Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
The response of 04/20/22 was received and considered.
Claims 1-20 are presented for examination.

Response to Arguments
Applicant's arguments and amendments, filed 4/20/22, with respect to claims 4, 13 and 17-20, have been fully considered and are persuasive. The rejection of claims 4, 13 and 17-20 has been withdrawn.
As per claims 1 and 14, Applicant's arguments filed 4/20/22 have been fully considered but they are not persuasive. Applicant argues that Ross lacks, or does not expressly disclose, the limitations of claim 14, in particular the limitation of "send, through an interface, the selected configuration instructions to the IT components of the IT stack to configure the IT components of the IT stack with respective security controls corresponding to the selected configuration instructions." The examiner respectfully disagrees. Ross teaches, in Figure 4 and paragraphs 0082-0085, identifying the technology stacks at block 402 and identifying technical security standards at block 404, wherein the technical security standards include configuration standards and technical guidance (see also paragraph 0070). Figure 6 and paragraph 0094 teach sending security policy updates, including addition or removal of the technology stacks 100, and prompting the customers to implement the updates at block 604.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1-3, 5-12 and 14-16 are rejected under 35 U.S.C. 102(a)(1)/(a)(2) as being anticipated by Ross et al., US 2018/0121658.

Regarding claim 1, Ross discloses a non-transitory machine-readable storage medium comprising instructions that upon execution cause a system to: 
receive input information relating to a security level for an information technology (IT) stack comprising a plurality of layers including a hardware layer and a software layer (Paragraph 0019: receiving, by a processor, data corresponding to one or more technology stacks), wherein the input information is technology and product agnostic (0066: The overall system may be technology agnostic); 
discover components of the plurality of layers of the IT stack (0011: identify a plurality of components for each of the technology stacks by utilizing functional point analysis); 
access a knowledge base that maps the security level and the discovered components to configuration instructions relating to security controls (Fig 3, 310: identify corresponding technical security standards.  0008: access one or more security standards in a data store connected to the processor, at least one of the security standards corresponding to at least one of the technology stacks; and determine a cyber risk score based on the data and the at least one of the security standards); and
configure the IT stack with the security controls using the configuration instructions (0011: categorize each of the components for each of the technology stacks into a plurality of severity categories. 0054: any suitable technical security standards may be employed, such as, for example, Security Technical Implementation Guides (STIGs).); the configuring of the IT stack comprising sending the configuration instructions to the components of the IT stack (Figure 6 and paragraph 0094 teach sending security policy updates, including addition or removal of the technology stacks 100, and prompting the customers to implement the updates at block 604.).

Regarding claim 2, Ross discloses the non-transitory machine-readable storage medium of claim 1, wherein the security level associated with the input information comprises a user security specification (0050: a cyber insurance underwriter may first ask prospective clients to complete an information security assessment that covers all IT equipment as well as company IT policies and practices.).

Regarding claim 3, Ross discloses the non-transitory machine-readable storage medium of claim 1, wherein the security level associated with the input information comprises a security service level agreement (SLA) (0079: an auditor 220 from audit management 218 reviews the audit checklist, and identifies a needed or desired level of audit at block 324, after which the auditor 220 contacts the customer 202 to set up and perform the audit at block 326 for customer data validation. Feedback from the audit may be further utilized for updating the cyber risk scores and hazard classes, if desired or necessary.).
Regarding claim 5, Ross discloses the non-transitory machine-readable storage medium of claim 1, wherein the components of the plurality of layers of the IT stack comprise a hardware component, and the configuring of the IT stack comprises configuring the hardware component (0050: Basic forms of IT equipment may be what is herein referred to as technology stacks, which are a set of software and hardware that provides the infrastructure for a computer or computer-related equipment.).

Regarding claim 6, Ross discloses the non-transitory machine-readable storage medium of claim 1, wherein the security controls are selected from among a login configuration, a password configuration, a cipher configuration, a security alert configuration, a peripheral device connection configuration, or a remote console session encryption configuration (fig. 3, Customer 202 is then prompted to log in to the clearing house 208 to complete a web questionnaire 210 at block 306).

Regarding claim 7, Ross discloses the non-transitory machine-readable storage medium of claim 1, wherein the plurality of layers of the IT stack further comprise a firmware layer, and wherein the components comprise a firmware component of the firmware layer, and the configuring of the IT stack comprises configuring the firmware component (0097-0098: a computing device may be implemented via firmware (e.g. an application-specific integrated circuit), hardware, or a combination of software, firmware, and hardware.).

Regarding claim 8, Ross discloses the non-transitory machine-readable storage medium of claim 1, wherein the input information further comprises information relating to compliance specifications for the IT stack, and wherein the knowledge base maps the security level, the information relating to the compliance specifications, and the discovered components to the configuration instructions relating to the security controls (0085: A comprehensible list of STIGs may be found in the Unified Compliance).
Regarding claim 9, Ross discloses the non-transitory machine-readable storage medium of claim 1, wherein the input information further comprises information relating to an industry vertical of the IT stack, and wherein the knowledge base maps the security level, the information relating to the industry vertical of the IT stack, and the discovered components to the configuration instructions relating to the security controls (0054: STIGs are configuration standards for Department of Defense Information Assurance (DOD IA) and IA-enabled devices and systems, which are provided by the Defense Information Systems Agency (DISA). STIGs provide suitable technical standards for diminishing cyber risks of each technology stack, and may provide valuable information for generation of cyber risk scores. Cyber Security Technical Implementation Guides (CSTIGs) are modifications of the STIGs to better address non-DOD IA areas.).

Regarding claim 10, Ross discloses the non-transitory machine-readable storage medium of claim 1, wherein the input information further comprises information relating to an asset sensitivity classification of the IT stack, and wherein the knowledge base maps the security level, the information relating to an asset sensitivity classification, and the discovered components to the configuration instructions relating to the security controls (0090: FPA is a structured technique of classifying components of a system, that is used to break systems into smaller components for better analysis and understanding. CATs may be determined from the aforementioned list of CSTIGs.).

Regarding claim 11, Ross discloses the non-transitory machine-readable storage medium of claim 1, wherein the configuration instructions are to be provided through an interface to the components of the plurality of layers of the IT stack (FIG. 1, a hardware layer 108 on the client side 104 may include, for example, mobile devices and computers for enabling access to an interface layer 110, which may include applications and browsers, among other elements. For example, some layers for running elements in the interface layer 110 on the client side 104 may include a structure layer 112, a style layer 114, and a behavior layer 116.).

Regarding claim 12, Ross discloses the non-transitory machine-readable storage medium of claim 1, wherein the instructions that upon execution cause the system to: update the knowledge base in response to information selected from among: information pertaining to support of a new or updated product, updated threat intelligence information, an updated vulnerability landscape, an updated security feature enhancement, or an updated compliance specification (0070: connected to a suitable technical security standards database 214, which may include technical security standards for each corresponding technology stack 100, and which may be kept updated (e.g., continuously updated). These technical security standards may be employed for the generation of a cyber risk score and hazard classes. FIG. 6 is a flow diagram of a cyber risk updating method, according to an embodiment.).

Regarding claim 14, Ross discloses a system comprising: a processor; and a non-transitory storage medium storing instructions executable on the processor to:
receive input information relating to a security level for an information technology (IT) stack (Paragraph 0019: receiving, by a processor, data corresponding to one or more technology stacks),  comprising a plurality of layers including a hardware layer and a software layer, wherein the input information is technology and product agnostic (0066: The overall system may be technology agnostic); discover IT components of the plurality of layers of the IT stack (0011: identify a plurality of components for each of the technology stacks by utilizing functional point analysis); 
search, based on the input information and the discovered IT components, a knowledge base that maps different security levels for respective IT components to configuration instructions relating to security controls (Fig 3, 310: identify corresponding technical security standards. 0008: access one or more security standards in a data store connected to the processor, at least one of the security standards corresponding to at least one of the technology stacks; and determine a cyber risk score based on the data and the at least one of the security standards);
wherein the search provides selected configuration instructions retrieved from the knowledge base (0011: categorize each of the components for each of the technology stacks into a plurality of severity categories. 0054: any suitable technical security standards may be employed, such as, for example, Security Technical Implementation Guides (STIGs)); and
send, through an interface, the selected configuration instructions to the components of the IT stack to configure the IT components of the IT stack with respective security controls corresponding to the selected configuration instructions (0070: The customer 202 may sign up for a cyber risk assessment offered by the cyber insurance agent 204, and the customer 202 may complete a clearing house web questionnaire 210 through a suitable computer interface 212 that is connected to internet 106, in order to determine applicable technology stacks 100 for the customer 202. Figure 6 and paragraph 0094 teach sending security policy updates, including addition or removal of the technology stacks 100, and prompting the customers to implement the updates at block 604.).

Regarding claim 15, Ross discloses the system of claim 14, wherein the selected configuration instructions are sent through the interface to a hardware component and a software component (0100: FIG. 8A, the computing device 1500 may also include a storage device 1528, a removable media interface 1516, a network interface 1518, an input/output (I/O) controller 1523, one or more display devices 1530c, a keyboard 1530a and a pointing device 1530b, such as a mouse. The storage device 1528 may include, without limitation, storage for an operating system and software.).

Regarding claim 16, Ross discloses the system of claim 15, wherein the IT stack further comprises a firmware layer, and wherein the selected configuration instructions are further sent through the interface to a firmware component (0097-0098: a computing device may be implemented via firmware (e.g. an application-specific integrated circuit), hardware, or a combination of software, firmware, and hardware.).

Allowable Subject Matter
Claims 19 and 20 are allowed.
Claims 4, 13, 17 and 18 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
US 2019/0363929 to Andreoli et al. teaches reconfiguring a consolidated information technology stack in order to ensure that the changes do not affect achieved levels of security, availability, and performance [0022].
WO 2013/019241 teaches that service providers have implemented service management stacks based on the Information Technology Infrastructure Library (ITIL), covering security management, service level agreements, configuration management, capacity management, event management, and continuity management.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to AUBREY H WYSZYNSKI whose telephone number is (571)272-8155. The examiner can normally be reached M-F 9-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, KAMBIZ ZAND can be reached on 571-272-3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/AUBREY H WYSZYNSKI/Examiner, Art Unit 2434
/KAMBIZ ZAND/Supervisory Patent Examiner, Art Unit 2434