Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
DETAILED ACTION
Claims 1-20 are presented for examination.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1-6, 11-20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Garrett et al. US Patent Application Publication Number 2021/0194929, hereinafter Garrett.
Referring to claim 1, Garrett discloses a system (figure 1) for conducting automatic security assessments to determine security compliance for one or more applications (abstract), the system comprising:
one or more processors (figure 5, processors 512) configured to: 
receive one or more security requirements from at least one Security Technical Implementation Guide (STIG) (page 7 [0053] step 410, security rule/requirement can be obtained from STIG); 
identify one or more applications to undergo a security assessment to determine compliance with the one or more security requirements received (page 5 [0040], software applications are identified for compliance evaluations); 
generate a script based on the one or more security requirements and the one or more applications identified, wherein the script comprises commands for conducting an automatic security assessment of the one or more applications (page 5 [0039], scripts that include commands for compliance evaluation are generated from STIG);
automatically conduct the security assessment on the one or more applications identified utilizing the script generated (page 5 [0039], assessments are conducted in order to generate a report indicating whether the configurations for the applications 122a-c comply with STIG);
determine whether the one or more applications satisfy the one or more security requirements received (page 1 [0011], page 5 [0039], assessments are conducted to generate a report indicating whether the configurations for the applications 122a-c comply with STIG); and
generate a report indicating whether the one or more applications assessed satisfy the one or more security requirements received (page 1 [0011], page 5 [0039], compliance reports are generated).
Referring to claim 2, Garrett discloses the system of claim 1, wherein the report generated comprises evidence that the one or more applications satisfied the one or more security requirements received (page 1 [0011], page 5 [0039], page 7 [0056], indication of evaluation result in report is viewed as evidence that the one or more applications satisfied the one or more security requirements received).
Referring to claim 3, Garrett discloses the system of claim 1, wherein the report generated comprises evidence that one or more applications did not satisfy the one or more security requirements received (page 1 [0011], page 5 [0039], report indicating whether the configurations comply with STIG).
Referring to claim 4, Garrett discloses the system of claim 3, wherein the system generates a resolution to remediate the one or more applications that do not satisfy the one or more security requirements (page 7 [0058], configuration settings of system components determined to be out of compliance can be updated to comply with STIG standards directed to the system components is viewed as a resolution to remediate the one or more applications that do not satisfy the one or more security requirements).
Referring to claim 5, Garrett discloses the system of claim 4, wherein the system conducts at least one additional security assessment to determine whether the resolution resulted in the one or more applications satisfying the one or more security requirements (page 7 [0058], configurations implementation package to update configuration for compliance is viewed as conducts at least one additional security assessment to determine whether the resolution resulted in the one or more applications satisfying the one or more security requirements).
Referring to claim 6, Garrett discloses the system of claim 1, wherein the at least one STIG comprises security requirements mandated by a Defense Information Security Agency (DISA) (page 2 [0017], DISA).
Referring to claim 11, Garrett discloses a method for conducting automatic security assessments to determine security compliance for one or more applications (abstract), the method comprising:
receiving one or more security requirements from at least one Security Technical Implementation Guide (STIG) (page 7 [0053] step 410, security rule/requirement can be obtained from STIG); 
identifying one or more applications to undergo a security assessment to determine compliance with the one or more security requirements received (page 5 [0040], software applications are identified for compliance evaluations);
generating a script based on the one or more security requirements and the one or more applications identified, wherein the script comprises commands for conducting an automatic security assessment of the one or more applications (page 5 [0039], scripts that include commands for compliance evaluation are generated from STIG);
automatically conducting the security assessment on the one or more applications identified utilizing the script generated (page 5 [0039], assessments are conducted in order to generate a report indicating whether the configurations for the applications 122a-c comply with STIG);
determining whether the one or more applications satisfy the one or more security requirements received (page 1 [0011], page 5 [0039], assessments are conducted to generate a report indicating whether the configurations for the applications 122a-c comply with STIG); and
generating a report indicating whether the one or more applications assessed satisfy the one or more security requirements received (page 1 [0011], page 5 [0039], compliance reports are generated).
Referring to claim 12, Garrett discloses the method of claim 11, wherein the report is generated in a government approved file format (page 2 [0018], the various formats disclosed could be a government approved file format).
Referring to claim 13, Garrett discloses the method of claim 11, further comprising storing the report generated in a database (page 6 [044], report back to server 130).
Referring to claim 14, Garrett discloses the method of claim 11, wherein the report generated includes one or more files that provide evidence that the one or more applications satisfied the one or more security requirements received (page 1 [0011], page 5 [0039], page 7 [0056]).
Referring to claim 15, Garrett discloses the method of claim 11, wherein the report generated includes one or more files that provide evidence that the one or more applications is not compliant with the one or more security requirements received (page 1 [0011], page 5 [0039]).
Referring to claim 16, Garrett discloses the method of claim 15, further comprising remediating one or more problems that resulted in non-compliance with the one or more security requirements received (page 7 [0058], configuration settings of system components determined to be out of compliance can be updated to comply with STIG standards directed to the system components is viewed as a resolution to remediate the one or more applications that do not satisfy the one or more security requirements).
Referring to claims 17-20, the claims encompass the same scope of the invention as that of claims 1-4. Therefore, claims 17-20 are rejected on the same ground as claims 1-4.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over Garrett in view of Turner, US Patent Number 8,764,454, hereinafter Turner.
Referring to claim 7, Garrett discloses the system of claim, Garrett does not explicitly disclose further conduct manual assessments of one or more applications.
Turner discloses that an additional activity of manual assessment can be used after automated assessment using artificial intelligence (Col 12 lines 42-49).
It would have been obvious to a person with ordinary skill in the art before the effective filing date of the invention to incorporate the idea of manual assessment after automated assessment of Turner into Garrett, because Garrett discloses a computing system that performs an automatic assessment on computer data and Turner suggests that additional manual assessment for computer data can be included.
A person with ordinary skill in the art would have been motivated to make the modification to Garrett to enhance and improve the assessment result by providing flexible means for assessment activities.
Claims 8-10 are rejected under 35 U.S.C. 103 as being unpatentable over Garrett in view of Olson et al., US Patent Publication Number 2015/0244734, hereinafter Olson.
Referring to claim 8, Garrett discloses the system of claim 1. Garrett discloses that the report is transmitted back to the STIG compliance service associated with DISA for review (page 2 [0017], page 6 [0044]). Garrett does not explicitly disclose the report is generated in XML.
Olson discloses a security system that includes reports that include vulnerability identifiers (page 5 [0052]), and wherein the report generated is an XML data file (page 5 [0051]).
It would have been obvious to a person with ordinary skill in the art before the effective filing date of the invention to incorporate the XML report including vulnerability identifiers of Olson into Garrett because Garrett discloses a system to generate a security compliance report in order to reduce vulnerability and Olson suggests a report in XML to identify a detected vulnerability.
A person with ordinary skill in the art would have been motivated to make the modification to Garrett to enhance the report and data management as suggested by Olson.
Referring to claims 9 and 10, Garrett discloses the system of claim 1. Garrett does not explicitly disclose identification of one or more vulnerabilities within the one or more applications identified, wherein each of the one or more vulnerabilities identified undergoes the security assessment, and wherein the one or more vulnerabilities identified within the one or more applications identified for the security assessment is assigned a vulnerability ID.
Olson discloses a security system that includes reports that include vulnerability identifiers (page 5 [0052]), and wherein the report generated is an XML data file (page 5 [0051]).
It would have been obvious to a person with ordinary skill in the art before the effective filing date of the invention to incorporate the XML report including vulnerability identifiers of Olson into Garrett because Garrett discloses a system to generate a security compliance report in order to reduce vulnerability and Olson suggests a report in XML to identify a detected vulnerability.
A person with ordinary skill in the art would have been motivated to make the modification to Garrett to enhance the report and data management as suggested by Olson.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.  Applicant is reminded that in amending in response to a rejection of claims, the patentable novelty must be clearly shown in view of the state of the art disclosed by the references cited and the objection made.  Applicant must show how the amendments avoid such references and objections.  See 37 CFR 1.111(c).
Any inquiry concerning this communication or earlier communications from the examiner should be directed to LIANGCHE A WANG whose telephone number is (571)272-3992.  The examiner can normally be reached on M-F 10:00am to 6:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joon H Hwang, can be reached on 571-272-4036. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





Liang-che Alex Wang 
May 11, 2022

/LIANG CHE A WANG/Primary Examiner, Art Unit 2447