 22-25, 28, 29 reporting after receiving scanning results and some with GUI for a user; if the certification is referring to PCI compliance, Newman reference teaches the same as noted in claim 1]. 
Regarding claim 5, combined teachings of Cole, Newman, and Anand disclose the system of claim 1 and Cole teaches wherein the function of execute a plurality of segmentation scans further comprises: replicate one or more scans via one or more software agents from the plurality of software agents from the plurality of software agents, [Par.[0045] and Figure 18 support the claim limitation].
Regarding claim 8, combined teachings of Cole, Newman, and Anand disclose the system of claim 1 and Cole teaches wherein the plurality of software agents fetch instructions comprising one or more of: a request to perform a host discovery scan against a specific network, [Par.[0077] describes host discovery scan], provide past scan results and perform a tear-down process to uninstall a software agent.
Regarding claim 9, combined teachings of Cole, Newman, and Anand disclose the system of claim 1 and Newman teaches wherein the notification is sent to a security operations center (SOC), [dependent claim is obvious over Cole in view of Newman for the same reasons set forth in claim 1; SOC is interpreted under BRI as a PCI compliance architecture and Abstract and Par.[0032]-[0033] in Newman describe a security portal and back-end unit].
Regarding claim 10, combined teachings of Cole, Newman, and Anand disclose the system of claim 1 and Newman teaches wherein the defined scope relates to one or more Payment Card Information Data Security Standard (PCI DSS) requirements, [dependent claim is obvious over Cole in view of Newman for the same reasons set forth in claim 1; Par.[0002] describes PCI DSS requirements]. 
Claims 12, 15, and 18-20 are corresponding claims to claims 2, 5, and 8-10, respectively, and are rejected as above.
Claims 3, 4, 13, and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Cole in view of Newman and Anand, and in further view of Gula et al. (US 2005/0229255 A1, hereinafter Gula).
Regarding claim 3, combined teachings of Cole, Newman, and Anand disclose the system of claim 1 and they do not explicitly teach wherein the function of execute a plurality of segmentation scans further comprises: perform a collaborative gap analysis identifies one or more external scan results gaps;
Gula in an analogous art, teaches wherein the function of execute a plurality of segmentation scans further comprises: perform a collaborative gap analysis identifies one or more external scan results gaps, [Par.[0061] describes identifying “gaps” in active scans];
it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Cole to identify gaps in periodic scanning. The motivation/suggestion would have been to mitigate security risks through identifying gaps and addressing vulnerabilities, [Gula: Abstract].
Regarding claim 4, combined teachings of Cole, Newman, Anand, and Gula disclose the system of claim 3, and Gula teaches wherein the function of execute a plurality of segmentation scans further comprises: perform an orchestrated scanning that performs rapid scans on the one or more external scan results gaps, [dependent claim is obvious over modified Cole in view of Gula for the same reasons as above; Par.[0061] describes using passive scanning (~rapid scans) to mitigate gaps between active scans]. 
Claims 13 and 14 are corresponding claims to claims 3 and 4, respectively, and are therefore rejected as above.
Claims 6 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Cole in view of Newman and Anand, and in further view of Ionescu et al. (US 2017/0085579 A1, hereinafter Ionescu).
Regarding claim 6, combined teachings of Cole, Newman, and Anand disclose the system of claim 1 and they do not explicitly teach wherein the plurality of software agents are deployed to one or more sub-networks comprising a demilitarized zone (DMZ) network;
Ionescu in an analogous art, teaches wherein the plurality of software agents are deployed to one or more sub-networks comprising a demilitarized zone (DMZ) network, [Figure 1 shows security devices in a DMZ that include scan function, see Par.[0021]];
it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Cole to include devices with scanning function in a DMZ. The motivation/suggestion would have been to assess interfaces of systems for vulnerabilities and also provide emergency scan facilities at the border between secure and unsecure zones, [Ionescu: Par.[0021]]. 
Claim 16 is a corresponding claim to claim 6 and is therefore rejected as above.
Claims 7 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Cole in view of Newman and Anand, and in further view of Schrecker et al. (US 2013/0174246 A1, hereinafter Schrecker).
Regarding claim 7, combined teachings of Cole, Newman, and Anand disclose the system of claim 1 and they do not explicitly teach wherein the plurality of software agents are deployed to one or more sub-networks comprising a cloud network;
Schrecker in an analogous art, teaches wherein the plurality of software agents are deployed to one or more sub-networks comprising a cloud network, [Figures 3-6 show various configurations where scanners are deployed in a cloud];
it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Cole to include cloud-based scanning or computer vulnerabilities in a network environment. The motivation/suggestion would have been a cloud-based automated service that would alleviate the burden of maintenance and control of network environment by IT administrators, [Schrecker: Par.[0002]].
Claim 17 is a corresponding claim to claim 7 and is therefore rejected as above.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to PADMA MUNDUR whose telephone number is (571)272-5383.  The examiner can normally be reached on 9:30 AM to 6:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Wing Chan can be reached on 571 272 7493.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/PADMA MUNDUR/Primary Examiner, Art Unit 2441