DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . 
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 04/30/2020 and 07/03/2020 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 1, 3-7, 8, 10-14 and 15, 17-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to a judicial exception (i.e., a law of nature, a natural phenomenon, or an abstract idea) without significantly more. 
Regarding to Claim 1:
First, Claim 1 is directed to a device. Therefore, the claimed invention falls into one of the four statutory categories.
Second, claim 1 is analyzed for its underlying inventive concept:
Step 2A Prong One: 

security control information comprising a plurality of security controls, wherein:
each security control is associated with mitigating one or more vulnerability types; and
each security control comprises a hardware configuration for data storage devices; and
a processor operably coupled to the memory, configured to:
…
a data content type for the data element; and
a target data storage device;
identify approved data storage devices corresponding with the data content type for the data element;
compare the target data storage device to the approved data storage devices corresponding with the data content type for the data element;
determine the target data storage device does not match an approved data storage device;
determine a security level associated with the target data storage device, wherein the security level is based on security features associated with the target data storage device;
determine vulnerability types associated with the determined security level of the target data storage device;
identify security controls based on the determined vulnerability types”, as drafted, are a process that, under its broadest reasonable interpretation, covers performance of the limitation by human mind but for the recitation of generic computer components. That is, other than reciting “data storage devices” nothing in the claim element precludes the steps from practically being performed in the human mind. For example, but for “data storage devices” language, “identify approved data storage devices …; determine the target data storage device does not match an approved data storage device; determine a security level associated with the target data storage device…; determine vulnerability types associated with the determined security level…; identify security controls based on the determined vulnerability types” in the context of this claim encompasses the user manually comparing and matching data storage device and determining security level and vulnerability types and 
Step 2A Prong Two:
This judicial exception is not integrated into a practical application. In particular, the claim only recites additional elements “receive a data storage request and output the identified security controls“. The additional steps is recited at a high-level of generality (i.e., as a generic processor performing a generic computer function of receiving and outputting) such that it amounts no more than mere instructions to apply the exception using a generic computer component. Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. The claim is directed to an abstract idea.
Third, Step 2B: claim 1 does not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional element of “receive a data storage request and output the identified security controls;“ amounts to no more than mere instructions to apply the exception using a generic computer component. Mere instructions to apply an exception using a generic computer component cannot provide an inventive concept. 
The claim 1 is not patent eligible.
Regarding to Claim 8: the claim is directed to a method claim. Therefore, the claim 8 is not patent eligible for reasons similar as claim 1.
Regarding to Claim 15: the claim is directed to a computer program with a non-transitory computer-readable media having executable instructions stored thereon for performing the method claimed in claim 1 and 8. Since the additional element “executable instructions” is generic computer component, it doesn’t integrate the abstract idea into a practical application and are sufficient to amount to significantly more than the judicial exception. Therefore, the claim 15 is not patent eligible for reasons similar as claim 1.



Allowable Subject Matter
Claims 1, 3-8, 10-15 and 17-20 would be allowable if the 101 rejection, set forth in this Office action, are overcome. 
Claims 2, 9 and 16 are allowable over prior art. 
Independent claims 1, 8 and 15 are allowable for following reasons:
Noted that the first closest prior art Bhosale et al. (Pub. No.: US 2020/0050769) teaches determining a classification associated with an instance of data, determining a vulnerability level of a first storage system at which the instance of data is currently located, and conditionally migrating the instance of data from the first storage system to a second storage system, based on the classification associated with the instance of data and the vulnerability level of the first storage system.
Noted that the second closest prior art Vinokurov et al. (Pub. No.: US 2008/0196088) teaches The device database 260 contains a record for each defined device type, device model, device configuration and device class. Each record in the database contains security policy considerations or device security rules to be used when access is requested through that type, model, configuration, or class of device including the security parameters (limits, thresholds, signatures, and so on), risks, and vulnerabilities inherent to the particular type, model, configuration, or class of device the record corresponds to (see paragraph [0031]).
Noted that the third closest prior art KIM et al. (Pub. No.: US 2016/0191544) teaches the security level analysis module 975 of the user terminal 100 determines a security level according to a security policy with reference to meta information following a type of content. The meta information may include a variety of information shown in FIGS. 34A and 34B. For example, a variety of information such as information on a location of a storage device in which an original file is stored, and a storage location of the original file may be included in the meta information. In this case, the security policy is related to determining the security level of which level when specific information are included in the meta information. For example, when the meta information indicates that the location of the storage device is 
However, Bhosale, Vinokurov and KIM individually or in combination fail to particularly disclose, fairly disclose, or render obvious the following limitations:
receive a data storage request comprising context information associated with storing a data element, wherein the context information identifies: a data content type for the data element; and a target data storage device; identify approved data storage devices within previously stored data storage information corresponding with the data content type for the data element, wherein: data storage device information comprising approved data storage devices; and each approved data storage device is associated with one or more data content types; compare the target data storage device to approved data storage devices corresponding with the data content type for the data element; determine the target data storage device does not match an approved data storage device; determine a security level associated with the target data storage device, wherein the security level is based on security features associated with the target data storage device; determine vulnerability types associated with the determined security level of the target data storage device; identify security controls based on the determined vulnerability types, wherein: each security control is associated with mitigating one or more vulnerability types; and each security control comprises a hardware configuration for data storage devices; and output the identified security controls.
Dependent claims 2-7, 9-14 and 16-20 are also allowable because they depend on claims containing allowable subject matter.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Tripp (Pub. No.: US 2014/0123293) - Weighted security analysis
Kymal et al. (Pub. No.: US 2011/0055566) - Method and system for risk assessment analysis

Any inquiry concerning this communication or earlier communications from the examiner should be directed to MENG LI whose telephone number is (571)272-8729.  The examiner can normally be reached on M-F 8:30-5:30.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s acting supervisor, Kristine Kincaid can be reached on (571) 272-4063.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8729.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/MENG LI/
Primary Examiner, Art Unit 2437