Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
This action is in response to application filed 03/31/2020.
Claims 1-17 are pending in this application.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

Claims 1, 3-4, 13, 16 are rejected under 35 U.S.C. 103 as being unpatentable over Garrett et al. (US 2021/0194929 A1) in view of Abzarian et al. (US 2009/0063584 A1).
Regarding claim 1, Garrett discloses a method of security hardening for a networked system comprising at least one client site including a plurality of computers including at least one computer system class (computer class) connected together by at least one communications network ([0053]:  The security rules may be directed to a plurality of system components included in computer systems, including, but not limited to, an operating system, a software application, firmware, programmable computer hardware, or other types of system component), comprising: 
obtaining one or more cybersecurity hardening benchmarks that includes initial cybersecurity configuration settings (CCS) for the computer class ([0022]:  a STIG file 112 can be obtained from a data source that hosts STIG data files 112 (e.g., the National Vulnerability Database (NVD)).  [0054]:  STIG standards can be generated for the system components using configuration settings specified by the security standards); 
([0022]-[0023], [0053]:  Security configuration information obtained from the STIG file 112 can be parsed to identify individual security configuration rules which specify configuration settings for various system components, including operating systems, software applications, programmable hardware, and other system components that have configuration settings that can be modified. In one example, protocol markers contained in the STIG file 112 may delimit security configuration rules directed to system components); 
adding other CCS and the compatible portion to provide interim CCS ([0023]: the decomposition and simplification of security configuration information obtained from STIG files 112 into a format more readily usable in compliance checking and remediation allows for customization of STIG file content, while maintaining consistency in configuration and compliance of system components 124a-c included in computer systems 122a-c); 
testing compatibility of the interim CCS to find compatible ones of the interim CCS and incompatible ones of the interim CCS ([0056], [0058]:  a configuration compliance package can be generated to evaluate a configuration setting of the system component for compliance to the STIG standard. In one example, the configuration compliance package can be generated to include a computer script that initiates execution of a task on the computer system to evaluate the configuration setting and determine whether a value of the configuration setting corresponds to the STIG standard. Also, the configuration compliance package can be generated to output an indication whether a configuration setting complies with a STIG standard included in the set of STIG standards.  The STIG compliance service can be configured to generate a configuration implementation package, which can be used to implement at least a portion of the STIG standards on a computing system by updating configuration settings for a system component to values indicated by the STIG standards. For example, the configuration implementation package can include one or more computer scripts that are configured to update the configuration settings of a system component to comply with a STIG standard directed to the system component); 
revising the incompatible interim CCS to generate revised interim CCS ([0053]:  In some examples, as part of performing a compliance evaluation using a configuration compliance package, configuration settings of system components determined to be out of compliance can be updated to comply with STIG standards directed to the system components using computer scripts included in a configuration implementation package).
However, Garrett does not disclose translating the compatible interim CCS together with the revised interim CCS into a CCS generating file, the CCS generating file including group policy objects (GPOs) and policy setting scripts for automatically generating a plurality of CCS.
In an analogous art, Abzarian discloses translating the compatible interim CCS together with the revised interim CCS into a CCS generating file ([0173]:  In an embodiment a translation collection is generated or updated to provide the necessary translation information to translate between two or more versions of the policy 1705), the CCS generating file including group policy objects (GPOs) and policy setting scripts for automatically generating a plurality of CCS ([0177]:  a determination is made that all policy translations have been generated, the respective management console forwards the new policy version and all translated policy versions to a GPO of the managed environment system 1740. The GPO thereafter deploys the current policy version and/or one or more translated policy versions, as needed, to one or more clients in the managed environment system. [0183]:  Such policy versioning is efficient in that one policy version is used to generate one or more translated policy versions that are deployed to various clients in a managed environment system).
Therefore, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to modify Garrett to comprise “translating the compatible interim CCS together with the revised interim CCS into a CCS generating file, the CCS generating file including group policy objects (GPOs) and policy setting scripts for automatically generating a plurality of CCS” taught by Abzarian.
One of ordinary skill in the art would have been motivated because it would have enabled generating one or more translated policy versions that are deployed to various clients (Abzarian, [0183]).

Regarding claim 3, Garrett-Abzarian discloses the method of claim 1, wherein the GPOs are applicable for all of the computer classes (Abzarian, [0146]:  it can be advantageous to deploy more than one version of a policy to support managing group policy objects ("GPO"). In circumstances where various clients in a managed environment system 100 support various versions, it is advantageous to deploy policy versions to these clients that are each compatible with the respective client-supported major version. [0177]:  a determination is made that all policy translations have been generated, the respective management console forwards the new policy version and all translated policy versions to a GPO of the managed environment system), and wherein the policy setting scripts are applicable for at least one of the computer classes, but not all of the computer classes (Abzarian, [0165]:  new firewall policy version 4.2 is forwarded to client B 1505 as client B 1505 supports major version four (4). Translated firewall policy version 3.8 is forwarded to client C 1510 as client C 1510 supports major version three (3). Translated firewall policy version 2.5 is forwarded to client D 1515 and translated firewall policy version 1.3 is forwarded to client E 1520 as client D 1515 supports major version two (2) and client E 1520 supports major version one (1)).  The same rationale applies as in claim 1.

Regarding claim 4, Garrett-Abzarian discloses the method of claim 1, wherein the plurality of computers further comprises different computer system application classes, and wherein there are additional ones of the GPOs to customize the plurality of CCS between the different computer system application classes (Garrett, [0029]-[0030]:  security baseline can be deployed to a windows based computer system 122a-c using a GPO that includes configuration settings specified by STIG standards 104 that are directed to the windows operating system.  A GPO 306 can then be created using the STIG standards 304 to determine various configuration settings implemented via the components of the GPO 306. In the case that MICROSOFT adds or removes GPO features, the STIG standards 304 implemented via a GPO can be maintained on a computer system using the GPO).

Regarding claim 13, Garrett discloses a non-transitory computer-readable medium containing at least one cybersecurity configuration setting (CCS) generating file including instructions that when executed cause at least one processor of a computer ([0069], claim 1:  one processor; a memory device including instructions that, when executed by the at least one processor) located at a node in a networked system having a plurality of the computers including at least one computer system class (computer class) to generate a plurality of CCS ([0014]:  the STIG compliance service 130 can include a plurality of modules 106/108/110 used to provide functionality related to creating security baselines that are based on STIG standards 104, generating configuration implementation packages 114 for deployment and implementation on computer systems 122a-c, and generating configuration compliance packages 116 used to maintain the security baselines on the computer systems 122a-), comprising: the CCS generating file including group policy objects (GPOs) applicable to all computers in the network system ([0029]:  generating a configuration implementation package 114 can include creating a group policy object (GPO) that can be implemented on a computer system 122a-c that has an installed version of the MICROSOFT windows operating system (or another type of operating system that uses a form of group policy to control a working environment), and group policy definition files which provide a policy setting library for at least the computer class ([0027]:  a configuration implementation package 114 may include instructions that set or modify configuration settings stored in a configuration file (e.g., a config file and/or files that have .cnf, .conf, .cf, or .ini extensions) or another file type used to store configuration settings for a software application).
However, Garrett does not disclose policy setting scripts that are applicable to less than all the computers in the networked system; wherein execution of the CCS generating file at the node automatically generates a plurality of CCS for cybersecurity protection of the node.
In an analogous art, Abzarian discloses policy setting scripts that are applicable to less than all the computers in the networked system, and group policy definition files which provide a policy setting library for at least the computer class ([0165]:  new firewall policy version 4.2 is forwarded to client B 1505 as client B 1505 supports major version four (4). Translated firewall policy version 3.8 is forwarded to client C 1510 as client C 1510 supports major version three (3). Translated firewall policy version 2.5 is forwarded to client D 1515 and translated firewall policy version 1.3 is forwarded to client E 1520 as client D 1515 supports major version two (2) and client E 1520 supports major version one (1). [0173]:  In an embodiment a translation collection is generated or updated to provide the necessary translation information to translate between two or more versions of the policy 1705); wherein execution of the CCS generating file at the node automatically generates a plurality of CCS for cybersecurity protection of the node ([0177]:  a determination is made that all policy translations have been generated, the respective management console forwards the new policy version and all translated policy versions to a GPO of the managed environment system 1740. The GPO thereafter deploys the current policy version and/or one or more translated policy versions, as needed, to one or more clients in the managed environment system. [0183]:  Such policy versioning is efficient in that one policy version is used to generate one or more translated policy versions that are deployed to various clients in a managed environment system).
Therefore, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to modify Garrett to comprise “policy setting scripts that are applicable to less than all the computers in the networked system; wherein execution of the CCS generating file at the node automatically generates a plurality of CCS for cybersecurity protection of the node” taught by Abzarian.
One of ordinary skill in the art would have been motivated because it would have enabled generating one or more translated policy versions that are deployed to various clients (Abzarian, [0183]).

Regarding claim 16; the claim is interpreted and rejected for the same reason as set forth in claim 4.

Claims 2, 6-7, 14-15, 17 are rejected under 35 U.S.C. 103 as being unpatentable over Garrett in view of Abzarian, as applied to claim 1, in further view of Schlotman, JR. et al. (herein after Schlotman, US 2020/0220902 A1).
Regarding claim 2,  Garrett-Abzarian discloses the method of claim 1.
However, Garrett-Abzarian does not disclose wherein the computer class comprises a plurality of different ones of the computer classes that collectively include at least two different operating systems (OSs), further comprising combining together the respective CCS generating files as a single multi-class CCS generating file.
In an analogous art, Schlotman discloses wherein the computer class comprises a plurality of different ones of the computer classes that collectively include at least two different operating systems (OSs), further comprising combining together the respective CCS generating files as a single multi-class CCS generating file ([0024]:  The baseline service 118 can manage machine and/or user policies (e.g., Group Policy settings) and baselines 145 for enrolled devices 106. For example, the baseline service 118 can generate and manage a policy catalog 148 including policies supported by different versions of one or more operating systems).
Therefore, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to modify Garrett-Abzarian to comprise “wherein the computer class comprises a plurality of different ones of the computer classes that collectively include at least two different operating systems (OSs), further comprising combining together the respective CCS generating files as a single multi-class CCS generating file” taught by Schlotman.
(Schlotman, [0024]).  

Regarding claim 6, Garrett-Abzarian discloses the method of claim 1.
However, Garrett-Abzarian does not disclose wherein the at least one client site comprises a plurality of client sites including two or more physical locations.
In an analogous art, Schlotman discloses wherein the at least one client site comprises a plurality of client sites including two or more physical locations ([0014]:  The computing devices can be located in a single installation or can be distributed among many different geographical locations.  [0028]-[0029]:  The device data 142 can include, for example, information specifying applications that are installed on the client device 106, configurations or settings that are applied to the client device 106, user accounts associated with the device 106, the physical location of the client device 106, the enterprise associated with the client device 106, the network to which the client device 106 is connected, the device group(s) to which the client device 106 belongs, and/or other information associated with the client device 10).
Therefore, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to modify Garrett-Abzarian to comprise “wherein the at least one client site comprises a plurality of client sites including two or more physical locations” taught by Schlotman.
One of ordinary skill in the art would have been motivated because it would have enabled an enterprise, such as one or more companies or other organizations, to operate a  (Schlotman, [0016]).

Regarding claim 7, Garrett-Abzarian-Schlotman disclose the method of claim 2, wherein the CCS generating files are organized by the OS (Schlotman, [0055]:  the policies can be included in a policy catalog 148 and organized in a hierarchical configuration according to operating system 130, operating system version, policy type, and/or other features).  The same rationale applies as in claim 2.

Regarding claim 14; the claim is interpreted and rejected for the same reason as set forth in claim 2.

Regarding claim 15, Garrett-Abzarian-Schlotman discloses the method of claim 14, wherein the GPOs are applicable for all of the computer classes, and wherein the policy setting scripts are applicable for at least one of the computer classes, but not all of the computer classes (Abzarian, [0165]:  new firewall policy version 4.2 is forwarded to client B 1505 as client B 1505 supports major version four (4). Translated firewall policy version 3.8 is forwarded to client C 1510 as client C 1510 supports major version three (3). Translated firewall policy version 2.5 is forwarded to client D 1515 and translated firewall policy version 1.3 is forwarded to client E 1520 as client D 1515 supports major version two (2) and client E 1520 supports major version one (1)).  The same rationale applies as in claim 13.

Claim 5 is rejected under 35 U.S.C. 103 as being unpatentable over Garrett in view of Abzarian, as applied to claim 1, in further view of Chernoguzov et al. (US 2015/0215339 A1).
Regarding claim 5, Garrett-Abzarian discloses the method of claim 1.
However, Garrett-Abzarian does not disclose wherein the networked system comprises a process control system.
In an analogous art, Chernoguzov discloses wherein the networked system comprises a process control system ([0036], [0070]:  authentication, encryption, and key management techniques to provide policy-based secure communication capabilities to industrial control and automation systems, such as those that support standard Ethernet networking.  The system 100 could support a wide range of devices running different operating systems and using potentially different versions of IPsec and IKE. As a result, an access vector can be interpreted or translated in the context of the target device. For example, if the target device is a WINDOWS workstation, the interpretation/translation may produce a group policy object).
Therefore, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to modify Garrett-Abzarian to comprise “wherein the networked system comprises a process control system” taught by Chernoguzov.
One of ordinary skill in the art would have been motivated because it would have enabled providing policy-based secure communication capabilities to industrial control and automation systems (Chernoguzov, [0036]).

Claims 8-12 are rejected under 35 U.S.C. 103 as being unpatentable over Garrett in view of Abzarian, as applied to claim 1, in further view of Hajost et al. (US 2020/0084105 A1) in further view of Schlotman, JR. et al. (herein after Schlotman, US 2020/0220902 A1).
Regarding claim 8, Garrett-Abzarian discloses the method of claim 1.
However, Garrett-Abzarian does not disclose further comprising: collecting cybersecurity data from the client site including existing group cybersecurity policies comprising existing GPOs and information describing a domain structure; analyzing the cybersecurity data by comparing the existing GPO's with the GPOs to identify incompatibilities; resolving the incompatibilities; and installing the CCS generating file on a first of the plurality of computers.
In an analogous art, Hajost discloses further comprising: collecting cybersecurity data from the client site including existing group cybersecurity policies comprising existing GPOs and information describing a domain structure ([0013]:  The remediation process begins with the performing of a rescan of policies, functions and systems affected by the domain controller stored at the endpoint and storing the results of the rescan. Subsequent to the rescan, a GPO update is pushed by the domain controller to the endpoint); analyzing the cybersecurity data by comparing the existing GPO's with the GPOs to identify incompatibilities ([0013],[0016]:  The two rescan results are compared to determine what was changed by the GPO update and whether the GPO's are out of compliance with the desired policies. The results of the rescans are compared in the compliance matrix 150 to determine whether any changes were made by the GPO update and if those changes are in compliance with the desired policy preferences); resolving the incompatibilities ([0013], [0016]:  If those changes are out of compliance with the desired preferences, a notification 160 is displayed in a display to end user 110 regarding the GPO update that caused the non-compliant changes….change the GPO of the Active Directory™ to bring the GPO in compliance with the desired preferences. This process may be automated to automatically and continuously bring the GPO non-compliant updates in compliance and synchronized with the local policy preferences stored on the endpoint 120A, 120B, 120N); and installing the CCS generating file on a first of the plurality of computers ([0021]:  the GPO update executes on the endpoint. After the GPO update executes, in block 350, the rescan of the selected endpoint is repeated and stored).
Therefore, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to modify Garrett-Abzarian to comprise “further comprising: collecting cybersecurity data from the client site including existing group cybersecurity policies comprising existing GPOs and information describing a domain structure; analyzing the cybersecurity data by comparing the existing GPO's with the GPOs to identify incompatibilities; resolving the incompatibilities; and installing the CCS generating file on a first of the plurality of computers” taught by Hajost.
One of ordinary skill in the art would have been motivated because it would have enabled continuously bringing the GPO non-compliant updates in compliance (Hajost, [0016]).
However, Garrett-Abzarian-Hajost does not disclose collecting cybersecurity data from the client site an overall inventory of the networked system comprising a number of the computer system classes.
In an analogous art, Schlotman discloses further comprising: collecting cybersecurity data from the client site including existing group cybersecurity policies comprising existing GPOs and information describing a domain structure ([0040]:  As policies supported by an operating system 130 are updated and released over time, it can be beneficial to centralize policy management for groups of devices 106 in an enterprise network such that a given device 106 can access a baseline 145 for the device group associated with a given device 106 and apply the policies defined in the baseline 145 accordingly.  [0053]:  through the management console 114, can review the status of the different created baselines 145. As shown in FIG. 3D, the administrator can be notified of the number of devices 106 included in the group the baseline 145 is assigned to, the number of devices 106 that have installed the baseline 145, and the number of devices 106 that have not installed the baseline 145).
Therefore, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to modify Garrett-Abzarian-Hajost to comprise “collecting cybersecurity data from the client site an overall inventory of the networked system comprising a number of the computer system classes” taught by Schlotman.
One of ordinary skill in the art would have been motivated because it would have enabled generating a policy catalog comprising policies supported by one or more operating systems (Schlotman, [0024]).

Regarding claim 9, Garrett-Abzarian-Hajost-Schlotman discloses the method of claim 8, further comprising responsive to the incompatibilities, adding an additional GPO before the installing to respond to each of the incompatibilities (Hajost, [0016]:  change the GPO of the Active Directory™ to bring the GPO in compliance with the desired preferences. This process may be automated to automatically and continuously bring the GPO non-compliant updates in compliance and synchronized with the local policy preferences stored on the endpoint). The same rationale applies as in claim 8.

(Hajost, [0015]:  The rescan is performed within a threshold period of time after a GPO update and before the next GPO update occurs.  GPO update compliance logic 130 then performs a second rescan of the endpoint 120A, 120B, 120N within a similar threshold period of time), and in accordance with a determination that at least one of the plurality of CCS is an affected CCS that is not in compliance, providing an alert, or acting to remediate the affected CCS (Hajost, [0016]:  The desired policy preferences may be the local policies. If those changes are out of compliance with the desired preferences, a notification 160 is displayed in a display to end user 110 regarding the GPO update that caused the non-compliant changes). The same rationale applies as in claim 8.

Regarding claim 11,  Garrett-Abzarian-Hajost-Schlotman discloses the method of claim 8, wherein the plurality of computers include a domain controller (DC), and the installing comprises implementing one of the CCS generating files corresponding to the DC before installing proceeds to any of the other plurality of computers (Hajost, [0013], [0019]:  The remediation process begins with the performing of a rescan of policies, functions and systems affected by the domain controller stored at the endpoint and storing the results of the rescan. Subsequent to the rescan, a GPO update is pushed by the domain controller to the endpoint.  The domain controller 240 of computing domain 230 pushes a GPO update over the network 220 to the selected endpoint 250A, 250B, 250N). The same rationale applies as in claim 8.
(Garrett, [0011]:   A configuration compliance package can be configured to output a compliance report that indicates whether the configuration settings of a computer system comply with STIG standards).


Additional References
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Davis et al., US 11,153,160 B1: Active Directory Configuration of External Network Resources. 
Vasishth et al., US 2006/0190985 A1: Automated Policy Change Alert in a Distributed Enterprise.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JUAN C TURRIATE GASTULO whose telephone number is (571)272-6707. The examiner can normally be reached Monday - Friday 8 am-4 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/J.C.T/Examiner, Art Unit 2446
/SHEAN TOKUTA/Primary Examiner, Art Unit 2446