Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
Response to Arguments
In communications filed on 12/08/2021, claims 1, 2, 4-13, and 15-21 are presented for examination. Claims 1, 12, 15, and 20 are independent.
Amended claim(s): 1, 2, 4-13, and 15-21.
Canceled claim(s): 4 and 13.
New claim: 21.
Applicants’ arguments, see Applicant Arguments/Remarks filed 12/8/21, with respect to claim(s) rejected under prior art have been fully considered but are unpersuasive. Contrary to Applicant’s assertion, Baudoin explicitly discloses:
using the determined integrated result to: generate a corrective action plan that includes one or more remediation activities; (Baudoin: Figs. 2-4, Table-1, ¶5-¶7, ¶17-¶22, i.e., performing assessment on security policies and practices including assets such as software and generating risks and maturity index and based on risk and maturity level, generating a rating level and generating a corrective action plan and executing it)
invoke the remediation activities; and (Baudoin: Figs. 2-4, Table-1, ¶5-¶7, ¶17-¶22, i.e., performing assessment on security policies and practices including assets such as software and generating risks and maturity index and based on risk and maturity level, generating a rating level and generating a corrective action plan and executing it)
monitor the remediation activities, changes to a current risk management level of cybersecurity program, and changes to a current maturity level the cybersecurity program. (Baudoin: Figs. 2-4, Table-1, ¶5-¶7, ¶17-¶22, ¶30-¶36, i.e., performing assessment on security policies and practices including assets such as software and generating risks and maturity index and based on risk and maturity level, generating a rating level and generating a corrective action plan and executing it and continuously monitoring risk and maturity level to update the plan)

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claim 10 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Claim 10 recites the limitation "the method of claim 1". There is insufficient antecedent basis for this limitation in the claim.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claim(s) 1, 2, 4-6, 9-13, 15-17, and 20 is/are rejected under 35 U.S.C. 102(a)(1) as being anticipated by US 20040010709 A1 (hereinafter ‘Baudoin’).

As regards claim 1, Baudoin (US 20040010709 A1) discloses: A computing device comprising: a memory; and a processor coupled to the memory, wherein the processor is configured with processor executable software instructions to perform operations (Baudoin: ¶15-¶16, i.e., method, system and software for implementing the steps) comprising: determining a cybersecurity and privacy (CS&P) framework profile for a cybersecurity program implemented by an organization; (Baudoin: Figs. 2-4, Table-1, ¶5-¶7, ¶18-¶22, i.e., performing assessment on security policies and practices including assets such as software and generating risks and maturity index and based on risk and maturity level, generating a rating level)
determining a CS&P maturity level for the cybersecurity program; and (Baudoin: Figs. 2-4, Table-1, ¶5-¶7, ¶18-¶22, i.e., performing assessment on security policies and practices including assets such as software and generating risks and maturity index and based on risk and maturity level, generating a rating level)
determining an integrated result for the cybersecurity program based on a combination of the CS&P framework profile and the determined CS&P maturity level; and (Baudoin: Figs. 2-4, Table-1, ¶5-¶7, ¶17-¶22, i.e., performing assessment on security policies and practices including assets such as 
and using the determined integrated result to: generate a corrective action plan that includes one or more remediation activities; (Baudoin: Figs. 2-4, Table-1, ¶5-¶7, ¶17-¶22, i.e., performing assessment on security policies and practices including assets such as software and generating risks and maturity index and based on risk and maturity level, generating a rating level and generating a corrective action plan and executing it)
invoke the remediation activities; and (Baudoin: Figs. 2-4, Table-1, ¶5-¶7, ¶17-¶22, i.e., performing assessment on security policies and practices including assets such as software and generating risks and maturity index and based on risk and maturity level, generating a rating level and generating a corrective action plan and executing it)
monitor the remediation activities, changes to a current risk management level of cybersecurity program, and changes to a current maturity level the cybersecurity program. (Baudoin: Figs. 2-4, Table-1, ¶5-¶7, ¶17-¶22, ¶30-¶36, i.e., performing assessment on security policies and practices including assets such as software and generating risks and maturity index and based on risk and maturity level, generating a rating level and generating a corrective action plan and executing it and continuously monitoring risk and maturity level to update the plan)

Claims 12 and 20 recite substantially the same features recited in claim 1 above and are rejected based on the aforementioned rationale discussed in the rejection.

As regards claim 2, Baudoin discloses the computing device of claim 1, wherein the processor is configured to perform operations such that: determining the CS&P framework profile for the cybersecurity program implemented by the organization comprise: determining the current risk management level for the cybersecurity program and determining a target risk management level for the cybersecurity program; and (Baudoin: Figs. 2-4, Table-1, ¶5-¶7, ¶18-¶22, i.e., performing assessment on security policies and practices including assets such as software and generating risks and maturity index and based on risk and maturity level, generating a rating level and ¶26-¶27, i.e., defining a goal level for risks and maturity level for a given asset)
wherein the processor is configured to perform operations such that determining the CS&P maturity level for the cybersecurity program determining the current maturity level for the cybersecurity program; and determining a target maturity level for the cybersecurity program. (Baudoin: Figs. 2-4, Table-1, ¶5-¶7, ¶18-¶22, i.e., performing assessment on security policies and practices including assets such as software and generating risks and maturity index and based on risk and maturity level, 

As regards claim 4, Baudoin discloses the computing device of claim 1, wherein the processor is configured to perform operations such that: determining the CS&P framework profile for the cybersecurity program implemented by the organization comprises determining the current risk management level and target risk management level within each of a plurality of core areas, wherein each core area includes an identify core area information structure, a protect core area information structure, a detect core area information structure, a respond core area information structure, and a recover core area information structure; (Baudoin: Figs. 2-4, Table-1, ¶5-¶7, ¶17-¶22, ¶32, risk and maturity levels are calculated for various functional assets within multiple categories and sub categories)
and determining the CS&P maturity level for the cybersecurity program comprises determining the current maturity level and a maturity level within each of the plurality of core areas. (Baudoin: Figs. 2-

As regards claim 5, Baudoin discloses the computing device of claim 1, wherein the processor is configured to perform operations further comprising: using the integrated result to generate recommendations for improvements to the cybersecurity program. (Baudoin: Figs. 2-4, Table-1, ¶5-¶7, ¶17-¶22, ¶32-¶35)

As regards claim 6, Baudoin discloses the computing device of claim 1, wherein the processor is configured to perform operations such that determining the CS&P framework profile for the cybersecurity program implemented by the organization comprises: identifying applicable criteria within each of a plurality of subcategories, wherein the subcategories comprise criteria relevant to risk management; and (Baudoin: Figs. 2-4, Table-1, ¶5-¶7, ¶17-¶22, ¶32, risk and maturity levels are calculated for various functional assets within multiple categories and sub categories) assigning a weight to the identified criteria under the plurality of subcategories. (Baudoin: Figs. 2-4, Table-1, ¶5-¶7, ¶17-¶22, ¶32, risk and maturity levels are calculated for various functional assets within multiple categories and sub categories and assigning a level i.e., weight)

Claims 13-17 recite the same features recited respectively in claims 2-6 above and are rejected based on the aforementioned rationale discussed in the rejection.

As regards claim 9, Baudoin discloses the computing device of claim 1, wherein the processor is configured to perform operations such that determining the CS&P maturity level for the cybersecurity program implemented by the organization comprises: identifying applicable criteria within each of a plurality of subcategories, wherein the plurality of subcategories comprise criteria relevant to maturity of the cybersecurity program, and wherein the subcategories are divided among a plurality of categories. (Baudoin: Figs. 2-4, Table-1, ¶5-¶7, ¶17-¶22, ¶32, risk and maturity levels are calculated for various functional assets within multiple categories and sub categories)

As regards claim 10, Baudoin discloses the method of claim 1, wherein the processor is configured to perform operations further comprising receiving data input from the organization, and the processor is configured to perform operations such that determining the CS&P framework profile for the cybersecurity program implemented by the organization comprises using the received data input from the organization to determine the CS&P framework profile; and determining the CS&P maturity level for the cybersecurity comprises using the received data input from the organization to determine the CS&P maturity level for the cybersecurity. (Baudoin: Figs. 2-4, Table-1, ¶5-¶7, ¶17-¶22, ¶32, ¶34, risk and maturity levels are calculated for various functional 

As regards claim 11, Baudoin discloses the computing device of claim 10, wherein the processor is configured to perform operations such that the received data input includes information comprising at least one of cybersecurity documentation, technical vulnerability assessment results, blue team assessment, red team assessment, penetration testing team results, operational environmental constraints, or targeted interview responses by personnel of the organization. (Baudoin: Figs. 2-4, Table-1, ¶5-¶7, ¶17-¶22, ¶32, ¶34, risk and maturity levels are calculated for various functional assets within multiple categories and sub categories wherein the calculation includes input)

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claim 7-8, 18-19 is/are rejected under 35 U.S.C. 103 as being unpatentable over Baudoin in view of US 20060247957 A1 (hereinafter ‘Gopfert’).

As regards claim 7, Baudoin discloses the computing device of claim 6, wherein the processor is configured to perform operations such that the subcategories are divided among a plurality of categories, (Baudoin: Figs. 2-4, Table-1, ¶5-¶7, ¶17-¶22, ¶32, risk and maturity levels are calculated for various functional assets within multiple categories and sub categories)
Baudoin does not disclose, but in analogous art Gopfert (US 20060247957 A1) discloses: wherein a sum of the weights assigned to the subcategories within each category equals 1. (Gopfert: Figs. 2B, 4B, ¶69-¶70, i.e., sum of weights assigned to subcategories within category of risk is 1 for an application)
Before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to modify Baudoin risk analysis method and system to include applying weights to the categories of risk such that the sum of weights assigned to the subcategories equals 1 as taught by Gopfert with the motivation to perform risk analysis.

As regards claim 8, Baudoin discloses the computing device of claim 7, wherein the processor is configured to perform operations such that determining the CS&P framework profile for the cybersecurity program implemented by the organization comprises: determining a risk management level for each category 
Before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to modify Baudoin risk analysis method and system to include applying weights to the categories of risk such that the sum of weights assigned to the subcategories equals 1 as taught by Gopfert with the motivation to perform risk analysis.

Claims 18-19 recite the same features recited respectively in claims 7-8 above and are rejected based on the aforementioned rationale discussed in the rejection.

Claim Objections
Claim 21 is objected to. The claim recites allowable subject matter: “monitoring technical activities of the organization to collect technical activity information; generating feature vector information structures based on the collected technical activity information; applying the generated feature vector information structures to machine learning models to generate analysis results; and using the generated analysis results to assign risk management level scores in one or more domains, wherein each domain includes: a core area comprising a plurality of categories, a category comprising a plurality of subcategories, and a subcategory” not taught by prior art taken alone or in combination. The claim would be allowable if rewritten in independent form including all of the limitations of the respective base claims and any intervening claims.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SYED A ZAIDI whose telephone number is (571)270-5995. The examiner can normally be reached Monday-Thursday: 5:30AM-5:30PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Nickerson can be reached on (469) 295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/SYED A ZAIDI/Primary Examiner, Art Unit 2432