DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 11-15 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.  The claim(s) does/do not fall within at least one of the four categories of patent eligible subject matter. 
Regarding claim 11, the claimed invention is directed to non-statutory subject matter because it is drawn to a computer readable medium. Claim 11 provides “A computer program product, the computer program product comprising a computer-readable storage medium having computer-readable program code embodied therewith”. The claim does not fall within at least one of the four categories of patent eligible subject matter because the recitation of a computer program product encompasses transitory forms of signal transmission or carrier waves. The broadest interpretation of the claim covers transitory signals, and signals do not fall within the four categories of invention. Therefore, claim 11 is directed to non-statutory subject matter. See for example In re Nuijten, 500 F.3d 1346, 1356-57 (Fed. Cir. 2007) (transitory embodiments are not directed to statutory subject matter) and Interim Examination Instructions for Evaluating Subject Matter Eligibility Under 35 U.S.C. § 101, Aug. 24, 2009; p. 2.

Regarding claims 12-15, the additional recited limitations fail to cure the deficiencies of their parent claim 11 and therefore inherit the rejection.



Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-15 are rejected under 35 U.S.C. 103 as being unpatentable over Garrett et al. (US 20210194929) hereinafter Garrett in view of Goyal et al. (US 20180084009) hereinafter Goyal.
Regarding claim 1, Garrett teaches a method for migrating security benchmark compliance content from a source platform to a target platform (see [0042]: the STIG compliance service 130 (i.e. source) can send the configuration compliance package 116 over a network 118 to the client computer 120.  The configuration compliance package 116 can then be deployed to a computer system 122b-c (i.e. target) to evaluate configuration settings of system components 124b-c located on the computer system 122b-c), the method comprising:
filtering a set of configuration parameters in a source platform to a subset of configuration parameters each corresponding to a respectively different entry in a security checklist of a security benchmark (see Fig. 2 steps 208-210 and [0019-20]: For example, the STIG processing module 106 may cause a STIG file 112 to be parsed to identify individual security configuration rules specifying configuration 
presenting in a user interface, a listing of each of the configuration parameters (see [0040]: The STIG compliance service 130 may allow users, via a user interface, to request a configuration compliance package 116 for a specific computer system configuration, or for a specific system component 124a-c. For example, a user, via a client computer 120, can select a system configuration from a list of system configurations (e.g., list of operating systems, software applications, etc.) or provide system configuration details (e.g., operating system type and version, software application type and version, etc.), and the user can request a configuration compliance package 116 for the system configuration) and, for each one of the configuration parameters, a corresponding entry in the security checklist regulating the one of the configuration parameters according to a range of values (see [0026]: the STIG configuration module 108 can be configured to generate configuration implementation packages 114 directed to specific system components 124a-c of computer systems 122a-c … A configuration implementation package 114 can contain instructions (e.g., source code or bytecode) that, when executed by a processor, sets or modifies configuration values of one or more system components 124a-c to values specified by one or 
applying the configuration parameters in the subset to a target platform (see [0011]: In another example, the configuration compliance package can be transferred over a computer network to a computing device that hosts the computer system; [0033]: the STIG compliance service 130 can deploy a configuration implementation package 114 directly to a computer system 122a that is in network communication with the STIG compliance service 130.  In one example, a user, via a client computer 120, can request that the STIG compliance service 130 generate a configuration implementation package 114 directed to one or more system components 124a located on the computer system 122a and deploy the configuration implementation package 114 to the computer system 122a).
However, the Garrett reference does not explicitly teach a method wherein the configuration parameters in the subset are applied to a target resource excepting for at least one of the configuration parameters and for the at least one of the configuration parameters, instead receiving as input in the user interface an alternative value within the range of values of the corresponding entry in the security checklist and applying the alternative value to the target platform in lieu of the at least one of the configuration parameters.
In the same field of endeavor, Goyal teaches a method in accordance with the present invention, the method to provide resource security and configured to:
apply the configuration parameters to a target platform except for at least one of the configuration parameters and for the at least one of the configuration parameters, instead receiving as input in the user interface an alternative value within the range of values of the corresponding entry in the security checklist and 
Accordingly, it would have been obvious to one of ordinary skill in the art before the effective filing date of the present invention to modify the teachings of Garrett suggesting a method for determining compliance with STIG standards with the method of Goyal suggesting receiving as input in the user interface an alternative value within a range of values and applying the alternative value to the target platform in lieu of the at least one of the configuration parameters. Doing so would have provided numerous benefits to the system of Garrett, namely improving methods and making less cumbersome ways for managing target resources configuration for security benchmark compliance, and providing the best solutions for the remediation of defects and/or vulnerabilities to comply with the enabled rules of the security benchmark.

Regarding claim 2, Garrett in view of Goyal is applied as disclosed in claim 1 examined above. The combination of Garrett and Goyal teaches a method for migrating security benchmark compliance content from a source platform to a target platform. Goyal further teaches a method comprising:
determining that one of the configuration parameters in the subset falls outside of the range of values specified by the corresponding entry in the security checklist and thus is non-compliant with respect to the security benchmark (see [0042]: the monitor function of the security accessory monitors the target resource for non-compliant configuration changes and reports them via the interface 308 as they occur, as further described with reference to FIG. 7; see also Fig. 4 steps 404-406 and [0047]: At block 404, the example assessor 302 tests (e.g., evaluates) the one or more benchmarks against a target resource … If the example assessor 302 identifies resource insufficiencies based on the output of block 404 (block 406: YES), the control proceeds to block 408);
prompting in the user interface to accept the non-compliant one of the configuration parameters (see Fig. 7 step 718 and [0052]: At block 718, the example communicator 306 sends an alert for presentation to a user via the interface 308. In some examples, the alert notifies users of compliant status of the resource (e.g., compliance and/or non-compliance)); and
applying the non-compliant one of the configuration parameters to the target platform (see Fig. 7 step 720 and [0052]: completing the security assessment of the target resource).

Regarding claim 3, Garrett in view of Goyal is applied as disclosed in claim 1 examined above. The combination of Garrett and Goyal teaches a method comprising filtering a set of 

Regarding claim 4, Garrett in view of Goyal is applied as disclosed in claim 1 examined above. The combination of Garrett and Goyal further teaches a method wherein the filtering is performed by searching the security benchmark for an entry in the security checklist corresponding to each one of the configuration parameters and including in the subset, only ones of the configuration parameters for which a corresponding entry in the security checklist is located (see [0019]: the STIG processing module 106 may cause a STIG file 112 to be parsed to identify individual security configuration rules specifying configuration settings for various system components 124a-c (e.g., operating systems, applications, programmable hardware, etc.) and correlate the security configuration rules to the system components 124a-c).

Regarding claim 5, Garrett in view of Goyal is applied as disclosed in claim 1 examined above. The combination of Garrett and Goyal teaches a method for migrating security benchmark compliance content from a source platform to a target platform. Furthermore, Garrett teaches a method wherein the security benchmark is a Security Technical Implementation Guide (STIG) (see [0009, 10]: Garrett teaches a technology for determining compliance with security technical implementation guide (STIG) … a STIG compliance service may be used to evaluate computer systems for compliance with STIG standards.  The STIG compliance service may be configured to generate a configuration compliance package containing one or more computer scripts that evaluate configuration settings of one or more system components of a particular computer system to determine whether the values of the configuration settings correspond to STIG standards for the system components). 

Regarding claim 6, Garrett teaches a data processing system configured for migrating security benchmark compliance content from a source platform to a target platform, the system comprising: 
a host computing platform comprising one or more computers, each with memory and at least one processor (see Fig. 1 item 100); and 
a security benchmark compliant migration module (see Fig. 1 box 102a) comprising computer program instructions enabled upon execution in the host computing platform to perform: 
filtering a set of configuration parameters in a source platform to a subset of configuration parameters each corresponding to a respectively different entry in a security checklist of a security benchmark (see Fig. 2 steps 208-210 and [0019-20]: For example, the STIG processing module 106 may cause a STIG file 112 to be parsed to identify individual security configuration rules specifying configuration settings for various system components 124a-c (e.g., operating systems, applications, programmable hardware, etc.) and correlate the security 
presenting in a user interface presented in a display of the host computing platform, a listing of each of the configuration parameters (see [0040]: The STIG compliance service 130 may allow users, via a user interface, to request a configuration compliance package 116 for a specific computer system configuration, or for a specific system component 124a-c. For example, a user, via a client computer 120, can select a system configuration from a list of system configurations (e.g., list of operating systems, software applications, etc.) or provide system configuration details (e.g., operating system type and version, software application type and version, etc.), and the user can request a configuration compliance package 116 for the system configuration) and, for each one of the configuration parameters, a corresponding entry in the security checklist regulating the one of the configuration parameters according to a range of values (see [0026]: the STIG configuration module 108 can be configured to generate configuration implementation packages 114 directed to specific system components 124a-c of computer systems 122a-c … A configuration implementation package 114 can contain instructions (e.g., source code or bytecode) that, when executed by a processor, sets or modifies configuration values of one or more system components 124a-c to values specified by one or more STIG standards 104; [0027]: a configuration implementation package 114 
applying the configuration parameters in the subset to a target platform (see [0011]: In another example, the configuration compliance package can be transferred over a computer network to a computing device that hosts the computer system; [0033]: the STIG compliance service 130 can deploy a configuration implementation package 114 directly to a computer system 122a that is in network communication with the STIG compliance service 130.  In one example, a user, via a client computer 120, can request that the STIG compliance service 130 generate a configuration implementation package 114 directed to one or more system components 124a located on the computer system 122a and deploy the configuration implementation package 114 to the computer system 122a).
However, Garrett fails to explicitly disclose a system comprising:
applying the configuration parameters to a target platform excepting for at least one of the configuration parameters and for the at least one of the configuration parameters, instead receiving as input in the user interface an alternative value within the range of values of the corresponding entry in the security checklist and applying the alternative value to the target platform in lieu of the at least one of the configuration parameters.
In the same field of endeavor, Goyal teaches a system in accordance with the present invention, the system adapted to perform a method to provide resource security and configured to:
apply the configuration parameters to a target platform except for at least one of the configuration parameters and for the at least one of the configuration parameters, instead receiving as input in the user interface an alternative value 
Accordingly, it would have been obvious to one of ordinary skill in the art before the effective filing date of the present invention to modify the teachings of Garrett suggesting an apparatus for determining compliance with STIG standards with the system of Goyal suggesting receiving as input in the user interface an alternative value within a range of values and applying the alternative value to the target platform in lieu of the at least one of the configuration parameters. Doing so would have provided numerous benefits to the system of Garrett, namely improving methods and making less cumbersome ways for managing target resources configuration for security benchmark compliance, and providing the best solutions for the

Regarding claims 7 and 12, they disclose the same limitations as claim 2 examined above. Therefore, the same rationale of rejection is applied.

Regarding claims 8 and 13, they disclose the same limitations as claim 3 examined above. Therefore, the same rationale of rejection is applied.

Regarding claims 9 and 14, they disclose the same limitations as claim 4 examined above. Therefore, the same rationale of rejection is applied.

Regarding claims 10 and 15, they disclose the same limitations as claim 5 examined above. Therefore, the same rationale of rejection is applied.

Regarding claim 11, Garrett teaches a computer program product for migrating security benchmark compliance content from a source platform to a target platform, the computer program product including a computer readable storage medium having program instructions embodied therewith, the program instructions executable by a device to cause the device to perform a method including: 
filtering a set of configuration parameters in a source platform to a subset of configuration parameters each corresponding to a respectively different entry in a security checklist of a security benchmark (see Fig. 2 steps 208-210 and [0019-20]: For example, the STIG processing module 106 may cause a STIG file 112 to be parsed to identify individual security configuration rules specifying configuration settings for various system components 124a-c (e.g., operating systems, 
presenting in a user interface, a listing of each of the configuration parameters and for each one of the configuration parameters, a corresponding entry in the security checklist regulating the one of the configuration parameters according to a range of values (see [0040]: The STIG compliance service 130 may allow users, via a user interface, to request a configuration compliance package 116 for a specific computer system configuration, or for a specific system component 124a-c. For example, a user, via a client computer 120, can select a system configuration from a list of system configurations (e.g., list of operating systems, software applications, etc.) or provide system configuration details (e.g., operating system type and version, software application type and version, etc.), and the user can request a configuration compliance package 116 for the system configuration) and, for each one of the configuration parameters, a corresponding entry in the security checklist regulating the one of the configuration parameters according to a range of values (see [0026]: the STIG configuration module 108 can be configured to generate configuration implementation packages 114 directed to specific system components 124a-c of computer systems 122a-c … A configuration implementation package 114 can contain instructions (e.g., source code or bytecode) that, when executed by a processor, sets or modifies configuration 
applying the configuration parameters in the subset to a target platform (see [0011]: In another example, the configuration compliance package can be transferred over a computer network to a computing device that hosts the computer system; [0033]: the STIG compliance service 130 can deploy a configuration implementation package 114 directly to a computer system 122a that is in network communication with the STIG compliance service 130.  In one example, a user, via a client computer 120, can request that the STIG compliance service 130 generate a configuration implementation package 114 directed to one or more system components 124a located on the computer system 122a and deploy the configuration implementation package 114 to the computer system 122a).
However, Garrett fails to explicitly disclose a system comprising:
applying the configuration parameters to a target platform excepting for at least one of the configuration parameters and for the at least one of the configuration parameters, instead receiving as input in the user interface an alternative value within the range of values of the corresponding entry in the security checklist and applying the alternative value to the target platform in lieu of the at least one of the configuration parameters.
In the same field of endeavor, Goyal teaches a system in accordance with the present invention, the system adapted to perform a method to provide resource security and configured to:
apply the configuration parameters to a target platform except for at least one of the configuration parameters and for the at least one of the configuration parameters, instead receiving as input in the user interface an alternative value within the range of values of the corresponding entry in the security checklist and applying the alternative value to the target platform in lieu of the at least one of the configuration parameters (see steps 406-408 in Fig. 4, steps 808-820 in Fig. 8 and [0053-54]: At block 808, the example assessor 302 instructs the target resource to monitor for changes in configurations that could affect benchmark compliance.  At block 810, the target resource monitors for changes … If the example assessor 302 identifies a defect or insufficiency (block 818: YES), control proceeds to block 820.  At block 820, the example remediator 304 instructs the example communicator 306 to send remediation actions to the target resource (i.e. applying an alternative value to the target platform).  The remediation actions are then executed at the target resource to bring the target resource into compliance with the corresponding policy; additionally, Garrett teaches in [0055]: the example communicator 306 sends an alert for presentation to a user via the interface 308 identifying one or more defects or insufficiencies.  At block 912, the user selects one or more of the defects or insufficiencies for remediation (i.e. receiving as input in the user interface an alternative value).  At block 914, the example remediator 304 instructs the example communicator 306 to send remediation actions rules to the target resource based on the user selected defects or insufficiencies.) 
Accordingly, it would have been obvious to one of ordinary skill in the art before the effective filing date of the present invention to modify the teachings of Garrett suggesting an apparatus for determining compliance with STIG standards with the system of Goyal suggesting receiving as input in the user interface an alternative value within a range of values and applying the alternative value to the target platform in lieu of the at least one of the configuration 

Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to PATRICK F NGANKAM whose telephone number is (571)270-3659. The examiner can normally be reached M-F 9:30-7:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Glenton Burgess can be reached on (571) 270-3659. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/P.F.N/Examiner, Art Unit 2454       

/GLENTON B BURGESS/Supervisory Patent Examiner, Art Unit 2454