DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The information disclosure statement (IDS) was submitted on 9/3/2020. The submission is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claims 1-20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Joy et al. (US 20190116200 A1, hereinafter Joy).

Regarding claim 1, Joy discloses a method for placing a workload on one or more resources based on security requirements of the workload, a declared security policy, and security capabilities of the resources, the method comprising: 
determining the security requirements of the workload and the declared security policy (paras. [0017], lines 9-28, workload may include a virtual machine or a software container… controller 105 may receive the provision request 110 over a network connection. A host data retriever 120 is configured to analyze the provision request 110 and identify data within that identifies information about the workload, resources required by the workload and associated parameters of the workload. The provision request 110 may specify a level of security required for the workload or information about the type of service the workload will provide… the level of security required for the workload is predicted based upon a combination of one or more factors such as the type of service the workload will provide, a location or identity of the entity computer 115, or other information included in the provision request 110…; [0018], lines 10-14, Policies that are either specified in the provision request 110 or predicted based upon the level of security required or the type of service of the workload may also be included in the criteria 125. The policies represent hard requirements of the client for hosting the workload; [0021], line 8, security policy of the system; [0023], lines 4-17, government vulnerability bank 165 may include the Common Vulnerabilities and Exposures (CVE) system maintained by the National Cybersecurity Federally Funded Research and Development Center (FFRDC), the National Vulnerability Database, or any other similar source identifying vulnerabilities. The government vulnerability bank 165 analyzes one or more databases of documented vulnerabilities and generates an update 170 of vulnerabilities for the vulnerability data structure 155. For example, the update 170 may specify which vulnerabilities were documented after a last update request from the vulnerability data structure 155, or which vulnerabilities are determined to not be listed in the vulnerability data structure 155…);
searching for and finding a resource that meets the security requirements of the workload and the declared security policy (paras. [0018], lines 15-26, the policies specify geographical limits to where the workload may be hosted... the criteria 125 specifies "NATO members" as acceptable geographical locations within which the workload is to be hosted, in accordance with a need of the client to keep the workload within an area determined to be outside the reach of adversaries. Alternatively, the policies may specify legal requirements to which the workload is to adhere… the criteria 125 specifies that communications sent by the host of the workload are required to meet certain standards, and that the host of the workload is to reject communication with one or more designated entities…; [0019], lines 1-6, The criteria 125 is used to analyze a data center map data structure 130 in order to identify hosts to be considered for the provision request 110. The controller 105 uses the data center map data structure 130 to generate an update request 135 for information about hosts in a data center 140; [0023], lines 4-17); and
deploying the workload onto the resource (para. [0028], lines 1-5, controller 105 generates provision instructions 190 to provide to the data center 140. The provision instructions 190 cause the workload to be provisioned (placed) to the host in the data center 140 selected by the host data analyzer 185.).

Regarding claim 2, Joy discloses the method of claim 1, further comprising: 
upon a lapsing of a timer, re-evaluating the declared security policy and the security requirements against the security capabilities of the resource to determine whether the workload is to continue to run on the resource (paras. [0023], lines 4-17; [0039], lines 1-4 and 28-32, At 230, after a selected time period after the placement of the workload, the selected host (the first host 141) is reanalyzed to calculate the updated threat score, for example at day-2… a determination is made that the first host 141 runs the workload which is determined to have a new vulnerability, in addition to the second workload with software from the product of the first vendor determined to have the first vulnerability…; [0040], lines 1-6, one or more actions performed by the workload are monitored. The reanalyzing the selected host (the first host 141) is performed in response to determining that at least one of the actions are associated with a likelihood of increasing vulnerability, or in response to detecting an anomaly…; [0041], lines 1-8, At 235, in response to determining that the updated threat score of the selected host (the first host 141) exceeds the threshold threat score (e.g., meaning that the first host no longer meets the acceptable minimum security requirements), the workload itself or one or more other workloads are moved from the selected host (the first host 141) to another host from the plurality of hosts that meets the requirements...).

Regarding claim 3, Joy discloses the method of claim 1, further comprising: 
after deploying the workload onto the resource, discovering that the resource does not meet the security requirements of the workload and the declared security policy due to a change in the security requirements of the workload, the declared security policy, or the security capabilities of the resource (paras. [0023], lines 4-17; [0041], lines 1-5); 
determining that a new environment has a resource having security capabilities that meet the security requirements of the workload and the declared security policy (paras. [0023], lines 4-17; [0024], lines 1-4, the government vulnerability bank 165 is selected (for use as described herein) from a set of candidate vulnerability banks based upon the policies or a geographical location associated with the workload…; [0041], lines 1-8); and 
deploying the workload onto the resource in the new environment (paras. [0024], lines 5-9, the government vulnerability bank 165 is selected if a determination is made that the workload is to serve users in the United States, while a European Union government vulnerability bank is selected if a determination is made that the workload is to serve users in Italy…; [0041], lines 18-22, The moving of the workload from the first host 141 to the third host 143 may include sending move instructions that are a variation of the provision instructions 190 to the data center 140, directly to the first host 141, or directly to the third host 143.).

Regarding claim 4, Joy discloses the method of claim 3, wherein the new environment is determined to have the resource having security capabilities that meet the security requirements of the workload and the declared security policy by: 
selecting an environment among a set of available environments (paras. [0024], lines 1-4; [0030], lines 1-5, FIG. 2 illustrates one embodiment of a computer implemented method 200 associated with selecting a host for a workload, such as a virtual machine or a software container, and placing the workload on the selected host, where a plurality of hosts are available for hosting; [0041], lines 1-8);
evaluating the declared security policy and security requirements of the workload against the security capabilities of resources in the selected environment (paras. [0023], lines 4-17; [0024], lines 1-4; [0041], lines 1-8); and 
making the selected environment become the new environment if the evaluation succeeds (paras. [0023], lines 4-17; [0024], lines 5-9; [0041], lines 18-22).

Regarding claim 5, Joy discloses the method of claim 1, wherein the security requirements of the declared security policy override the security requirements of the workload (paras. [0021], line 8, security policy of the system; [0023], lines 4-17; [0039], lines 1-4 and 28-32, selected time period; [0040], lines 1-6; [0041], lines 1-8).

Regarding claim 6, Joy discloses the method of claim 5, wherein the security requirements of the declared security policy are more restrictive than the security requirements of the workload (paras. [0023], lines 4-17; [0039], lines 1-4 and 28-32; [0040], lines 1-6; [0041], lines 1-8).

Regarding claim 7, Joy discloses the method of claim 5, wherein the security requirements of the declared security policy are fewer in number than a number of the security requirements of the workload ([0017], lines 19-28, the level of security required for the workload is predicted based upon a combination of one or more factors such as the type of service the workload will provide, a location or identity of the entity computer 115, or other information included in the provision request 110. For example, a workload hosting a proxy server requires a first level of security, a workload hosting a derivative server requires a second level of security, and a workload hosting a service that processes sensitive information, such as credit card data, requires a third level of security…; [0023], lines 4-17).

Claims 8-13 and 15-20 incorporate substantively all the limitations of claims 1-6 in system (810, 815, Fig. 8; para. [0030], lines 8-9, processor and memory) and non-transitory computer-readable medium forms rather than method form and are rejected under the same rationale.

Claim 14 incorporates substantively all the limitations of claim 7 in system form rather than method form and is rejected under the same rationale.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
See PTO-892 Notice of References Cited.


	
Any inquiry concerning this communication or earlier communications from the examiner should be directed to THORNE E WAUGH whose telephone number is (571)270-0434. The examiner can normally be reached Monday-Friday 9AM-5:30PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, ARIO ETIENNE can be reached on (571)272-4001. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/THORNE E WAUGH/Examiner, Art Unit 2457
/ARIO ETIENNE/Supervisory Patent Examiner, Art Unit 2457