DETAILED ACTION
Response to Amendment
 	This Final office action is in response to Applicant’s amendment filed 9/27/2021. Claims 1, 4, 8, 15 and 18 have been amended. Claims 1-20 are pending.

 	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

 	Applicant's arguments filed 9/27/2021 have been fully considered but they are not persuasive.

 	Regarding the previously pending 35 USC 101 rejection, the claims as a whole, recite additional elements that integrate the judicial exception into a practical application, under Prong Two of Step 2A of the Alice analysis.

Claim Rejections - 35 USC § 102
 	In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
 	The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

 	Claims 1 and 14-20 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Sharifi Mehr (US 20210029156 A1).
As per claim 1, Sharifi Mehr discloses a data security evaluation computing device for evaluating data security of a target system, the data security evaluation computing device communicatively coupled to a plurality of data sources including the target system, the data security evaluation computing device (i.e., an IoT security service collects data from IoT devices being monitored and possibly other related components, analyzes the collected data to detect defined facilitators and indicators associated with an IoT kill chain, and uses the detected facilitators and indicators to continuously or periodically calculate at least two scores for individual devices or for groups of devices: a security threat level score and a security breach likelihood score, ¶ 0018) comprising a processor in communication with a memory device, the processor programmed to:
receive, from an acquiring party computing device, a security review request message requesting a data security review for the target system, the security review request message including a first identifier of the target system (i.e., users can use the IoT security system to request and gain insight into the factors that are used to calculate the threat level and breach likelihood scores (for example, the identified facilitators and indicators), ¶ 0018); 

query, using the first identifier of the target system, a first data source of the plurality of data sources, to receive data representing whether the target system has been a subject of a past data breach (i.e., the IoT device data 120 can be collected from a number of disparate data sources, the received data can be represented using a variety of different formats (for example, various log data formats, network traffic data records, various data formats generated by device management/audit systems, and so forth, ¶ 0029, a calculation of a breach likelihood score is based on a combination of identified indicators, recent threat level scores, and possibly other factors including historical observations related to a device, ¶ 0037); 
locally cache, in the memory device, the data representing whether the target system has been a subject of a past data breach (i.e., An IoT security service 110 may convert the data collected from these systems into a standard set of data fields, modify or supplement fields in the data (for example, to convert IP addresses into domain names, supplement the data with user account identifiers, and so forth), or perform any other operations on the data to facilitate subsequent analyses, ¶ 0029 and figure 1); 
query, using the at least one alternative identifier of the target system, at least one second data source of the plurality of data sources, to receive data associated with a potential for a future data breach at the target system (i.e., the IoT device data 120 can be collected from a number of disparate data sources, the received data 
locally cache, in the memory device, the data associated with the potential for a future data breach at the target system (i.e., An IoT security service 110 may convert the data collected from these systems into a standard set of data fields, modify or supplement fields in the data (for example, to convert IP addresses into domain names, supplement the data with user account identifiers, and so forth), or perform any other operations on the data to facilitate subsequent analyses, ¶ 0029 and figure 1); 
generate a data security score by analyzing the locally cached data, the data security score representing a likelihood that the target system has been the subject of a data breach and is vulnerable to a future data breach (i.e., the calculation of a threat level score, breach likelihood score, or both, for a particular IoT device 104 can be based in part on data that relates to one or more other IoT devices, ¶ 0040); 
compile the data security score and one or more additional data elements into a data security report, the one or more additional data elements including a recommendation to reduce vulnerability to a future data breach at the target system (i.e., FIG. 4 is a graph illustrating a relationship between identified security threat facilitators and indicators related to one or more IoT devices and calculated threat likelihood scores and breach likelihood scores according to some embodiments, ¶ 0066); and 

As per claim 14, Sharifi Mehr discloses the second data source includes the target system (i.e., For example, because the IoT device data 120 can be collected from a number of disparate data sources, the received data can be represented using a variety of different formats (for example, various log data formats, network traffic data records, various data formats generated by device management/audit systems, and so forth), ¶ 0029).
As per claim 16, Sharifi Mehr discloses retrieving, from the memory device, scoring parameters defining how to weight the locally cached data and an output format for the data security report; generating the data security score based on the scoring parameters; and formatting the data security report according to the scoring parameters (i.e., a baseline of historical activity of a device can be accounted for when calculating the breach likelihood score. For example, if an indicator has been observed regularly for past 30 days, it may be weighted relatively low, whereas an indicator that suddenly starts occurring without any history can be weighted more heavily, ¶ 0038).
As per claim 17, Sharifi Mehr discloses generating a first sub-score by analyzing the locally cached data representing whether the target system has been a subject of a past data breach; generating a second sub-score by analyzing the locally cached data associated with the potential for a future data breach at the target 
Claim 15 is rejected based upon the same rationale as the rejection of claim 1, since it is the method claim corresponding to the system claim.
Claims 18-20 are rejected based upon the same rationale as the rejection of claims 1, 16 and 17, respectively, since they are the computer-readable storage medium claims corresponding to the system claims.

Claim Rejections - 35 USC § 103
 	In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new 
 	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

 	Claims 11 and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Sharifi Mehr (US 20210029156 A1), in view of Lunsford et al (US 20200193022 A1).
As per claim 11, Sharifi Mehr does not disclose the second data source includes a compliance review database storing compliance assessments descriptive of the target system's compliance with data security standards, and wherein the processor is further programmed to: receive, from the compliance review database, any compliance assessments associated with the target system; and locally cache the compliance assessments.
Lunsford et al disclose the process 800 can generate a compliance report. The compliance report can include all information available to the process 800 and which pertain to the tasks of the playbook identified for the cyber event. In an example, the compliance report can be or can be a basis for a final compliance report that is mandated to be provided to a regulatory agency (¶ 0128).
Sharifi Mehr and Lunsford et al are concerned with effective workforce management.  It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to include the second data source 
As per claim 12, Sharifi Mehr does not disclose the processor is further programmed to: generate a compliance sub-score based on the locally cached compliance assessments; and generate the data security score based in part on the compliance sub-score.
Lunsford et al disclose Playbooks and/or tasks can be added, deleted, and/or changed, by one or more components of the system 302, to reflect the updated risk. The system 302 can report changes to risk score of the instant enterprise based on the changes (¶ 0108).
Sharifi Mehr and Lunsford et al are concerned with effective workforce management.  It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to include the processor is further programmed to: generate a compliance sub-score based on the locally cached compliance assessments; and generate the data security score based in part on the compliance sub-score in Sharifi Mehr, as seen in Lunsford et al, since the claimed .

Response to Arguments
 	In the Remarks, Applicant argues Sharifi Mehr does not describe or suggest each and every limitation of Claim 1. Specifically, Sharifi Mehr does not describe or suggest a data security evaluation computing device having a processor programmed to (i) receive, from an acquiring party computing device, a security review request message requesting a data security review for the target system, the security review request message including a first identifier of the target system, and (ii) in response to the security review request message, automatically retrieve and store at least one alternative identifier of the target system, wherein the at least one alternative identifier differs in at least one of a format or a type from the first identifier, as recited in Claim 1. The Examiner respectfully disagrees.
 As discussed in the updated rejection, Sharifi Mehr discloses receive, from an acquiring party computing device, a security review request message requesting a data security review for the target system, the security review request message including a first identifier of the target system (i.e., users can use the IoT security system to request and gain insight into the factors that are used to calculate the threat level and breach likelihood scores (for example, the identified facilitators and indicators), ¶ 0018); and in response to the security review request message, automatically retrieve and store at least one alternative identifier of the target system, wherein the at least one alternative identifier differs in at least one of a format or a type from the first identifier (i.e., The identification of IoT devices can be based on IP addresses associated with the devices (if the addresses are public and the devices are not behind a proxy) or using any other identifiers of the devices, ¶ 0024. An IoT security service 110 may convert the data collected from these systems into a standard set of data fields, modify or supplement fields in the data (for example, to convert IP addresses into domain names, supplement the data with user account identifiers, and so forth), or perform any other operations on the data to facilitate subsequent analyses, ¶ 0029).

Allowable Subject Matter
 	Claims 2-10 and 13 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Conclusion
 	THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 

 	Any inquiry concerning this communication or earlier communications from the examiner should be directed to ANDRE D BOYCE whose telephone number is (571)272-6726. The examiner can normally be reached M-F 10a-6:30p.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Rutao (Rob) Wu can be reached on (571) 272-6045. The fax phone 
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/ANDRE D BOYCE/Primary Examiner, Art Unit 3623                                                                                                                                                                                                        January 1, 2022