DETAILED ACTION
Responsive to the Applicant reply filed on 11/22/2021, Applicant’s amendments to the claims have been entered and the respective arguments carefully considered and responded to in the following. Claims 1-25 are pending, with claims 1, 8, 14, 20, and 23 being in independent form.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Arguments
The claim amendments and remarks filed by the Applicant on 11/22/2021 have been carefully considered and are responded to in the following.

In response to the Applicant arguments, page(s) 8-9, regarding Claims 1-25 being rejected under 35 U.S.C. 101, the Applicant’s arguments in view of the amendments have been carefully considered and are persuasive. Therefore, the rejection has been withdrawn.

Regarding the claims 1-6 and 20-22 invoking 35 U.S.C. 112(f), see pages 9-12 of the Remarks, the Applicant’s argument that “the cited components are stored and executed (See instant specification, for example, paragraphs [0026, 0046-47, 0049, 0054-55, and 0164])” in the memory, see page 11, is persuasive.  Accordingly, the claims 1-6 and 20-22 are no longer interpreted under 35 U.S.C. 112(f).

In response to the Applicant arguments, page(s) 9-12, regarding Claims 1-6 and 20-22 being rejected under 35 U.S.C. 112(b) for reciting non-structural placeholders in the claims.  

Applicant’s arguments, page(s) 8-9 of the Remarks, with regards to claims 1-25 being rejected under 35 U.S.C. § 103 have been considered carefully. 
First, Applicant argues claims 1-2, 8-9, and 14-15, focusing on the newly added limitation “a trainer component that trains a machine-learning model to assign risk scores to compliance processes based on respective groups of risk assessment metrics of different compliance process vulnerability scoring systems” in claim 1. (Emphasis added.) It is noted that claim 1 previously recited “a risk assignment component that assigns a risk score of the compliance process based on the one or more risk assessment metrics.” Now the amended claim 1 specifies different compliance processes to which risk scores are assigned. At pages 12-14 of the Remarks, Applicant basically argues that the cited references Conver and McGovern fail to disclose the added limitation.
In response, the Examiner respectfully points out that this newly added limitation necessitates a new ground of rejection. DiMag is found to disclose a machine-learning model configured for determining maturity levels (par. 0044-0045). In DiMag, the maturity levels are the same as risk scores to determine the levels of compliance processes. DiMag also discloses compliance processes being evaluated over groups of risk assessment metrics, such as NIST and HIPAA control policy and procedure families. DiMag also discloses a scoring system (par. 0084-0087), wherein machine learning component 710 can utilize recurrent neural networks to generate groupings of compliance data and remediation data related to maturity levels (par. 0116 and 0122), which are risk scores which are based on a modification of the set of compliance program data or the set of remediation data to the set of requirement data. DiMag uses historical data for updating and assessing risk scores. For instance, as compliance items are remediated, the updates to remediation data can result … updated risk score(s). In DiMag, the risk scores are the maturity levels, which are assigned/updated …based on an active learning algorithm that utilizes historical maturity level data inputs to predict future maturity level data (par. 0119).

Turning to dependent claims 3, 7, 10, and 16, see pages 14-16 of the Remarks, Applicant relies on the argument over claim 1 to argue the rejections. In response, the Examiner respectfully points out that DiMag teaches the newly added limitation “a trainer component that trains a machine-learning model to assign risk scores to compliance processes based on respective groups of risk assessment metrics of different compliance process vulnerability scoring systems” in claim 1 for the aforementioned reasons. DiMag additionally discloses the use of historical data (par. 0119-0020) and a machine learning component 710, which is mapped to the trainer component, employs a machine learning model to label sets of compliance program data based on a level of similarity, and generates groupings of compliance data; furthermore, previous client data (which is historical vulnerability data) …can be utilized as training data; see par. 0122 and 0142. DiMag also discloses transfer learning data; see a previous assessment data and the previous average maturity level of a respective NIST control (or regulation) at par. 0045-0046. Therefore, the Applicant’s arguments are not persuasive.

Regarding the rejection of claims 4, 11, 17, and the rejection of claims 5, 12, and 18, see pages 16-18 of the Remarks, Applicant continues to rely on the argument over claim 1 to argue these rejections. For the same reason as that of claim 1, the Applicant’s arguments are not persuasive.

Regarding the rejections of claims 6, 13, 19-21 and 22-25, see pages 18-20 of the Remarks, Applicant also relies on the argument over claim 1 to argue these rejections. For the same reason as that of claim 1, the Applicant’s arguments are not persuasive.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):

(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:

The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention. 


Claims 1-25 are rejected under 35 U.S.C. 112 (b), as being indefinite for failing to particularly point out and distinctly claim the subject matter which applicant regards as the invention.  This determination is explained in the following:

Claims 1, 8, and 14 each recite a limitation “assign[ing] … a risk score to/of the compliance process” in the last clause, respectively.  The elements for “a risk score” and “the compliance process” are unclear or lack sufficient antecedent basis thereof, because the added limitation in the amendment “a trainer component that trains a machine-learning model to assign risk scores to compliance processes based on respective groups of risk assessment metrics of different compliance process vulnerability scoring systems” has corresponding instances for “risk scores” and “compliance processes” in plural form.  It is unclear whether these instances are related or separate.
Claims 20 and 23 each recite a limitation “the group of compliance processes based on the aggregate risk score” in the last clause, respectively. The instances for “the group of compliance processes” and “the aggregate risk score” are unclear because of the newly added limitations for “risk scores” and “groups of compliance processes” (which are in plural 
Claims 2-7, 9-13, 15-19, 21-22, and 24-25 are also rejected under 35 U.S.C. 112 (b) because they each depend from the rejected base claims 1, 8, 14, 20, and 23, respectively.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Claims 1-3, 7-10, and 14-16 are rejected under 35 U.S.C. 103 as being unpatentable over Convertino (US 20190312910 A1; hereinafter “Conver”) in view of McGovern (US 20090024663 A1), and further in view of DiMaggio (US 20180018602 A1; hereinafter “DiMag”).

As per claim 1, Conver teaches a system, comprising: 
a memory that stores computer executable components (Conver, par. 0053 and 0114: memory); and 
a processor that executes the computer executable components stored in the memory (Conver, par. 0177: processor), wherein the computer executable components comprise: 
a metric assignment component that assigns, using the machine-learning model, one or more risk assessment metrics of the respective groups of risk assessment metrics based on vulnerability data of a compliance process (Conver, par. 0093-0094 and 0097: the determination of appropriate risk metrics; one or more risk metrics corresponding to the goal are determined. If the goal is received as a risk metric, then this step simply designates the risk metric specified in goal as the appropriate risk metric corresponding to the goal; Qualitative risk metrics …. Include a policy compliance status … and risk score); and 
a risk assignment component that [assigns], using the machine-learning model, a risk score to the compliance process based on the one or more risk assessment metrics (Conver, par. 0082-0084: computing risk scores wherein the quantitative risk metrics can include metrics such as risk score (an aggregate risk score for the grouping based upon the corresponding data stores); par. 0113, 0129, and 0132: the risk metrics…is used to compute risk … and used to rank the groupings).
While Conver discloses computing risk scores, Conver does not explicitly disclose assigning a risk score of the compliance process. This aspect of the claim is identified as a further difference.
McGovern teaches:
a risk assignment component that [assigns] a risk score (McGovern, par. 0037-0038: assigning numerical scores may already reflect the weight of a security parameter within an overall scoring scheme);
Conver and McGovern are analogous art, because they are in a similar field of endeavor in improving the evaluation of assets at risk. Thus, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to combine them and to modify Conver with McGovern to assign the calculated risk scores according to the metrics. For this combination, the motivation would have been to improve the accuracy of the risk evaluations with quantified risk values of risk assessment metrics.
However, Conver and McGovern as combined do not explicitly disclose assigning a plurality of risk scores to compliance processes based on respective groups of risk assessment metrics of different compliance process vulnerability scoring systems.  This aspect of the claim is identified as a further difference.
In a related art, DiMag teaches:
a trainer component that trains a machine-learning model to assign risk scores to compliance processes based on respective groups of risk assessment metrics of different compliance process vulnerability scoring systems (DiMag, par. 0044-0045: determining maturity levels which are risk scores in DiMag, [assigned to] NIST and HIPAA control policy and procedure families, i.e., groups of risk assessment metrics of different compliance process and scoring system; par. 0084-0087; par. 0116 and 0122: machine learning component 710 can utilize recurrent neural networks … to generate groupings of compliance data and remediation data related to maturity levels, which are risk scores in DiMag; par. 0116: updates … the risk score based on a modification of the set of compliance program data or the set of remediation data to the set of requirement data…which is continuously updated with new tasks, changes in existing tasks, and revisions to compliance plans. For instance, as compliance items are remediated, the updates to remediation data can result … updated risk score(s). In DiMag, the risk scores are the maturity levels which are assigned/updated …based on an active learning algorithm that utilizes historical maturity level data inputs to predict future maturity level data; par. 0119).
DiMag is analogous art to the claimed invention in a similar field of endeavor in improving risk evaluation by risk scoring. Thus, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify the Conver-McGovern system with DiMag to use DiMag’s machine-learning model to assign and update risk scores of groups/families of NIST and HIPAA control policy and procedure based on a continuously updated set of compliance program data and controls. For this combination, the motivation would have been to improve the machine learning model for assessing the overall risk scores of compliance processes.

As per claim 2, the references as combined above teach the system of claim 1, wherein the computer executable components further comprise: 
a collection component that collects historical vulnerability data comprising at least one of vulnerability descriptions, vulnerability categories, or vulnerability scores corresponding to vulnerabilities of the compliance processes (Note that optional limitations are recited herein) (Conver, par. 0128-0129: groupings of risk metric, which includes previous and current values; par. 0130: groupings can be ranked according to …a user's interaction history. Regarding the corresponding vulnerabilities of the compliance process, Conver’s quantitative risk metrics include metrics such as risk score …and data risk cost computed by policy penalty, data volume).

As per claim 3, the references as combined above teach the system of claim 1, and DiMag also teaches:
at least one of historical vulnerability data, expert feedback, operational data feedback, or transfer learning data (Note that optional limitations are recited herein; emphasis added) (DiMag, par. 0119-0020: historical data; par. 0122 and 0142: a machine learning component 710 which is mapped to the trainer component; employs a machine learning model to label sets of compliance program data based on a level of similarity; generate groupings of compliance data; Furthermore, previous client data (which is historical vulnerability data) …can be utilized as training data; DiMag also discloses transfer learning data; see a previous assessment data and the previous average maturity level of a respective NIST control (or regulation) at par. 0045-0046).
DiMag is analogous art to the claimed invention in a similar field of endeavor in improving risk evaluation by risk scoring. Thus, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify the Conver-McGovern system with DiMag to use a model that can be used to assign risk assessment metrics or the risk score based on at least one of historical vulnerability data. For this combination, the motivation would have been to improve the accuracy of the risk evaluations with a machine learning model.

As per claim 7, the references as combined above teach the system of claim 1, wherein the risk assessment metrics comprise at least one of 
exploitability metrics or impact metrics of a compliance process vulnerability scoring system (DiMag, par. 0031 and 0059-0061: the impact of compliance activities and/or remediation activities; non-compliance and compliance related impact factors), and 
wherein the compliance process comprises at least one of (Note: optional limitation is recited): 
(DiMag, par. 0083: accessing the updated data input by compliance management system 115 in order to update maturity level determinations; par. 0085: indicate that information security processes are constantly improved through monitoring feedback from existing processes); 
Note that the following limitations are optional and thus not examined at this time.  However, the cited references may disclose one or more of the features in the following.
a patching process; 
an identity and access management process; 
a development and operations process; 
a development, security, and operations process; or 
a runtime process.

As per claim 8, Conver teaches a computer-implemented method, comprising: 
assigning, by the system, using the machine learning model, one or more risk assessment metrics of the respective groups of risk assessment metrics based on vulnerability data of a compliance process (Conver, par. 0093-0094 and 0097: the determination of appropriate risk metrics; one or more risk metrics corresponding to the goal are determined. If the goal is received as a risk metric, then this step simply designates the risk metric specified in goal as the appropriate risk metric corresponding to the goal; Qualitative risk metrics …. Include a policy compliance status … and risk score); and 
[assigning], by the system, using the machine-learning model, a risk score to the compliance process based on the one or more risk assessment metrics (Conver, par. 0082-0084: computing risk scores wherein the quantitative risk metrics can include metrics such as risk score (an aggregate risk score for the grouping based upon the corresponding data stores); par. 0113, 0129, and 0132: the risk metrics…is used to compute risk … and used to rank the groupings).
While Conver discloses computing risk scores, Conver does not explicitly disclose assigning a risk score of the compliance process. This aspect of the claim is identified as a further difference.
In a related art, McGovern teaches:
a risk assignment component that [assigns] a risk score (McGovern, par. 0037-0038: assigning numerical scores may already reflect the weight of a security parameter within an overall scoring scheme);
Conver and McGovern are analogous art, because they are in a similar field of endeavor in improving the evaluation of assets at risk. Thus, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to combine them and to modify Conver with McGovern to assign the calculated risk scores according to the metrics. For this combination, the motivation would have been to improve the accuracy of the risk evaluations with quantified risk values of risk assessment metrics.
However, Conver and McGovern as combined do not explicitly disclose assigning a plurality of risk scores to compliance processes based on respective groups of risk assessment metrics of different compliance process vulnerability scoring systems.  This aspect of the claim is identified as a further difference.
In a related art, DiMag teaches:
training, by a system operatively coupled to a processor, a machine-learning model to assign risk scores to compliance processes based on respective groups of risk assessment metrics of different compliance process vulnerability scoring systems (DiMag, par. 0044-0045: determining maturity levels which are risk scores in DiMag, [assigned to] NIST and HIPAA control policy and procedure families, i.e., groups of risk assessment metrics of different compliance process and scoring system; par. 0084-0087; par. 0116 and 0122: machine learning component 710 can utilize recurrent neural networks … to generate groupings of compliance data and remediation data related to maturity levels, which are risk scores in DiMag; par. 0116: updates … the risk score based on a modification of the set of compliance program data or the set of remediation data to the set of requirement data…which is continuously updated with new tasks, changes in existing tasks, and revisions to compliance plans. For instance, as compliance items are remediated, the updates to remediation data can result … updated risk score(s). In DiMag, the risk scores are the maturity levels which are assigned/updated …based on an active learning algorithm that utilizes historical maturity level data inputs to predict future maturity level data; par. 0119).
DiMag is analogous art to the claimed invention in a similar field of endeavor in improving risk evaluation by risk scoring. Thus, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify the Conver-McGovern system with DiMag to use DiMag’s machine-learning model to assign and update risk scores of groups/families of NIST and HIPAA control policy and procedure based on a continuously updated set of compliance program data and controls. For this combination, the motivation would have been to improve the machine learning model for assessing the overall risk scores of compliance processes.

As per claim 9, the references as combined above teach the computer-implemented method of claim 8, further comprising: 
collecting, by the system, historical vulnerability data comprising at least one of vulnerability descriptions, vulnerability categories, or vulnerability scores corresponding to vulnerabilities of the compliance processes (Conver, par. 0128-0129: groupings of risk metric, which includes previous and current values; par. 0130: groupings can be ranked according to …a user's interaction history. Regarding the corresponding vulnerabilities of the compliance process, Conver’s quantitative risk metrics include metrics such as risk score …and data risk cost computed by policy penalty, data volume).

As per claim 10, it is directed to the computer-implemented method of claim 8, further reciting the same limitation as claim 3. For the same reason as that of claim 3, claim 10 is similarly rejected.

As per claim 14, Conver teaches a computer program product facilitating compliance process risk assessment, the computer program product comprising a computer readable storage medium having program instructions embodied therewith, the program instructions executable by a processor to cause the processor to: 
assign, by the processor, using the machine-learning model, one or more risk assessment metrics of the respective groups of risk assessment metrics based on vulnerability data of a compliance process (Conver, par. 0093-0094 and 0097: the determination of appropriate risk metrics; one or more risk metrics corresponding to the goal are determined. If the goal is received as a risk metric, then this step simply designates the risk metric specified in goal as the appropriate risk metric corresponding to the goal; Qualitative risk metrics …. Include a policy compliance status … and risk score); and 
assign, by the processor, using the machine-learning model, a risk score of the compliance process based on the one or more risk assessment metrics (Conver, par. 0082-0084: computing risk scores wherein the quantitative risk metrics can include metrics such as risk score (an aggregate risk score for the grouping based upon the corresponding data stores); par. 0113, 0129, and 0132: the risk metrics…is used to compute risk … and used to rank the groupings).
While Conver discloses computing risk scores, Conver does not explicitly disclose assigning a risk score of the compliance process. This aspect of the claim is identified as a further difference.
In a related art, McGovern teaches:
(McGovern, par. 0037-0038: assigning numerical scores may already reflect the weight of a security parameter within an overall scoring scheme);
Conver and McGovern are analogous art, because they are in a similar field of endeavor in improving the evaluation of assets at risk. Thus, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to combine them and to modify Conver with McGovern to assign the calculated risk scores according to the metrics. For this combination, the motivation would have been to improve the accuracy of the risk evaluations with quantified risk values of risk assessment metrics.
However, Conver and McGovern as combined do not explicitly disclose assigning a plurality of risk scores to compliance processes based on respective groups of risk assessment metrics of different compliance process vulnerability scoring systems.  This aspect of the claim is identified as a further difference.
In a related art, DiMag teaches:
train, by the processor, a machine-learning model to assign risk scores to compliance processes based on respective groups of risk assessment metrics of different compliance process vulnerability scoring systems (DiMag, par. 0044-0045: determining maturity levels which are risk scores in DiMag, [assigned to] NIST and HIPAA control policy and procedure families, i.e., groups of risk assessment metrics of different compliance process and scoring system; par. 0084-0087; par. 0116 and 0122: machine learning component 710 can utilize recurrent neural networks … to generate groupings of compliance data and remediation data related to maturity levels, which are risk scores in DiMag; par. 0116: updates … the risk score based on a modification of the set of compliance program data or the set of remediation data to the set of requirement data…which is continuously updated with new tasks, changes in existing tasks, and revisions to compliance plans. For instance, as compliance items are remediated, the updates to remediation data can result … updated risk score(s). In DiMag, the risk scores are the maturity levels which are assigned/updated …based on an active learning algorithm that utilizes historical maturity level data inputs to predict future maturity level data; par. 0119).
DiMag is analogous art to the claimed invention in a similar field of endeavor in improving risk evaluation by risk scoring. Thus, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify the Conver-McGovern system with DiMag to use DiMag’s machine-learning model to assign and update risk scores of groups/families of NIST and HIPAA control policy and procedure based on a continuously updated set of compliance program data and controls. For this combination, the motivation would have been to improve the machine learning model for assessing the overall risk scores of compliance processes.

As per claim 15, the references as combined above teach the computer program product of claim 14, wherein the program instructions are further executable by the processor to cause the processor to: collect, by the processor, historical vulnerability data comprising at least one of vulnerability descriptions, vulnerability categories, or vulnerability scores corresponding to vulnerabilities of the compliance process (Conver, par. 0128-0129: groupings of risk metric, which includes previous and current values; par. 0130: groupings can be ranked according to …a user's interaction history. Regarding the corresponding vulnerabilities of the compliance process, Conver’s quantitative risk metrics include metrics such as risk score …and data risk cost computed by policy penalty, data volume).

As per claim 16, it is directed to the computer program product of claim 14, and the claim also recites the same limitation as claim 3. For the same reason as that of claim 3, claim 16 is similarly rejected.


Claims 4, 11, and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Conver and McGovern and DiMag, as applied to claim 1, and further in view of Bassin (US 20110067005 A1).

As per claim 4, the references of Conver and McGovern and DiMag as combined above teach the system of claim 1, but do not explicitly disclose adjusting the risk score based on feedback data corresponding to the risk score.  This aspect of the claim is identified as a further difference.
In a related art, Bassin teaches:
wherein the risk assignment component adjusts the risk score based on feedback data corresponding to the risk score (Bassin, par. 0035: dynamic adjustment of defect related risk; par. 0036: using … feedback to adjust the risk score and/or update the risk evaluation).
Bassin is analogous art to the claimed invention in a similar field of endeavor in improving risk evaluation by risk scoring. Thus, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify the Conver-McGovern system with Bassin to allow the risk score to be adjusted based on feedback data corresponding to the risk score. For this combination, the motivation would have been to improve the accuracy of the risk evaluations with score adjustment.

As per claim 11, the references of Conver and McGovern and DiMag as combined above teach the computer-implemented method of claim 8.  Given claim 11 recites the same limitation as claim 4, it is rejected for the same reason as that of claim 4.

As per claim 17, the references of Conver and McGovern and DiMag as combined above teach the computer program product of claim 14.  Given claim 17 also recites the same limitation as claim 4, it is rejected for the same reason as that of claim 4.

Claims 5, 12, and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Conver and McGovern and DiMag, as applied to claim 1, and further in view of Inagaki (US 20200050770 A1; hereinafter “Ina”).

As per claim 5, the references of Conver and McGovern and DiMag as combined above teach the system of claim 1, but do not explicitly disclose adding or including at least one of the vulnerability data or the risk score to a vulnerability database.  This aspect of the claim is identified as a further difference.
In a related art, Ina teaches:
wherein the computer executable components further comprise: an update component that adds at least one of the vulnerability data or the risk score to a vulnerability database (Ina, par. 0086: receive a new risk score associated with a vulnerability from the external vulnerability database 412; par. 0088 and 0108: the modification module 426 may be configured to modify the new risk score.  Note here that receiving a new risk score means adding a new risk score).
Ina is analogous art to the claimed invention in a similar field of endeavor in improving risk evaluation by risk scoring. Thus, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify the Conver-McGovern system with Ina to add the risk score to a vulnerability database. For this combination, the motivation would have been to keep a record of risk scores and adjustments.

As per claim 12, the references of Conver and McGovern and DiMag as combined above teach the computer-implemented method of claim 8. Given that claim 12 recites the same limitation as claim 5, it is rejected for the same reason as that of claim 5.

As per claim 18, the references of Conver and McGovern and DiMag as combined above teach the computer program product of claim 14. Given that claim 18 also recites the same limitation as claim 5, it is rejected for the same reason as that of claim 5.


Claims 6, 13, and 19-25 are rejected under 35 U.S.C. 103 as being unpatentable over Conver and McGovern and DiMag, as applied to claim 1, and further in view of Biswas (US 20200273046 A1).

As per claim 6, the references of Conver and McGovern and DiMag as combined above teach the system of claim 1, wherein the computer executable components further comprise: a manager component that assigns a level of priority to management of an asset of the compliance process based on the risk score, thereby facilitating at least one of reduced impact to or exploitation of vulnerabilities of the asset (Biswas, par. 0087: The risk compliance index score or scores for the entity enable the entity to identify entity-specific compliance-related business risks and prioritize compliance actions to address high-risk areas with a higher or highest priority. The RCMI framework works as a decision-support system; see also par. 0013-0016 for facilitating at least one of reduced impact).
Biswas is analogous art to the claimed invention in a similar field of endeavor in improving the evaluation of assets at risk.  Thus, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to combine them and to modify the Conver-McGovern system to assign a level of priority based on the aggregate risk score. For this combination, the motivation would have been to set the priority of the risk score.

As per claim 13, the references of Conver and McGovern and DiMag as combined above teach the computer-implemented method of claim 8.  Given the claim recites the same limitation as claim 6, it is rejected for the same reason as that of claim 6.

As per claim 19, the references of Conver and McGovern and DiMag as combined above teach the computer program product of claim 14.  Given the claim recites the same limitation as claim 6, it is rejected for the same reason as that of claim 6.

As per claim 20, Conver teaches a system, comprising: 
a memory that stores computer executable components (Conver, par. 0053 and 0114: memory); and 
a processor that executes the computer executable components stored in the memory (Conver, par. 0177), wherein the computer executable components comprise: 
a risk assignment component that assigns, using the machine-learning model, an aggregate risk score to a group of compliance processes based on risk assessment metrics of different compliance process vulnerability scoring systems (Conver, par. 0082-0084: an aggregate risk score; computing risk scores wherein the quantitative risk metrics can include metrics such as risk score - an aggregate risk score for the grouping based upon the corresponding data stores); par. 0113, 0129, and 0132: the risk metrics…is used to compute risk … and used to rank the groupings).
While Conver discloses computing risk scores, Conver does not explicitly disclose assigning a risk score of the compliance process. This aspect of the claim is identified as a further difference.
McGovern teaches:
a risk assignment component that assigns, using the machine-learning model, a risk score … (McGovern, par. 0037-0038: assigning numerical scores may already reflect the weight of a security parameter within an overall scoring scheme);
Conver and McGovern are analogous art, because they are in a similar field of endeavor in improving the evaluation of assets at risk.  Thus, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to combine them and to modify Conver with McGovern to assign the calculated risk scores according to the metrics. For this combination, the motivation would have been to improve the accuracy of the risk evaluations with quantified risk values of risk assessment metrics.
However, the combination of Conver and McGovern does not explicitly disclose assigns a level of priority to management of one or more assets of the different compliance processes based on the aggregate risk score. This aspect of the claim is identified as a further difference.
In a related art, Biswas teaches:
a manager component that assigns a level of priority to management of one or more assets of the different compliance processes based on the aggregate risk score (Biswas, par. 0087: The risk compliance index score or scores for the entity enable the entity to identify entity-specific compliance-related business risks and prioritize compliance actions to address high-risk areas with a higher or highest priority. The RCMI framework works as a decision-support system; see also par. 0013-0015 for a risk compliance index score generated for representing a risk compliance maturity).
Biswas is analogous art to the claimed invention in a similar field of endeavor in improving the evaluation of assets at risk.  Thus, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to combine them and to modify the Conver-McGovern system to assign a level of priority based on the aggregate risk
However, Conver and McGovern and Biswas as combined do not explicitly disclose assigning a plurality of risk scores to compliance processes based on respective groups of risk assessment metrics of different compliance process vulnerability scoring systems.  This aspect of the claim is identified as a further difference.
In a related art, DiMag teaches:
a trainer component that trains a machine-learning model to assign aggregate risk scores to groups of compliance processes based on respective groups of risk assessment metrics of different compliance process vulnerability scoring systems (DiMag, par. 0044-0045: determining maturity levels which are risk scores in DiMag, [assigned to] NIST and HIPAA control policy and procedure families, i.e., groups of risk assessment metrics of different compliance process and scoring system; par. 0084-0087; par. 0116, and 0122: machine learning component 710 can utilize recurrent neural networks … to generate groupings of compliance data and remediation data related to maturity levels, which are risk scores in DiMag; par. 0116: updates … the risk score based on a modification of the set of compliance program data or the set of remediation data to the set of requirement data…which is continuously updated with new tasks, changes in existing tasks, and revisions to compliance plans.  For instance, as compliance items are remediated, the updates to remediation data can result … updated risk score(s)). In DiMag, the risk scores are the maturity levels which are assigned/updated …based on an active learning algorithm that utilizes historical maturity level data inputs to predict future maturity level data; par. 0119).
DiMag is analogous art to the claimed invention in a similar field of endeavor in improving risk evaluation by risk scoring.  Thus, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify the Conver-McGovern system with DiMag to use DiMag’s machine-learning model to assign and update

As per claim 21, the references of Conver and McGovern and Biswas and DiMag as combined above teach the system of claim 20, wherein the computer executable components further comprise: a metric assignment component that assigns the risk assessment metrics based on vulnerability data of the group of compliance processes (Conver, par. 0082-0084: computing risk scores wherein the quantitative risk metrics can include metrics such as risk score (an aggregate risk score for the grouping based upon the corresponding data stores); par. 0113, 0129, and 0132: the risk metrics…is used to compute risk … and used to rank the groupings).

As per claim 22, the references of Conver and McGovern and Biswas and DiMag as combined above teach the system of claim 21, and DiMag also teaches:
wherein the trainer component trains the machine-learning model based on at least one of historical vulnerability data, expert feedback, operational data feedback, or transfer learning data, thereby facilitating at least one of improved accuracy, efficiency, or performance of at least one of the risk assignment component, the manager component, or the processor (DiMag, par. 0122 and 0142: a machine learning component 710 which is mapped to the trainer component; employs a machine learning model to label sets of compliance program data based on a level of similarity; generate groupings of compliance data; Furthermore, previous client data within such data subsets can be utilized as training data; machine learning component 710 can facilitate a determination of real-time changes to risk score data as well).
DiMag is analogous art to the claimed invention in a similar field of endeavor in improving risk evaluation by risk scoring.  Thus, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify the Conver-McGovern system with DiMag to a model that can be used to assign risk assessment metrics or the risk score based on at least one of historical vulnerability data. For this combination, the motivation would have been to improve the accuracy of the risk evaluations with a machine learning model.

As per claim 23, Conver teaches a computer-implemented method, comprising: 
assigning, by the system, using the machine learning model, an aggregate risk score to a group of compliance processes based on the respective groupings of risk assessment metrics of the different compliance process vulnerability scoring systems (Conver, par. 0082-0084: an aggregate risk score; computing risk scores wherein the quantitative risk metrics can include metrics such as risk score - an aggregate risk score for the grouping based upon the corresponding data stores); par. 0113, 0129, and 0132: the risk metrics…is used to compute risk … and used to rank the groupings).
While Conver discloses computing risk scores, Conver does not explicitly disclose assigning a risk score of the compliance process. This aspect of the claim is identified as a further difference.
In a related art, McGovern teaches:
assigning, by the system, using the machine learning model, a risk score (McGovern, par. 0037-0038: assigning numerical scores may already reflect the weight of a security parameter within an overall scoring scheme);
Conver and McGovern are analogous art, because they are in a similar field of endeavor in improving the evaluation of assets at risk.  Thus, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to combine Conver with McGovern to assign the calculated risk scores according to the metrics. For this combination, the motivation would have been to improve the accuracy of the risk evaluations with quantified risk values of risk assessment metrics.
However, the combination of Conver and McGovern does not explicitly disclose assigns a level of priority to management of one or more assets of the different compliance processes based on the aggregate risk score. This aspect of the claim is identified as a further difference.
In a related art, Biswas teaches:
assigning, by the system, using the machine learning model, a level of priority to management of one or more assets of the group of compliance processes based on the aggregate risk score (Biswas, par. 0087: The risk compliance index score or scores for the entity enable the entity to identify entity-specific compliance-related business risks and prioritize compliance actions to address high-risk areas with a higher or highest priority. The RCMI framework works as a decision-support system; see also par. 0013-0015 for a risk compliance index score generated for representing a risk compliance maturity).
Biswas is analogous art to the claimed invention in a similar field of endeavor in improving the evaluation of assets at risk.  Thus, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to combine them and to modify the Conver-McGovern system to assign a level of priority based on the aggregate risk score. For this combination, the motivation would have been to improve the accuracy of the risk evaluations with the aggregate risk score.
However, Conver and McGovern and Biswas as combined do not explicitly disclose assigning a plurality of risk scores to compliance processes based on respective groups of risk assessment metrics of different compliance process vulnerability scoring systems.  This aspect of the claim is identified as a further difference.
In a related art, DiMag teaches:
DiMag, par. 0044-0045: determining maturity levels which are risk scores in DiMag, [assigned to] NIST and HIPAA control policy and procedure families, i.e., groups of risk assessment metrics of different compliance process and scoring system; par. 0084-0087; par. 0116, and 0122: machine learning component 710 can utilize recurrent neural networks … to generate groupings of compliance data and remediation data related to maturity levels, which are risk scores in DiMag; par. 0116: updates … the risk score based on a modification of the set of compliance program data or the set of remediation data to the set of requirement data…which is continuously updated with new tasks, changes in existing tasks, and revisions to compliance plans.  For instance, as compliance items are remediated, the updates to remediation data can result … updated risk score(s)). In DiMag, the risk scores are the maturity levels which are assigned/updated …based on an active learning algorithm that utilizes historical maturity level data inputs to predict future maturity level data; par. 0119).
DiMag is analogous art to the claimed invention in a similar field of endeavor in improving risk evaluation by risk scoring.  Thus, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify the Conver-McGovern system with DiMag to use DiMag’s machine-learning model to assign and update risk scores of groups/families of NIST and HIPAA control policy and procedure based on a continuously updated set of compliance program data and controls. For this combination, the motivation would have been to improve the machine learning model for assessing the overall risk scores of compliance processes.

As per claim 24, the references of Conver and McGovern and Biswas and DiMag as combined above teach the computer-implemented method of claim 23, and Conver also teaches further comprising: 
assigning, by the system, the risk assessment metrics based on vulnerability data of the group of compliance processes (Conver, par. 0082-0084: computing risk scores wherein the quantitative risk metrics can include metrics such as risk score (an aggregate risk score for the grouping based upon the corresponding data stores); par. 0113, 0129, and 0132: the risk metrics…is used to compute risk … and used to rank the groupings).

As per claim 25, the references of Conver and McGovern and Biswas and DiMag as combined above teach the computer-implemented method of claim 24, and DiMag also teaches:
training, by the system, a model to assign at least one of the risk assessment metrics or the aggregate risk score based on at least one of historical vulnerability data, expert feedback, operational data feedback, or transfer learning data (Note that optional limitations are recited herein; emphasis added) (DiMag, par. 0119-0020: historical data; par. 0122 and 0142: a machine learning component 710 which is mapped to the trainer component; employs a machine learning model to label sets of compliance program data based on a level of similarity; generate groupings of compliance data; Furthermore, previous client data (which is historical vulnerability data) …can be utilized as training data; DiMag also discloses transfer learning data; see a previous assessment data and the previous average maturity level of a respective NIST control (or regulation) at par. 0045-0046).
DiMag is analogous art to the claimed invention in a similar field of endeavor in improving risk evaluation by risk scoring.  Thus, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify the Conver-McGovern system with DiMag to a model that can be used to assign risk assessment metrics

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Don Zhao whose telephone number is (571)272-9953.  The examiner can normally be reached on 9 am to 5 pm Monday thru Friday.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin can be reached on 571-272-3862.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR 


/Don G Zhao/
Examiner, Art Unit 2493
01/14/2022