DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
The Amendment filed 03 December 2021 has been received and considered.
Claims 1-20 are pending.
This Action is Final.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 3-6, 8-11, 13, 14, and 17-20 are rejected under 35 U.S.C. 103 as being unpatentable over Gupta et al. (US 20180048668) in view of de Alfaro et al. (US 8781990) and further in view of Nsouli (US 20190190947).
As per claims 1, 5, and 11, Gupta et al. discloses a system and process for implementing device level security, the process comprising: detecting a device having security profile, wherein the security profile has an incomplete parameter, wherein the incomplete parameter comprises an attribute, trait, or value that is associated with the device, wherein the incomplete parameter comprises a parameter 
receiving feedback to supply a data value for the incomplete parameter (see paragraphs [0119]-[0120] filling the missing information); 
identifying, on the device, potential attack vectors and associated vulnerabilities, based on the data value; implementing a security measure based on the identified potential attack vectors and associated vulnerabilities (see paragraphs [0056]-[0058] and [0121]-[0124] where the risk is determined based on the vulnerabilities and attack vectors and mitigations are performed based on the risk); and 
updating the security profile of the device (see paragraph [0120] where the risk is calculated and the profile is updated with the obtained missing information).
While Gupta et al. teaches receiving a supplied data value for the incomplete parameter, there lacks an explicit teaching of receiving feedback from a first user to supply a data value for the incomplete parameter; receiving feedback from a second user to supply a data value for the incomplete parameter; validating the received feedback from the first user by comparing the received feedback from the first user with the received feedback from the second user.
However, de Alfaro et al. teaches receiving feedback from a first user to supply a data value for the incomplete parameter; receiving feedback from a second user to supply a data value for the incomplete parameter; validating the received feedback from the first user by comparing the received feedback from the first user with the received feedback from the second user (see column 3 lines 1-14; column 4 lines 18-28 and column 7 lines 33-51 where multiple users submit data values for a missing parameter and information about the users and the data submitted are used to determine a consensus, i.e. validated, value).

Motivation, as recognized by one of ordinary skill in the art, to do so would have been to allow for multiple users to provide suggested values thereby increasing the likelihood of a proper value for the missing information.
While the modified Gupta et al. and de Alfaro et al. system discloses collecting information from different sources (i.e. internal sources controlled by an administrator, see, for example paragraph [0114], for Gupta et al. and anonymous external sources for Alfaro et al.), there lacks any specific teaching of the first and second users having profiles that include a username and at least one of a user role; a user rank; or a user history.
However, Nsouli teaches a system that uses information provided by both the internal and external sources where the system includes user profiles with usernames and at least one of a user role; a user rank; or a user history (see paragraph [0034] where the users have names and historical data and reputation data which is used to rank the responses).
At a time before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to use both internal and external sources ranked based on profile information for the information in the modified Gupta et al. and Alfaro et al. system.
Motivation, as recognized by one of ordinary skill in the art, to do so would have been that collecting data from additional sources and using, for example reputation data, further refines the system providing more precise and accurate data.
While the modified Gupta et al., de Alfaro et al., and Nsouli system teaches the incomplete parameters and feedback provided include a device type and operating system, there lacks an explicit teaching of the remaining elements of the group: a device make; a device model; a device serial number; a device Food and Drug Administration (FDA) class; a device firmware; an open port of the device; external connectivity of the device; a device description; a device manufacturer; a device processor type; an amount of random access memory (RAM) of the device; a number of access ports; networking capabilities of the device; data storage capabilities of the device; encryption capabilities of the device; a 
However, Official Notice is taken that at a time before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to include/substitute the remaining elements in the group as part of the profile as they are all well-known and common device information and such a substitution would result in the predictable result of a profile with additional information.
As per claims 3, 4, 13, 14, and 18, the modified Gupta et al., de Alfaro et al., and Nsouli system discloses the process substantially similar to claim 1 and additionally discloses accessing a data source, the data source having a collection of security profiles, each security profile having a confidence rating assigned thereto, wherein the confidence rating characterizes at least one of a confidence completeness of the data stored in the security profile or accuracy of the data stored in the security profile and computing an updated confidence rating based upon the first feedback and the second feedback and a completeness score, an update score, a validation score, or a combination thereof; and calculating a risk rating for the updated security profile based off of risk contributions, wherein the risk contributions comprises vulnerabilities associated with the device (see Gupta et al. paragraphs [0110]-[0111] and [0119] where each table has a risk score that is based on and updated by calculating the risk R based on the impacts and likelihood; see also de Alfaro et al. column 7 lines 33-51 where various ratings/scores are used in determining the consensus value).
As per claim 6, the modified Gupta et al., de Alfaro et al., and Nsouli system discloses detecting a device having security profile comprises at least one of discriminating between product level information or asset level information (see Gupta et al. paragraphs [0096]-[0097]).
As per claims 8-10 and 17, the modified Gupta et al., de Alfaro et al., and Nsouli system discloses detecting a device having security profile comprises detecting the device using a communication protocol on a processing device, wherein the processing device has a graphical user interface; 
As per claim 19, the modified Gupta et al., de Alfaro et al., and Nsouli system discloses implementing a correction action when the first feedback and the second feedback do not agree (see de Alfaro et al. column 4 lines 5-61 where various steps are taken to determine the best value when the provided values do not agree).
As per claim 20, the modified Gupta et al., de Alfaro et al., and Nsouli system discloses prioritizing a security profile, wherein prioritizing a security profile comprises: comparing parameters of two security profiles within the collection of security profiles; and assigning a prioritization modifier to one of the compared security profiles based on the calculated confidence rating, a completeness of the security profile instance, a need-based modifier, or a combination thereof (see Gupta et al. paragraph [0164]).
Claims 2, 7, 12, 15, and 16 are rejected under 35 U.S.C. 103 as being unpatentable the modified Gupta et al., de Alfaro et al., and Nsouli system as applied to claims 1 and 11 above, and further in view of Cran et al. (US 10972494).
As per claims 2 and 12, the modified Gupta et al., de Alfaro et al., and Nsouli system generally discloses rewarding users (see Nsouli paragraph [0034], providing, for example, a free license), but fails to explicitly disclose rewarding at least one of the first user the second user for received feedback relating to the device via an interactive score-based user platform.
However, Cran et al. teaches rewarding at least one of the first user the second user for received feedback relating to the device via an interactive score-based user platform (see column 7 lines 34-46).

Motivation, as recognized by one of ordinary skill in the art, to do so would have been to incentivize users providing feedback, thereby increasing participation and increasing the likelihood of proper information being provided.
As per claims 7, 15, and 16, the modified Gupta et al., de Alfaro et al., and Nsouli system discloses obtaining a security measure, but fails to explicitly disclose implementing a security measure comprises: obtaining a security measure that corresponds to the associated vulnerabilities; and installing the security measure on the device; wherein obtaining a security measure that corresponds to the associated vulnerabilities comprises web-scraping a data source.
However, Cran et al. teaches implementing a security measure comprises: obtaining a security measure that corresponds to the associated vulnerabilities; and installing the security measure on the device; wherein obtaining a security measure that corresponds to the associated vulnerabilities comprises web-scraping a data source (see column 9 lines 11-24; column 10 lines 27-45; and column 15 lines 28-41).
At a time before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to obtain and install the security measure corresponding to a web-scraped data source in the modified Gupta et al., de Alfaro et al., and Nsouli system.
Motivation to do so would have been to obtain the information directly from the entities relevant to the assets (see Cran et al. column 9 lines 11-24).

Response to Arguments
Applicant’s arguments with respect to claim(s) 1-20 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.
Applicant's arguments filed 03 December 2021 have been fully considered but they are not persuasive. While Applicant’s arguments and affidavits are considered moot in view of the above response, the Examiner is further clarifying that with the combination of Nsouli the combination does not render Gupta unsatisfactory for its intended purpose.  Nsouli considers the potential problems with receiving data from external sources but solves this problem with the ranking system of the received data and therefore shows a system that receives both trusted internal data and untrusted external data.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: the remaining references put forth on the PTO-892 form are directed to security/device profiles.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL J PYZOCHA whose telephone number is (571)272-3875.  The examiner can normally be reached on Monday-Thursday 7:30am-5:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Hadi Armouche can be reached on (571) 270-3618.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.