DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Status of Claims
	Claims 1-15 are pending.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 10/16/2020 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claim 8-11 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.  The claim(s) does/do not fall within at least one of the four categories of patent eligible subject matter because the claim recites “a controller comprising a processor in communication with a memory resource including instructions...”.  Under broadest reasonable interpretation, a “processor” can be interpreted as software per se, and a “memory resource” (as opposed to a “memory” itself), can be interpreted as e.g. the instructions within a memory (thus, a “memory resource”), i.e. software per 

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-6, 8, 10-11 is/are rejected under 35 U.S.C. 103 as being unpatentable over Neystadt et al (PGPUB 2020/0117808), and further in view of Patel et al (PGPUB 2018/0351987).

Regarding Claim 1:
Neystadt teaches a non-transitory computer readable medium containing instructions executable by a processor to cause the processor to (paragraph 77, 80, computer readable medium having computer readable program code embodied thereon and executable on a computer): 
determine information associated with a device, the information comprising (abstract, method and apparatus for assessing vulnerability in a system of electronic devices, comprises determining a distinguishing characteristic of a version of a computer program as installed in a usable format to distinguish that version from at least one further version; paragraph 49-52, scanning service receives list of devices to scan) firmware information (paragraph 22, method determines version of program or data entity; paragraph 45-50, 56-58, it is determined which libraries and their versions comprise a firmware binary), and security bulletin information (paragraph 45-48, scanning engine looks up in CVE database (Common Vulnerabilities and Exposures) a list of vulnerabilities known for each library version, CVE-id, description, and severity (can be viewed as associated security bulletin)); 
combine the information to determine a vulnerability state of the device (paragraph 59, after receiving scan output from all devices, the Scanning Service constructs a set of data (possibly in the form of a report), with information such as a list and number of affected devices, and how many devices are affected by each of the vulnerability or each severity—for example, 10% of devices have a critical vulnerability and 20% have moderate vulnerability); and 
create a report of the vulnerability state of the device, the report comprising information associated with the vulnerability state and associated security bulletin information (paragraph 59, after receiving scan output from all devices, the Scanning Service constructs a set of data (possibly in the form of a report), with information such as a list and number of affected devices, and how many devices are affected by each of the vulnerability or each severity—for example, 10% of devices have a critical vulnerability and 20% have moderate vulnerability).
Neystadt does not explicitly teach the information comprising device model information.
However, Patel teaches information comprising device model information (abstract, process of remediating device security vulnerabilities is carried out by determining identifications of electronic devices associated with an entity and calculating, for each device, a security cyber-vulnerability score; paragraph 64, cyber-vulnerability scoring component 216 scores medical device risk, which is used by the workflow component 214 to schedule remediation/mitigation activities and perform other workflow operations; the cyber-vulnerability scoring component 216 interacts with the data storage interface 206 to extract information from medical device threat and vulnerability library; paragraph 56, the medical device threat and vulnerability library 224 stores information that can include, but is not limited to, information from medical device manufacturers (e.g., validated software patch releases, security and/or operational alerts, device recall notifications, device end of life and end of support notifications (i.e. device model information), combinations thereof, etc.)).
It would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to combine the device support detection teachings of Patel with the vulnerability state analysis teachings of Neystadt.  It is well-known in the art that as devices age, new vulnerabilities are found, and updated versions of the software/firmware which operates the device must be created which overcome these detected vulnerabilities.  Failure to update the device leaves end users exposed to malicious agents which exploit known vulnerabilities or defects.  Therefore, it is beneficial to incorporate a determination as to whether a device is being actively supported to defend against vulnerabilities as part of an overall device vulnerability state analysis, in order to assist users and administrators in determining whether to replace or deactivate a device which will no longer be updated, thereby improving the security environment.

Regarding Claim 2:
Neystadt in view of Patel teaches the medium of claim 1.  In addition, Neystadt teaches wherein the instructions executable to combine the information to determine a vulnerability state comprise instructions executable to prioritize one of a plurality of vulnerability states of the device to be the vulnerability state of the device (paragraph 52-59, scanning service loops over list of devices, performing for each device: sending full list of signatures of firmware libraries on device to EndPointSecurity module on device to scan, invoking local vulnerability scanning engine to scan the firmware, outputting list of matched vulnerable libraries or vulnerabilities, and outputting to scanning device, which constructs set of data including whether device is affected by vulnerability and severity; vulnerability ranking done using ranking system (i.e. vulnerability state is prioritized from many possible states)).

Regarding Claim 3:
Neystadt in view of Patel teaches the medium of claim 1.  In addition, Patel teaches wherein the vulnerability state comprises the device having no known security bulletins associated therewith, the device having current firmware support, and the device having no more than one firmware revision out-of-date (paragraph 106, device level cyber-vulnerability score derived from medical device threat and vulnerability library; paragraph 56, medical device threat and vulnerability library comprises information from medical device manufacturers including e.g., validated software patch releases, security and/or operational alerts, device recall notifications, device end of life and end of support notifications, combinations thereof, etc.; information includes device vulnerability information reported to the Medical Device Vulnerability Intelligence Program for Evaluation and Response MD-VIPER database; therefore, cyber-vulnerability score (i.e. “vulnerability state”) considers whether or not a device has current support, whether or not there are known security bulletins, and/or whether or not there are available validated software patch releases (i.e. the software/firmware revision(s) are out of date); paragraph 97, information associated with patch, e.g. cyber-vulnerability score).
The rationale to combine Neystadt and Patel is the same as provided for claim 1 due to the overlapping subject matter between claims 1 and 3.

Regarding Claim 4:
Neystadt in view of Patel teaches the medium of claim 1.  In addition, Patel teaches wherein the vulnerability state comprises the device having no known security bulletins associated therewith, the device having current firmware support, and the device having a plurality of firmware revisions out-of-date (paragraph 106, device level cyber-vulnerability score derived from medical device threat and vulnerability library; paragraph 56, medical device threat and vulnerability library comprises information from medical device manufacturers including e.g., validated software patch releases, security and/or operational alerts, device recall notifications, device end of life and end of support notifications, combinations thereof, etc.; information includes device vulnerability information reported to the Medical Device Vulnerability Intelligence Program for Evaluation and Response MD-VIPER database; therefore, cyber-vulnerability score (i.e. “vulnerability state”) considers whether or not a device has current support, whether or not there are known security bulletins, and/or whether or not there are available validated software patch releases (i.e. the software/firmware revision(s) are out of date)).
The rationale to combine Neystadt and Patel is the same as provided for claim 1 due to the overlapping subject matter between claims 1 and 4.

Regarding Claim 5:
Neystadt in view of Patel teaches the medium of claim 1.  In addition, Patel teaches wherein the vulnerability state comprises the device having no known security bulletins associated therewith, and the device having no current firmware support (paragraph 106, device level cyber-vulnerability score derived from medical device threat and vulnerability library; paragraph 56, medical device threat and vulnerability library comprises information from medical device manufacturers including e.g., validated software patch releases, security and/or operational alerts, device recall notifications, device end of life and end of support notifications, combinations thereof, etc.; information includes device vulnerability information reported to the Medical Device Vulnerability Intelligence Program for Evaluation and Response MD-VIPER database; therefore, cyber-vulnerability score (i.e. “vulnerability state”) considers whether or not a device has current support and/or whether or not there are known security bulletins).


Regarding Claim 6:
Neystadt in view of Patel teaches the medium of claim 1.  In addition, Neystadt teaches wherein the vulnerability state comprises the device having a known security bulletin associated therewith (paragraph 59, data set includes devices affected by each of the vulnerability and severity; vulnerability ranking done using ranking system, such as CVSS, as indicated in original vulnerability database that was used to produce the signatures).

Regarding Claim 8:
Neystadt teaches a controller comprising a processor in communication with a memory resource including instructions executable to (paragraph 77, 80, computer readable medium having computer readable program code embodied thereon and executable on a computer): 
determine information associated with a plurality of devices, the information comprising (abstract, method and apparatus for assessing vulnerability in a system of electronic devices, comprises determining a distinguishing characteristic of a version of a computer program as installed in a usable format to distinguish that version from at least one further version; paragraph 49-52, scanning service receives list of devices to scan) firmware information  (paragraph 22, method determines version of program or data entity; paragraph 45-50, 56-58, it is determined which libraries and their versions comprise a firmware binary), and firmware security bulletin information (paragraph 45-48, scanning engine looks up in CVE database (Common Vulnerabilities and Exposures) a list of vulnerabilities known for each library version, CVE-id, description, and severity (can be viewed as associated security bulletin)); 
(paragraph 59, after receiving scan output from all devices, the Scanning Service constructs a set of data (possibly in the form of a report), with information such as a list and number of affected devices, and how many devices are affected by each of the vulnerability or each severity—for example, 10% of devices have a critical vulnerability and 20% have moderate vulnerability); and 
create a sortable report of the plurality of devices, the report comprising the vulnerability state of each one of the plurality of devices, a percentage of the devices having each one of the plurality of vulnerability states, and firmware security bulletin information for each one of the plurality of devices (paragraph 59, after receiving scan output from all devices, the Scanning Service constructs a set of data (possibly in the form of a report), with information such as a list and number of affected devices, and how many devices are affected by each of the vulnerability or each severity—for example, 10% of devices have a critical vulnerability and 20% have moderate vulnerability; list is therefore sorted).
Neystadt does not explicitly teach the information comprising device model information.
However, Patel teaches information comprising device model information (abstract, process of remediating device security vulnerabilities is carried out by determining identifications of electronic devices associated with an entity and calculating, for each device, a security cyber-vulnerability score; paragraph 64, cyber-vulnerability scoring component 216 scores medical device risk, which is used by the workflow component 214 to schedule remediation/mitigation activities and perform other workflow operations; the cyber-vulnerability scoring component 216 interacts with the data storage interface 206 to extract information from medical device threat and vulnerability library; paragraph 56, the medical device threat and vulnerability library 224 stores information that can include, but is not limited to, information from medical device manufacturers (e.g., validated software patch releases, security and/or operational alerts, device recall notifications, device end of life and end of support notifications (i.e. device model information), combinations thereof, etc.)).
It would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to combine the device support detection teachings of Patel with the vulnerability state analysis teachings of Neystadt.  It is well-known in the art that as devices age, new vulnerabilities are found, and updated versions of the software/firmware which operates the device must be created which overcome these detected vulnerabilities.  Failure to update the device leaves end users exposed to malicious agents which exploit known vulnerabilities or defects.  Therefore, it is beneficial to incorporate a determination as to whether a device is being actively supported to defend against vulnerabilities as part of an overall device vulnerability state analysis, in order to assist users and administrators in determining whether to replace or deactivate a device which will no longer be updated, thereby improving the security environment.

Regarding Claim 10:
Neystadt in view of Patel teaches the controller of claim 8.  In addition, Neystadt teaches wherein: 
the firmware information further comprises information associated with out-of-date firmware revisions (paragraph 22, method determines version of program or data entity; paragraph 45-50, 56-58, it is determined which libraries and their versions comprise a firmware binary; EndPointSecurity module determines whether libraries have existing vulnerabilities; paragraph 27, if a vulnerability is discovered after a device is released, firmware must be adapted, tested and rebuilt with the most recent version of the third-party library that fixes the vulnerability, i.e. firmware is out-of-date); and
Patel teaches the device model information further comprises information associated with active firmware support of the device model (paragraph 56, the medical device threat and vulnerability library 224 stores information that can include, but is not limited to, information from medical device manufacturers (e.g., validated software patch releases, security and/or operational alerts, device recall notifications, device end of life and end of support notifications (i.e. device model information), combinations thereof, etc.)). 
The rationale to combine Neystadt and Patel is the same as provided for claim 8 due to the overlapping subject matter between claims 8 and 10.

Regarding Claim 11:
Neystadt in view of Patel teaches the controller of claim 8.  In addition, Neystadt teaches wherein the instructions executable to determine firmware security bulletin information comprise instructions executable to determine which of the plurality of devices has a firmware security bulletin associated therewith (paragraph 45-48, scanning engine looks up in CVE database (Common Vulnerabilities and Exposures) a list of vulnerabilities known for each library version, CVE-id, description, and severity (can be viewed as associated security bulletin)).

Claim 7 is/are rejected under 35 U.S.C. 103 as being unpatentable over Neystadt in view of Patel, and further in view of Bowman et al (PGPUB 2017/0118014).

Regarding Claim 7:
Neystadt in view of Patel teaches the medium of claim 1.
Neither Neystadt nor Patel explicitly teaches wherein the vulnerability state comprises an unknown vulnerability state in response to the device having insufficient information associated therewith.
(abstract, system used to provide security assurance information; paragraph 30, in some cases, a security assurance character can be determined to be unknown; for example, if the RA does not have access of the security assurance character associated with the UE).
	It would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to combine the unknown vulnerability state teachings of Bowman with the vulnerability state analysis teachings of Neystadt in view of Patel, in order to assign a specific classification to new or difficult to measure devices, thereby improving security by preventing unknown devices from being able to participate in secure activities merely because they had not yet been rated.

Claim 9 is/are rejected under 35 U.S.C. 103 as being unpatentable over Neystadt in view of Patel, and further in view of Pilkington et al (PGPUB 2019/0044969).

Regarding Claim 9:
Neystadt in view of Patel teaches the controller of claim 8.  Neither Neystadt nor Patel explicitly teaches wherein the plurality of devices comprises a plurality of printing devices.
However, Pilkington teaches the concept wherein a plurality of devices comprises a plurality of printing devices (abstract, computing aggregate risk score over population of entities with associated security risk score; entity populations include printers).
It would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to combine the printing device teachings of Pilkington with the vulnerability state analysis teachings of Neystadt in view of Patel, in order to apply the vulnerability state analysis to a broader range of network attached devices, thereby improving system/network security by preventing .

Claim 12 is/are rejected under 35 U.S.C. 103 as being unpatentable over Neystadt in view of Patel, and further in view of Clark et al (PGPUB 2015/0358345).

Regarding Claim 12:
Neystadt in view of Patel teaches the controller of claim 8.  In addition, Patel teaches the controller, further comprising instructions executable to display the report via a graphical user interface (paragraph 74, cyber-vulnerability scoring is also displayed in a user dashboard, thus the cyber-vulnerability scoring and threat modeling algorithm 310 (or at least the output thereof) is also communicably coupled to a graphical user interface (GUI) 316), the display comprising: 
a list of the plurality of devices (paragraph 186, dashboard that electronically displays a vulnerability status of medical devices, integrating into the dashboard, navigable elements that enable a user to drive through multiple views, including a whole organization view, a specific department view, a specific type of electronic medical device view, writing to a central repository, at least one report of available patches, and vulnerable devices, combinations thereof, etc.); and 
for each one of the plurality of devices: 
a number of associated out-of-date firmware revisions (paragraph 186, report of available patches; this indicates firmware is out-of-date).
a current device support status (paragraph 186, report of available patches).
The rationale to combine Neystadt and Patel is the same as provided for claim 8 due to the overlapping subject matter between claims 8 and 12.
Neither Neystadt nor Patel explicitly teaches the display comprising:

a count of associated firmware security bulletins.
However, Clark teaches the concept of a display comprising:
for each one of a plurality of devices: 
a count of associated firmware security bulletins (paragraph 18, system monitors sensor alert information of multiple sensors, and provides interface for alert summary and detailed alert information to be transmitted to a user; paragraph 24, remote sensor collects security alerts and reports them to user in a summary count by severity, as well as detailed alert information if requested; paragraph 26, ability to display information).
It would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to combine the security bulletin count teachings of Clark with the vulnerability state analysis teachings of Neystadt in view of Patel, in order to provide a user with a quick overview of system health by correlating alerts/bulletins into a single count, thereby allowing a user to make rapid and efficient decisions as to where to focus security improvement efforts based on the targeting systems with the most vulnerabilities.

Claims 13-15 is/are rejected under 35 U.S.C. 103 as being unpatentable over Neystadt, and further in view of Carpenter et al (PGPUB 2016/0232359) and Wiggs et al (PGPUB 2016/0006641).

Regarding Claim 13:
Neystadt teaches a method, comprising: 
determining information associated with each one of a plurality of devices, the information comprising (abstract, method and apparatus for assessing vulnerability in a system of electronic devices, comprises determining a distinguishing characteristic of a version of a computer program as installed in a usable format to distinguish that version from at least one further version; paragraph 49-52, scanning service receives list of devices to scan): 
whether a firmware revision of each one of the plurality of devices is out-of-date (paragraph 22, method determines version of program or data entity; paragraph 45-50, 56-58, it is determined which libraries and their versions comprise a firmware binary; EndPointSecurity module determines whether libraries have existing vulnerabilities; paragraph 27, if a vulnerability is discovered after a device is released, firmware must be adapted, tested and rebuilt with the most recent version of the third-party library that fixes the vulnerability, i.e. firmware is out-of-date); and 
whether each one of the plurality of devices has a firmware security bulletin associated therewith (paragraph 45-48, scanning engine looks up in CVE database (Common Vulnerabilities and Exposures) a list of vulnerabilities known for each library version, CVE-id, description, and severity (can be viewed as associated security bulletin)); 
determining for each one of the plurality of devices a vulnerability state of a plurality of vulnerability states based on a combination of the information associated with each one of the plurality of devices (paragraph 59, after receiving scan output from all devices, the Scanning Service constructs a set of data (possibly in the form of a report), with information such as a list and number of affected devices, and how many devices are affected by each of the vulnerability or each severity—for example, 10% of devices have a critical vulnerability and 20% have moderate vulnerability); 
creating a report of the plurality of devices, the report comprising the vulnerability state of each one of the plurality of devices, a percentage of the devices having each one of the plurality of vulnerability states, and firmware security bulletin information for each one of the plurality of devices (paragraph 59, after receiving scan output from all devices, the Scanning Service constructs a set of data (possibly in the form of a report), with information such as a list and number of affected devices, and how many devices are affected by each of the vulnerability or each severity—for example, 10% of devices have a critical vulnerability and 20% have moderate vulnerability).
Neystadt does not explicitly teach the information comprising whether firmware of each one of the plurality of devices is actively supported.
However, Carpenter teaches the concept of information comprising whether firmware of each one of a plurality of devices is actively supported (abstract, method of patch monitoring and analysis; paragraph 34, solution to evaluate current patch/update status of firmware; paragraph 53-54, output shows for each software on a device, status of software with respect to patch versions, e.g. patch collector notes which versions are considered “deprecated” (i.e. no longer supported), and which versions are “outdated”, i.e. have a more current patch, i.e. are actively supported); and
displaying a report via a graphical user interface (paragraph 38, risk dashboard 205 that provides a user interface so that the user can view reports 220 and other information from the patch analysis 215 and can configure the patch analysis 215).
It would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to combine the firmware support detection teachings of Carpenter with the vulnerability state analysis teachings of Neystadt.  It is well-known in the art that as software/firmware ages, new vulnerabilities are found, and updated versions of the software/firmware must be created which overcome these detected vulnerabilities.  Failure to update the software/firmware leaves end users exposed to malicious agents which exploit known vulnerabilities.  Therefore, it is beneficial to incorporate a determination as to whether software/firmware is being actively patched or upgraded to defend against vulnerabilities as part of an overall device vulnerability state analysis, in order to assist users and administrators in determining whether to change software or deactivate a device which will no longer be updated, thereby improving the security environment.

However, Wiggs teaches the concept of displaying a report such that the report is interactive and sortable by particular categories (abstract, system for diagnosing state of a device; paragraph 17, all reports are aggregated to or in a server, which allows the network administrator access to the details of all the reports generated within their system; according to embodiments, the network administrator can filter and sort all reports based on many factors including, e.g., time, device type, wireless network used, phone number, issue severity, and probable root cause; this allows a network administer to focus on emergent and severe issues).
It would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to combine the report sorting teachings of Wiggs with the vulnerability state analysis teachings of Neystadt in view of Carpenter.  It is well-known in the art to generate displays of information with sortable categories in order to present information to a user in a way which is useful or intuitive to said user.  Therefore, allowing a user to sort report categories provides the benefit of improved user convenience and improved ability to read and act upon reported data.  As the data in the reports of Neystadt, Carpenter, and Wiggs relate to device security state, providing a means for a user to more easily interpret security data therefore further improves the security environment.

Regarding Claim 14:
Neystadt in view of Carpenter and Wiggs teaches the method of claim 13.  In addition, Neystadt teaches wherein determining whether each one of the plurality of devices has a firmware security bulletin associated therewith comprises associating known firmware security bulletins with a particular firmware release associated with each one of the plurality of devices (paragraph 45-48, Scanning engine needs to perform the following logic: receive a set of pre-generated vulnerability signatures and a firmware image; perform a firmware binary scan, outputting a list of matching libraries and their versions; look up in the CVE database (A) a list of vulnerabilities known for each library version, its CVE-id, description and severity).

Regarding Claim 15:
Neystadt in view of Carpenter and Wiggs teaches the method of claim 13, further comprising: 
receiving a request from a user, via the graphical user interface, to sort the report by an associated firmware security bulletin, number of out-of-date firmware revisions, or a common vulnerability scoring system score (abstract, system for diagnosing state of a device; paragraph 17, all reports are aggregated to or in a server, which allows the network administrator access to the details of all the reports generated within their system; according to embodiments, the network administrator can filter and sort all reports based on many factors including, e.g., time, device type, wireless network used, phone number, issue severity (i.e. vulnerability score), and probable root cause; this allows a network administer to focus on emergent and severe issues; paragraph 172, method displays, sorts, and filters reports); 
sorting the report responsive to the request (paragraph 17, network administrator sorts all reports based on factors including issue severity); and 
displaying the sorted report via the graphical user interface (paragraph 172, method displays reports; reports are sorted).
The rationale to combine Neystadt and Wiggs is the same as provided for claim 13 due to the overlapping subject matter between claims 13 and 15.

Conclusion

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok Patel can be reached on 5712723972. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/FORREST L CAREY/Examiner, Art Unit 2491                                                                                                                                                                                                        

/ASHOKKUMAR B PATEL/Supervisory Patent Examiner, Art Unit 2491