DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

This is a final office action in response to remarks filed on 18 August 2021.  Claims 1-4, 6-7, 10, 12, 14-15, 17-19, and 21 are amended.  No claims are canceled or added.  Claims 1-21 are pending.

Response to Amendment
The status identifiers for claim 2 is improper.  The claim’s status is currently amended however there are no amendments. See 37 CFR 1.121(c) and MPEP 714. II. C. A. Status Identifiers.

Response to Arguments
Applicant’s arguments, see remarks pages 8-9, filed 18 August 2021, with respect to the rejection of claims 1-11 under 35 USC 101 have been fully considered and are persuasive.  Therefore, the rejection has been withdrawn.  

Applicant’s arguments, see remarks page 9, filed 18 August 2021, with respect to the rejection of claims 1-21 under 35 US 112(b) have been fully considered and are persuasive.  Therefore, the rejection has been withdrawn.  

Applicant’s arguments, see remarks pages 9-13, filed 18 August 2021, with respect to the rejection of claims 1-21 under 35 USC 103 in view of Zimmerman and Salle have been fully considered and are persuasive.  Therefore, the rejection has been withdrawn.  However, upon further consideration, a new ground(s) of rejection is made in view of Santhi and Jagtap.
Applicant’s arguments are focused around the amended language and the applicability of previously cited Zimmerman and Salle for the amendments.  Additionally, regarding applicant’s statement that Salle’s disclosure of selecting a policy from among multiple policies is not relevant since this isn’t claimed (see remarks page 13 fifth paragraph), examiner respectfully points out that the claims were amended to remove a plurality of potential security policies and now recite a plurality of potential security models.

Response to Amendment
According to applicant’s explanation (see remarks page 10 first paragraph) the invention is directed towards generating a security policy as a service, however examiner respectfully points out that this is not actually claimed.  Examiner recommends making amendments to describe this interpretation.
Applicant’s amendment replacing ‘policy’ with ‘model’ removed the relationship between the model data store and multiple potential security policies.  As such, the claims now use security policy in only a descriptive capacity: “security policy engine computer platform” (independent claims 1, 12, and 19), “security policy package” (independent claims 1, 12, and 19, dependent claims 9-10 and 21), and “security policy 

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-21 are rejected under 35 U.S.C. 103 as being unpatentable over Santhi et al. (U.S. Patent Publication 2015/0188927) in view Jagtap et al. (U.S. Patent 9,754,303).

Regarding claim 1, Santhi disclosed a system associated with security policy implementation (see Santhi 0005: cloud services include Managed Services which refers to providing security services | 0089: policy manager module enables implementation of various policies related to cloud services), comprising:
(a)    a security model data store (see Santhi 0099: data repositories for the functional components of the CSB platform | 0088: multiple models of user security | 0105: #202 CSB platform includes #278 cloud architecture engine which includes policy models and security controls, i.e. security model data store) containing a plurality of potential security models (see Santhi 0088: multiple models of user security | 0078: a knowledge base of parameters for potential services including provider pricing models and security dimensions and technologies (0088: accessing multiple models of user security which include defining user access control, password policies, different security technologies, and other security deployment information), i.e. plurality of potential security models (potential because the service has not yet been selected for implementation) | 0102: #272 cloud services catalog engine accesses and manages models of cloud services (e.g. security services (see 0005), i.e. plurality of potential security models (potential because the service has not yet been selected for implementation)), each accessible by multiple external applications (see Santhi Fig. 3A #234 security manager is part of #202 CSB platform and is accessible by enterprise and provider systems, i.e. external applications, as well as #215 cloud services, i.e. external applications (Fig. 4 illustrates additional ancillary cloud services and Fig. 2A refers to #215 as IT supplier organizations) | 0069: #202 integrates internal and external cloud provider services | 0105: #202 CSB platform includes #278 cloud architecture , i.e. models are accessible by external applications);
(b)    a security specifications data store (see Santhi 0099: data repositories for the functional components of the CSB platform | 0094: catalog of security services | Fig. 4 illustrates cloud services catalog is part of #202 CSB platform) containing a plurality of potential security specifications (see Santhi 0071: “Catalog supports an abstraction of marketplace services and categorizations and then maps provider specific catalog line items…Additionally, attributes that are specific to cloud service consumers such as, for example, pricing rules, security and access constraints can be defined in the same catalog”, i.e. consumer attributes are interpreted as functionally equivalent to potential security specifications (customer-side potential specifications) | 0072: “The catalog has predefined metadata for service providers and services such as capacity limits, and allowed capacity configurations…for different providers. The constraints are then applied at the time of solution design and Architecture”, i.e. predefined metadata for services and different providers are also interpreted as being functionally equivalent to potential security specifications (provider-side potential specifications)), each accessible by the multiple external applications (see Santhi Fig. 3A #234 security manager is part of #202 CSB platform and is accessible by enterprise and provider systems, i.e. external applications, as well as #215 cloud services, i.e. external applications (Fig. 4 illustrates additional ancillary cloud services and Fig. 2A refers to #215 as IT supplier organizations) | 0069: #202 integrates internal and external cloud provider services | 0105: #202 CSB platform includes #278 cloud , i.e. potential security specifications in the services catalog is accessible by external applications); and
(c)    a security policy engine computer platform (see Santhi Fig. 4 #202 Cloud Services Broker (CSB) Platform), coupled to the security model data store (see Santhi 0105: #202 CSB platform includes #278 cloud architecture engine which includes policy models and security controls | Fig. 3A #234 security manager is part of #202 CSB platform) and the security specifications data store (see Santhi Fig. 4 illustrates cloud services catalog is part of #202 CSB platform), the security policy engine computer platform comprising:
at least one programmable processor (see Santhi 0108: processor); and
a non-transitory machine-readable medium storing instructions that, when executed by the at least one programmable processor, cause the at least one programmable processor to perform operations (see Santhi 0113: computer readable medium) comprising:
(i)    receive from an external application an indication identifying (see Santhi 0122: user selects desired package | 0081: CSB platform includes an order module which is used by users to determine and select cloud services (0078: CSB platform presents multiple service packages), i.e. receiving an indication from an external application identifying the desired service. As explained above, the CSB platform communicates with external users and applications in external clouds) a security policy (see Santhi 0005: cloud services include Managed Services which refers to providing security services | 0088: multiple models of user security | 0089: policy manager | 0105: #202 CSB platform includes #278 cloud architecture engine which includes policy models and security controls) package (see Santhi 0073: resource solution center | 0074: saving solution scenarios | 0078: cloud services planning wizard assesses different architectures, resources, security technologies, SLAs, and package sizes in order to present the CSB platform user with a comparison of the closest matched cloud services and providers | 0079: using a normalized scheme of small, medium, large, and custom packages | 0085: demand and capacity planning module enables solution capacity modeling | 0086: demand profiles are applied to the solution design | 0088: security manager module enables user security management with subscription and role-based access controls),
(ii)    retrieve, based on the received indication (see Salle combination below), one of the potential security models from the security model data store (see Santhi 0078: cloud services planning wizard accesses a knowledge base of parameters for potential services including accessing provider pricing models and security dimensions and technologies (0088: accessing multiple models of user security which include defining user access control, password policies, different security technologies, and other security deployment information), i.e. retrieving potential security models (potential because the service has not yet been selected for implementation) | 0102: #272 cloud services catalog engine accesses and manages models of cloud services, i.e. retrieving potential models (potential because the service has not yet been selected for implementation),
(iii)    retrieve, based on the received indication (see Salle combination below), one of the potential security specifications from the security specifications data store (see Santhi 0084: cloud services catalog and asset manager module #228 accessing the services catalog (0071: “Catalog supports an abstraction of marketplace services and categorizations and then maps provider specific catalog line items…Additionally, attributes that are specific to cloud service consumers such as, for example, pricing rules, security and access constraints can be defined in the same catalog”, i.e. attributes are interpreted as functionally equivalent to potential security specifications | 0072: “The catalog has predefined metadata for service providers and services such as capacity limits, and allowed capacity configurations…for different providers. The constraints are then applied at the time of solution design and Architecture”, i.e. predefined metadata for services and different providers are interpreted as being functionally equivalent to potential security specifications), and
(iv)    arrange for a security policy package to be implemented for the external application, the security policy package being associated with the retrieved potential security model and the retrieved potential security specification (see Santhi 0081: CSB platform includes an order module for ordering cloud services (0078: service packages, 0005: providing security services, 0105: policy models and security controls, 0102: service catalog includes models, 0071: security constraints defined in the services catalog, i.e. service package is associated with security models and security specifications) | 0082: CSB platform includes a provision module for provisioning cloud services, i.e. arrange for the service (e.g. security policy) package to be implemented).

Santhi did not explicitly disclose the retrieval of potential security models and potential security specifications is “based on the received indication”.
However in a related art, Jagtap disclosed a user selecting a service from a catalog (see Jagtap 66:58-60).  The service consumer selects a cloud service package without selecting performance metrics (see Jagtap 67:36-39).  The system then reserves resources needed for the selected service (see Jagtap 67:62-65) according to the solution model deployment process #500 (see Jagtap 68:6-8). The solution model deployment process 500 is utilized to automatically provision, configure, and deploy a service (see Jagtap 49:50-60). The type of service is used to determine which reference implementation architecture is used as the model (see Jagtap 50:45-49), i.e. obtaining the model “based on the received indication”. The reference implementation architecture is selected from a plurality of stored reference implementation architectures (see Jagtap 50:59-62), i.e. a plurality of potential models.  Additionally, the solution model deployment process for provisioning, configuring, and deploying a service (see Jagtap 49:50-60) includes a CITS delivery solution (see Jagtap 50:10-16) which is customized according to obtained personalization information, e.g. security preferences (48:57-67), to suit a service provider’s specifications (see Jagtap 50:26-36), i.e. obtaining the service specifications “based on the received indication”.


Regarding claims 12 and 19, the claims contain the limitations, substantially as claimed, as described in claim 1 above and are rejected under Santhi-Jagtap according to the rationale provided above.  The motivation to combine Santhi and Jagtap is the same as that provided in claim 1 above.

Regarding claim 2, Santhi-Jagtap disclosed the system of claim 1, wherein the security model data store contains at least one of: (i) customer security models (see Santhi 0088: multiple models of user security), (ii) security model templates, and (iii) a pluggable component.  The motivation to combine Santhi and Jagtap is the same as that provided in claim 1 above.

Regarding claim 13, the claim contains the limitations, substantially as claimed, as described in claim 2 above and is rejected under Santhi-Jagtap according to the rationale provided above.  The motivation to combine Santhi and Jagtap is the same as that provided in claim 1 above.
Regarding claim 3, Santhi-Jagtap disclosed the system of claim 2, wherein at least one of the potential security models includes at least one of: (i) a role definition (see Santhi 0088: role-based access control, multiple models of user security), and (ii) an entity.  The motivation to combine Santhi and Jagtap is the same as that provided in claim 1 above.

Regarding claim 14, the claim contains the limitations, substantially as claimed, as described in claim 3 above and is rejected under Santhi-Jagtap according to the rationale provided above.  The motivation to combine Santhi and Jagtap is the same as that provided in claim 1 above.

Regarding claim 4, Santhi-Jagtap disclosed the system of claim 3, wherein at least one of the potential security models is associated with at least one of: (i) a Harrison, Ruzzo, Ullman protocol, (ii) a mandatory access control protocol, (iii) a discretionary access control protocol, (iv) a rule-based access control protocol, (v) matrix access control, (vi) a take-grant model, (vii) attribute-based access control, (viii) a Bell-LaPadulla protocol, (ix) a Chinese wall model, and (x) any other access control protocol (see Santhi 0088: role-based access control, multiple models of user security).  The motivation to combine Santhi and Jagtap is the same as that provided in claim 1 above.


Regarding claim 15, the claim contains the limitations, substantially as claimed, as described in claim 4 above and is rejected under Santhi-Jagtap according to the rationale provided above.  The motivation to combine Santhi and Jagtap is the same as that provided in claim 1 above.

Regarding claim 5, Santhi-Jagtap disclosed the system of claim 1, wherein the security specifications data store contains at least one of: (i) customer security models (see Santhi 0071: “Catalog supports an abstraction of marketplace services and categorizations and then maps provider specific catalog line items…Additionally, attributes that are specific to cloud service consumers such as, for example, pricing rules, security and access constraints can be defined in the same catalog”, i.e. attributes are interpreted as functionally equivalent to potential security specifications | 0072: “The catalog has predefined metadata for service providers and services such as capacity limits, and allowed capacity configurations…for different providers. The constraints are then applied at the time of solution design and Architecture” ), (ii) security model templates (see Santhi 0070: service package template), and (iii) a pluggable component.  The motivation to combine Santhi and Jagtap is the same as that provided in claim 1 above.

Regarding claim 16, the claim contains the limitations, substantially as claimed, as described in claim 5 above and is rejected under Santhi-Jagtap according to the rationale provided above.  The motivation to combine Santhi and Jagtap is the same as that provided in claim 1 above.
Regarding claim 6, Santhi-Jagtap disclosed the system of claim 5, wherein at least one of the potential security specifications is associated with at least one of: (i) a healthcare application, (ii) a finance application (see Santhi 0092: integrating with enterprise billing and payment systems), (iii) a software application, (iv) an education application, and (v) any other enterprise application (see Santhi 0008: cloud services include enterprise resource planning services | 0092: APIs for enterprise systems).  The motivation to combine Santhi and Jagtap is the same as that provided in claim 1 above.

Regarding claim 17, the claim contains the limitations, substantially as claimed, as described in claim 6 above and is rejected under Santhi-Jagtap according to the rationale provided above.  The motivation to combine Santhi and Jagtap is the same as that provided in claim 1 above.

Regarding claim 7, Santhi-Jagtap disclosed the system of claim 6, wherein at least one of the potential security specifications is associated with a list of rules and permissions (see Santhi 0088: role-based access control).  The motivation to combine Santhi and Jagtap is the same as that provided in claim 1 above.

Regarding claim 18, the claim contains the limitations, substantially as claimed, as described in claim 7 above and is rejected under Santhi-Jagtap according to the rationale provided above.  The motivation to combine Santhi and Jagtap is the same as that provided in claim 1 above.

Regarding claim 8, Santhi-Jagtap disclosed the system of claim 1, further comprising a web user interface to receive security policy design information from a security architect (see Santhi 0066: IT architects use the CSB platform | 0074: designing cloud services | 0071: customizing cloud service parameters | 0073: resource solution center is used by IT service providers to setup security policies | 0078: cloud services planning wizard assesses different architectures, resources, security technologies, SLAs, and package sizes in order to present the CSB platform user with a comparison of the closest matched cloud services and providers | 0088: cloud services security management includes models of user security, password policies, and other custom deployments).  The motivation to combine Santhi and Jagtap is the same as that provided in claim 1 above.

Regarding claim 20, the claim contains the limitations, substantially as claimed, as described in claim 8 above and is rejected under Santhi-Jagtap according to the rationale provided above.  The motivation to combine Santhi and Jagtap is the same as that provided in claim 1 above.

Regarding claim 9, Santhi-Jagtap disclosed the system of claim 1, further comprising a library data store containing security packages (see Santhi 0078: cloud services planning wizard assesses different architectures, resources, security technologies, SLAs, and package sizes in order to present the CSB platform user with a comparison of the closest matched cloud services and providers | 0079: using a normalized scheme of small, medium, large, and custom packages | 0095: libraries for 

Regarding claim 10, Santhi-Jagtap disclosed the system of claim 1, wherein the received indication of a security policy package is associated with at least one of: (i) an application programming interface (see Santhi 0097: supporting multiple standard APIs | Santhi 0091: cloud services are implemented according to APIs | Santhi 0095: each service is associated with an API), (ii) a software development kit, (iii) a model extension, and (iv) an authorization check.  The motivation to combine Santhi and Jagtap is the same as that provided in claim 1 above.

Regarding claim 21, the claim contains the limitations, substantially as claimed, as described in claim 10 above and is rejected under Santhi-Jagtap according to the rationale provided above.  The motivation to combine Santhi and Jagtap is the same as that provided in claim 1 above.

Regarding claim 11, Santhi-Jagtap disclosed the system of claim 1, at least one potential security model and potential security specification is associated with at least .

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Angela Widhalm de Rodriguez whose telephone number is (571)272-1035. The examiner can normally be reached M-F: 6am-2:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Thu Nguyen can be reached on (571) 272-6967. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/A.M.W/Examiner, Art Unit 2452                                                                                                                                                                                                        30 December 2021

/THU V NGUYEN/Supervisory Patent Examiner, Art Unit 2452