DETAILED ACTION
Claims 1-20 are presented on 01/15/2021 for examination on merits. Claims 1, 9, and 17 are independent base claims.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Examiner's Instructions for filing Response to this Office Action
When the Applicant submits amendments regarding the claims in response to the Office Action, the Examiner would prefer that Applicant submit two sets of claims:
Set #1 that includes indicators for the status of claim and all marked amendments to the claims; and 
Set #2 comprising a clean version of the claims with all the markups removed for entry, as an appendix to the Applicant Arguments/Remarks or a section following the Remarks.

Information Disclosure Statement
The information disclosure statement(s) (IDS) submitted for examination on merits is/are in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement(s) is/are being considered by the examiner. See the annotated 1449 documents.

Claim Objections
Claims 2, 8, and 16 are objected to because of the following informalities: 
Claim 2 has an extra period at the end of claim.
Claim 16 contains a misspelled word “viding” which appears to be “providing” for the clause “when [pro]viding the overall security score for presentation to a user.”
Claims 8 and 16 each recite the limitation “when [pro]viding the overall security score for presentation to a user.”  Because “a user” has been defined in the independent claims 1 and 9, respectively, this limitation should have been “when [pro]viding the overall security score for presentation to the user.”
Appropriate correction is required.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.


In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Bajaj (US 20200097869 A1) in view of Hoffman (US 20030074206 A1).

As per claim 1, Bajaj teaches a method, comprising: 
determining, by one or more computing devices, weights for techniques of a cyber security framework based on historical industry impact (Bajaj, par. 0099 and 0118: assigned risk weight values 908 to calculate risk; For example, recommended weights may be created by cross-factoring a particular customer and its required parts, relevant groups to that customer, the product sector of that customer, … historical data within a predetermined timeframe (such as one year)); 
obtaining, by the one or more computing devices, customer risk data for the enterprise network (Bajaj, par. 0107-0109: risk attribute module may be collected from the network via customers and suppliers); 
normalizing, by the one or more computing devices, the customer risk data to form normalized risk scores (Bajaj, par. 0099: Next, scores for each assembly for a customer are added up and then divided by the number of assemblies to determine a risk attribute score for the customer. FIG. 9 shows that six attributes are weighted by a weighting algorithm at 36%, 19%, 9%, 19%, 19%, and 0%, respectively, … for calculation of the risk attribute score; par. 0100-0101); 
mapping, by the one or more computing devices, the customer risk data to corresponding techniques in the cyber security framework (Bajaj, par. 0104: the SCM platform 307 to generate a heat map to visualize risk attribute scores and their impact; par. 0116: a mapping of what attributes of the supply chain); 
generating, by the one or more computing devices, technique scores based on the mapping and the normalized risk scores (Bajaj, par. 0114-0116: each category may be scored, as may be each attribute within each category to contribute to the category score, and these scores may be weighted, such as in relation to the stated goals and objectives of a user; Thereby, using the disclosed attribute-based risk, a user may be provided with a mapping of what attributes of the supply chain are causing different aspects of a risk score and/or a total risk score; see also par. 0105: the heat map may color code boxes to reflect risk attribute scores; Note that Bajaj’s category scores are mapped to the technique scores as they are directed to the category of the parts having the impact on demand of the parts; par. 0114 and 0147-0148); 
generating, by the one or more computing devices, weighted technique scores using some of the weights selected based on the industry identifier (Bajaj, FIG. 10 shows how to generate category scores, which are mapped to the weighted technique scores; par. 0114: [generating] … the category score, and these scores may be weighted such as in relation to the stated goals and objectives of a user); 
calculating, by the one or more computing devices, an overall security score for the enterprise network based on the weighted technique scores (Bajaj, par. 0122: determining … the overall risk score, the risk score per category; par. 0139-0140: weighting assigned to category scores for determining overall scores); 
identifying a corrective recommendation for the overall security score (Bajaj, par. 0122: making of recommendations for optimization, as discussed throughout. More specifically, within each attribute particular part or parts may be scored against the overall risk model. Thereby, sensitivity to a particular part or parts of the risk model may be assessed); and 
providing, by the one or more computing devices, the overall security score and the corrective recommendation for presentation to a user (Bajaj, FIG. 16A shows informational items or scores, such as an actual data score for that attribute in relation to a supply chain aspect, such as a risk score that may be indicative of the risk imparted to the overall product by the risk stemming from that aspect, and/or such as a weighting given to that attribute in an overall risk profile. par. 0139-0140).
However, Bajaj does not explicitly disclose that an enterprise network is associated with an industry identifier.  This aspect of the claim is identified as a difference.
In a related art, Hoffman discloses:
associating, by the one or more computing devices, an enterprise network with an industry identifier (Hoffman, par. 0567: Each of the stores, distributors and suppliers is assigned an identifier in operation 5734. When a request (which includes an identifier); par. 0806: Each of the supply chain participants is assigned with an identifier in operation 7134); 
Bajaj and Hoffman are analogous art, because they are in a similar field of endeavor in improving management of security risks.  Thus, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Bajaj’s system with Hoffman’s teaching on industry identifiers assigned to an enterprise network. For this combination, the motivation would have been to improve the traceability of the goods and parts of Bajaj’s system.

As per claim 2, the references as combined above teach the method of claim 1, wherein the mapping includes associating the customer risk data with multiple attack techniques in the cyber security framework (Bajaj, par. 0104-0105: generate a heat map to visualize risk attribute scores and their impact). [[.]]

As per claim 3, the references as combined above teach the method of claim 1, further comprising: 
calculating category security scores from the weighted technique scores (Bajaj, par. 0115-0117: analyzing/determining … the risk score per category with weighting; par. 0099: After multiplying a score in each category by the associated weight, scores for each part on an end product or assembly may be added up and divided by the number of parts to determine a risk attribute score for each assembly).

As per claim 4, the references as combined above teach the method of claim 1, further comprising: 
storing, in a memory, a generic mapping of customer risk data to the cyber security framework (Bajaj, par. 0116: attribute-based risk, a user may be provided with a mapping of what attributes of the supply chain are causing different aspects of a risk score and/or a total risk score. Thereby, those particular attributes may be addressed, remedial action taken by the user.  Bajaj discloses the framework on which a risk attribute value is based for [analysis of] various different risk categories of the supply chain); and 
storing, prior to obtaining the customer risk data, the weights associated with different industry [identifiers] (Bajaj, par. 0099: each category by the associated weight; par. 0115: categories, attributes, or the like [are associated with] risk profiles of competitors, presence in a particular industry).
However, Bajaj does not explicitly disclose an industry identifier.  
In the combination discussed above, Hoffman discloses an industry identifier (Hoffman, par. 0567: Each of the stores, distributors and suppliers is assigned an identifier in operation 5734. When a request (which includes an identifier); par. 0806: Each of the supply chain participants is assigned with an identifier in operation 7134); 
Hoffman is combined with Bajaj for the same rationale as that for claim 1.

As per claim 5, the references as combined above teach the method of claim 1, wherein normalizing the customer risk data comprises: 
storing settings for converting individual vendor security ratings to a uniform numerical scale (Bajaj, par. 0118: risk rating of other sources or competitors…may be cross-factoring and comparable suggesting in a uniform numerical scale); 
receiving multiple security ratings for the enterprise network, wherein the multiple security ratings include a rating based on an outside-in data view and a rating based on an inside-out data view (Bajaj, par. 0118: [the risk rating/modeling] uses historical data …internal and external to the supply chain… within a predetermined timeframe (such as one year), assessed impact of events external to the supply chain to typical users of the same or similar parts, and the like. This accumulated information may then be employed to create an ever-changing comparative rule set within the rules engine 1707 that blends experiential knowledge and statistical analysis with performance feedback of the level of correctness of prior outputs.); and 
matching each of the multiple security ratings to a uniform numerical scale (Bajaj, par. 0152: risk attribute score standard deviation … for uniform score matching).

As per claim 6, the references as combined above teach the method of claim 1, wherein determining the weights for the techniques of the cyber security framework comprises: 
evaluating historical contributions of different industry environments to successful attack techniques (Bajaj, par. 0067: analysis of extended historical data of similar or related supply chains); and 
assigning industry weight values, based on the historical contributions, to each of the techniques of the cyber security framework (Bajaj, par. 0118: recommended weights may be created by cross-factoring a particular customer … with historical data within a predetermined timeframe (such as one year)).

As per claim 7, the references as combined above teach the method of claim 1, wherein mapping the customer risk data further comprises: 
matching, prior to receiving the customer risk data for the enterprise network, general features of the customer risk data to the corresponding techniques in the cyber security framework (Bajaj, par. 0092: certain features and processes described herein are based on a “plan-do-check-act” (PDCA) methodology, which means that risks are evaluated prior to receiving the customer risk data; par. 0145: the four summary risk features presented in FIG. 21, suggesting that they are the general features of the customer risk data to the corresponding techniques).

As per claim 8, the references as combined above teach the method of claim 1, wherein providing the overall security score for presentation to a user further comprises: providing category sub-scores for the overall security score (Bajaj, par. 0121-0123: each attribute particular part or parts may be scored against the overall risk model. Thereby, sensitivity to a particular part or parts of the risk model may be assessed. Upon assessment of this sensitivity to a particular part or parts, recommendations may be provided to the user as to how to lower the overall risk score, the risk score per category, or the risk score per attribute; par. 0153: FIG. 32 illustrates a risk attribute part detail report … in connection with FIG. 11, providing] part detail analytics (e.g., site, part, part description, commodity), commercial analytics (e.g., spend leverage) component analytics (e.g., alternative sourcing, lead time, part change risk, part manufacturing risk), supplier performance (e.g., defects per million, inventory performance), and a total risk attribute score. See par. 0064 and 0104-0106 for the display of multiple variables, such as revenues and risk).

As per claim 9, it is directed to one or more computing devices, comprising one or more processors configured to perform the same steps as those of claim 1.  For the same reasons as discussed above in claim 1, claim 9 is rejected.

As per claim 10, the references as combined above teach the one or more computing devices of claim 9, wherein, providing the overall security score, the one or more processors are further configured to: 
generate a graphical user interface that includes a presentation of the overall security score (Bajaj, par. 0140: in the case of FIG. 16A, [displayed] is a risk score of 4.2 on a 1 to 5 scale, which is the overall risk score; par. 0122).

As per claim 11, the references as combined above teach the one or more computing devices of claim 9, wherein the one or more processors are further configured to: 
calculate category security scores from the weighted technique scores (Bajaj, par. 0115-0117: analyzing/determining … the risk score per category with weighting; par. 0099: After multiplying a score in each category by the associated weight, scores for each part on an end product or assembly may be added up and divided by the number of parts to determine a risk attribute score for each assembly).

As per claim 12, the references as combined above teach the one or more computing devices of claim 9, wherein the one or more processors are further configured to: 
store, in a memory, multiple different weights for techniques in the cyber security framework (Bajaj, par. 0143: having preassigned weights by the rules engine, which means storing multiple different weights for each category of techniques. The storing of weights is inherent in computer art); and 
select, from the different weights, the some of the weights based on the industry identifier (Bajaj, par. 0099: FIG. 9 illustrates … assigned risk weight values 908 to calculate risk; multiplying a score in each category by the associated weight; see also par. 0118: recommended weights may be created).  Hoffman as discussed above discloses the aspect of using industry identifier and therefore combined with Bajaj for the teaching for the same rationale discussed above in claim 1.

As per claim 13, the references as combined above teach the one or more computing devices of claim 9, wherein, normalizing the customer risk data, the one or more processors are further configured to: 
receive multiple security ratings for the enterprise network, wherein the multiple security ratings include a rating based on an outside-in data view and a rating based on an inside-out data view (Bajaj, par. 0102: configure the system to enable or suggest other manufacturers as suppliers which will lower the risk attribute score by diversifying the supply base. Bajaj also discloses the risk score calculation from the perspective of the user/enterprise, which is mapped to the inside-out data view; par. 0099-0101).

As per claim 14, the references as combined above teach the one or more computing devices of claim 13, wherein the multiple security ratings include a rating based on culture and processes associated with the enterprise network (Bajaj, par. 0135-0136: the user may request that the analytics engine provide to the user a list of part providers that are capable of hitting the modified service level (as a desire), such that the design risk score may be modified to that desired by the user.  Here the customer’s desire for a certain modification is interpreted as culture-and-process-based needs).

As per claim 15, the references as combined above teach the one or more computing devices of claim 9, wherein, when mapping the customer risk data, the one or more processors are further configured to: 
generate, prior to receiving the customer risk data for the enterprise network, a table matching general features of the customer risk data to the corresponding techniques in the cyber security framework (Bajaj, FIG. 10 shows a table generated as a report that break[s] out each category score so that a user may see where, and to what extent, risk exists, and potential courses of action that may be taken to lessen the risk, which is prior to receiving the customer risk data; par. 0102-0103).

As per claim 16, the references as combined above teach the one or more computing devices of claim 9, wherein, when [pro]viding the overall security score for presentation to a user, the one or more processors are further configured to: 
provide category sub-scores of the overall security score (Bajaj, par. 0121-0123: each attribute particular part or parts may be scored …[based on] the risk score per attribute; par. 0153: FIG. 32 illustrates a risk attribute part detail report … in connection with FIG. 11, providing] part details on category risk scores as sub-scores of the overall security score).

As per claim 17, it is directed to a non-transitory computer-readable medium containing instructions executable by at least one processor, the computer-readable medium comprising one or more instructions to cause the at least one processor to perform the same steps as those of claim 1.  Therefore, claim 17 is rejected for the same reasons as discussed above in claim 1.

As per claim 18, the references as combined above teach the non-transitory computer-readable medium of claim 17, wherein the instructions to providing the overall security score further comprise instructions to cause the at least one processor to: 
generate a graphical user interface that includes a presentation of the overall security score (Bajaj, par. 0140: in the case of FIG. 16A, [displayed] is a risk score of 4.2 on a 1 to 5 scale, which is the overall risk score; par. 0122).

As per claim 19, the references as combined above teach the non-transitory computer-readable medium of claim 17, further comprising instructions to cause the at least one processor to: 
calculate category security scores from the weighted technique scores (Bajaj, par. 0115-0117: analyzing/determining … the risk score per category with weighting; par. 0099: After multiplying a score in each category by the associated weight, scores for each part on an end product or assembly may be added up and divided by the number of parts to determine a risk attribute score for each assembly).

As per claim 20, the references as combined above teach the non-transitory computer-readable medium of claim 17, further comprising instructions to cause the at least one processor to: 
store the weights (Bajaj, par. 0099: each category by the associated weight; par. 0115: categories [associated with] risk profiles of competitors. It is noted that the storing of weights is inherent in computer art); and 
select, from the weights, the some of the weights based on the industry identifier (Bajaj, par. 0099: FIG. 9 illustrates … assigned risk weight values 908 to calculate risk; multiplying a score in each category by the associated weight, which is selected; see also par. 0118: recommended weights may be created).  Hoffman further discloses the industry identifier (par. 0567 and 0806) which is combined with Bajaj for the same rationale as that for claim 1.




Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure as the prior art additionally discloses certain parts of the claim features (See “PTO-892 Notice of Reference Cited”).
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DON ZHAO whose telephone number is (571)272.9953.  The examiner can normally be reached on Monday to Friday, 7:30 A.M to 5:00 P.M EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl G Colin can be reached on 571.272.3862.  The fax phone number for the organization where this application or proceeding is assigned is 571.273.8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866.217.9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800.786.9199 (IN USA OR CANADA) or 571.272.1000.


/Don G Zhao/
Primary Examiner, Art Unit 2493
07/29/2022