Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
	Claims 1-20 are presented for examination.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1-20 are rejected under 35 U.S.C. 102(a)(1)/(a)(2) as being anticipated by Ross et al., US 2018/0121658.

Regarding claim 1, Ross discloses a non-transitory machine-readable storage medium comprising instructions that upon execution cause a system to: 
receive input information relating to a security level for an information technology (IT) stack comprising a plurality of layers including a hardware layer and a software layer (Paragraph 0019: receiving, by a 
discover components of the plurality of layers of the IT stack (0011: identify a plurality of components for each of the technology stacks by utilizing functional point analysis); 
access a knowledge base that maps the security level and the discovered components to configuration instructions relating to security controls (Fig 3, 310: identify corresponding technical security standards.  0008: access one or more security standards in a data store connected to the processor, at least one of the security standards corresponding to at least one of the technology stacks; and determine a cyber risk score based on the data and the at least one of the security standards); and
configure the IT stack with the security controls using the configuration instructions (0011: categorize each of the components for each of the technology stacks into a plurality of severity categories.  0054: any suitable technical security standards may be employed, such as, for example, Security Technical Implementation Guides (STIGs).). Regarding claim 2, Ross discloses the non-transitory machine-readable storage medium of claim 1, wherein the security level associated with the input information comprises a user security specification (0050: a cyber insurance underwriter may first ask prospective clients to complete an information security assessment that covers all IT equipment as well as company IT policies and practices.). Regarding claim 3, Ross discloses the non-transitory machine-readable storage medium of claim 1, wherein the security level associated with the input information comprises a security service level agreement (SLA) (0079: an auditor 220 from audit management 218 reviews the audit checklist, and identifies a needed or desired level of audit at block 324, after which the auditor 220 contacts the customer 202 to set up and perform the audit at block 326 for customer data validation. Feedback from 
receive input information relating to a security level for an information technology (IT) stack (Paragraph 0019: receiving, by a processor, data corresponding to one or more technology stacks),  comprising a plurality of layers including a hardware layer and a software layer, wherein the input information is technology and product agnostic (0066: The overall system may be technology agnostic); discover IT components of the plurality of layers of the IT stack (0011: identify a plurality of components for each of the technology stacks by utilizing functional point analysis); 
search, based on the input information and the discovered components, a knowledge base that maps different security levels for respective IT components to configuration instructions relating to security controls ((Fig 3, 310: identify corresponding technical security standards.  0008: access one or more 
wherein the search provides selected configuration instructions retrieved from the knowledge base ((0011: categorize each of the components for each of the technology stacks into a plurality of severity categories.  0054: any suitable technical security standards may be employed, such as, for example, Security Technical Implementation Guides (STIGs)); and 
send, through an interface, the selected configuration instructions to the components of the IT stack to configure the components of the IT stack with respective security controls corresponding to the selected configuration instructions (0070: The customer 202 may sign up for a cyber risk assessment offered by the cyber insurance agent 204, and the customer 202 may complete a clearing house web questionnaire 210 through a suitable computer interface 212 that is connected to internet 106, in order to determine applicable technology stacks 100 for the customer 202). Regarding claim 15, Ross discloses the system of claim 14, wherein the selected configuration instructions are sent through the interface to a hardware component and a software component (0100: FIG. 8A, the computing device 1500 may also include a storage device 1528, a removable media interface 1516, a network interface 1518, an input/output (I/O) controller 1523, one or more display devices 1530c, a keyboard 1530a and a pointing device 1530b, such as a mouse. The storage device 1528 may include, without limitation, storage for an operating system and software.). Regarding claim 16, Ross discloses the system of claim 15, wherein the IT stack further comprises a firmware layer, and wherein the selected configuration instructions are further sent through the interface to a firmware component (0097-0098: a computing device may be implemented via firmware 
Regarding claim 20, Ross discloses the method of claim 19, further comprising: updating the knowledge .

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
US 2019/0363929 to Andreoli et al. teaches reconfiguring a consolidated information technology stack, in order to assured that the changes do not affect achieved levels of security, availability, and performances [0022].
WO 2013/019241 teaches service providers have implemented service management stacks based on the Information Technology Infrastructure Library (ITSL). Security management, service level agreements, configuration management capacity management, event management, and continuity management
Any inquiry concerning this communication or earlier communications from the examiner should be directed to AUBREY H WYSZYNSKI whose telephone number is (571)272-8155. The examiner can normally be reached M-F 9-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, KAMBIZ ZAND can be reached on 571-272-3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To 





/AUBREY H WYSZYNSKI/Examiner, Art Unit 2434                                                                                                                                                                                                        /KAMBIZ ZAND/Supervisory Patent Examiner, Art Unit 2434