Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Applicant’s Response
	In Applicant’s Response, Applicant amended claims 1, 7-10, and 12, argued against all the rejections put forth in the Final Office Action dated 18 March 2022, and filed an Affidavit under 37 CFR 1.132.
Based on the amendments to the claims, the rejection of claims 7-10 under 35 U.S.C. 112(b) previously put forth has been withdrawn. 
Based on the amendments to the claims and the arguments presented in Applicant’s Remarks, the rejections of claims 1-13 under 35 U.S.C. 103 previously put forth have been withdrawn. 
The affidavit under 37 CFR 1.132 filed 10 June 2022 has been considered but is moot based upon the current rejection under 35 U.S.C. 112(a).

Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA  35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claims 1-13 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA), first paragraph, as failing to comply with the written description requirement. The claims contain subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA 35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention.

Regarding claim 1, claim 1 recites a computer driven method of managing Information Security Program maturity regarding a cybersecurity data collection, the method comprising: presenting a form aligned with industry standard frame works; addressing both technical and administrative controls which apply to a system, inclusive of all devices within the system; storing a plurality of stakeholder responses in a database; allowing the submission of new form elements; dynamically adjusting the maturity of client profiles and displaying the aggregated average comparatively to the user in real time for both technical and administrative controls holistically and also independently; establishing a maturity baseline for the client profile; aggregating a maturity score; consolidating cybersecurity maturity data in a graphical format to establish a threshold baseline for legal negligence; limiting access to results created from storing said stakeholder responses and allowing said new form elements and adjusting said client profiles to a limited number of authorized viewers; providing anonymous aggregate data metrics visible to each user profile; ingesting data from an Exposure Engine (303) to calculate cybersecurity standard of care; displaying the standard of care in real time to at least one user of the predetermined set of viewing users.
Appl. No. 16/396,954 - Reply to Office Action of March 18, 2022
The specification [0007] discloses the principal object of the present invention is to provide a method of more effectively managing and displaying an Information Security Management System (ISMS), or Cybersecurity Framework, by an application executing on a computer device for computing and displaying real time dynamic metrics and market comparison for the User. The method includes authenticated and authorized User to conduct security assessments based on industry accepted standards in order to establish a plurality of metric baselines dynamically and in real time. The method further includes authenticated and authorized Stakeholders to anonymously rank investments projects submitted by an authorized group of Users against organizational goals and simulate the impact to the current ISMS, or Cybersecurity Framework, baselines. The method further includes the ability to provide financial visibility into the financial exposure of a Security Breach, or Data exfiltration and other available financial metrics. The method further includes a platform by which companies may obtain Virtual CISO's services on a full-time, part-time, project, or consultative basis from a pool of experienced executive level resources in support of implementing a more effective ISMS, or Cybersecurity Framework. All client data is encrypted at rest and in motion utilizing industry accepted encryption implementations such as TLS for Data-In-Motion and TDE for Data-At-Rest.
The specification [0008] discloses another important objective of the present invention is to provide executive and board level communication regarding the organizations security posture through contextualizing the security baselines in a business context.
The specification [0009] discloses another significant aspect of the present invention is to provide organizations dynamic and real time visibility to security program utilizing real time market exchange data.  
The specification [0011] discloses another significant aspect of the present invention is to provide dynamic and real time simulation modeling of data requests for a particular organization against the organizational baselines and industry peers.
The specification [0012] discloses another significant aspect of the present invention is to address the executive level Cybersecurity skills shortage through the use of a virtual pool of experienced resources.
The specification [0027] discloses a system and method for dynamically presenting an ISMS for a particular organization and the potential exposure of a Security Breach, or Data Leakage, while comparing it to like organizations. A User 101 of the Context Platform 105 is exercising a common principle of due care and establishing maturity baseline for their respective organization. The baseline input is generated using an anonymous questionnaire sent to the assigned stakeholders. The stakeholder input is then automatically scored utilizing an open industry standard for communicating baselines. For example, the CMMI scale could be used in the case of maturity. The results are then anonymously aggregated into a database which can be used to develop additional metrics for comparison with the organizations existing baseline. The maturity score will be displayed in a graph and made available for transfer to other communication formats (e.g. Microsoft PowerPoint) for Viewing Users. Users will also be able to submit new questions for consideration within the data request. If the question is viewed to be relevant, the Security Provider will publish the singular question to all the Users allowing the Users data request engine 301 to remain aligned with industry standards and peer organizations. The data request database 304 will continuously be updated as clients are onboarded and the organizational relative to peers will be updated dynamically in real time. The User will be able to identify if they are aligned with their peers in dynamically over time. Additional financial metrics will be provided in combination with the baseline information and the client profile data provided. For example, the budget to employee ratio which will also be compared against peer organizations, and so forth.
Inventor: Jorge Conde-Berrocal; Assignee: V3Cybersecurity, Inc.; Atty. Doc. No. 5545t.001

The specification [0028] discloses The User will also be able to utilize the roadmap function to organize and develop the most effective investment strategy for the particular organization. The implementation of the program management method will allow the User to gather input from all levels of the authorized organization and allow them to be submitted over the network. The submitted project will be evaluated by designated stakeholders against the organization's critical objectives. Once the projects are ranked, the order ranked projects that are within the organizations resource constraints can be further evaluated. These projects can then be submitted for review by the maturity stakeholders and submitted into the Data Request engine 301 to provide simulated maturity scores. This will allow the User to avoid stakeholder bias and better understand the impact analysis of the project on the organization as a whole. The simulation score will be displayed in a graph and made available for transfer to other communication formats (e.g. Microsoft PowerPoint) for Viewing Users. 
The specification [0029] discloses that the User will be able to utilize the Exposure Engine 303 and their company profile to, in real time and dynamically, view the average financial exposure that peer organizations that have experienced Security Breaches, or Data Leakage have endured. The exposure value along with the maturity and company profile will allow the User to obtain a baseline score for the organization allowing for better understanding of the organizations Security posture and that of the organization's peers. As more organizations are added and more breaches researched, the value of the information will continue to provide stronger insight into the Users organization security posture. Given the lack of skills at the executive level within the Security domain and the number of underserved organizations, there will also be a Virtual CISO Interface 202 in which organizations may view profiles of CISOs and match their need to the respective profiles. This will allow organizations to contract increments of time from vetted Security executives to assist with their Security Program, or to help apply the Context platform 105. 
The specification [0060] discloses that FIG. 7 is a flow diagram of a model process for setting up a client within the Security Provider 104 for services. The user 101 described in 7.a is a company representative authorized to procure services from the Security Provider 104 on behalf of the purchasing organization. Upon receipt of purchase the Security Provider will provide entitlement 7.b to the User organization and send the user 101 the Security Provider Entitlement Notification 7.d. The Security Provider will complete client profile 7.e and submit the configuration through the client interface 200. Once entitlement is issued, the Security Provider will create the user and permissions 7.f. The new user 101 and the Security Provider 104 will be notified of the new entitlement and user creation. The user 101 will have access to maintain certain parameters within the Client Profile Database 203 and setup additional users 101, viewing users 101a, and stakeholder users 101b for the entitled account.
The specification appears to generally disclose a method of managing and displaying an ISMS, or Cybersecurity Framework, and “industry accepted standards” to “establish a plurality of metric baselines” and “simulate the impact to the current ISMS, or Cybersecurity Framework, baselines” ([0007]).  The specification appears to generally disclose presenting a form aligned with industry standard frameworks, storing responses, allowing the submission of new form elements, establishing a maturity baseline, aggregating a maturity score, and a user “exercising a common principle of due care and establishing maturity baseline for their respective organization” and scoring stakeholder input “utilizing an open industry standard for communication” ([0027]).  The specification appears to generally disclose adjusting profiles and displaying an aggregated average comparatively to the user in real time (see [0029]).  The specification appears to generally disclose limiting access to results ([0060]).
However, the specification does not disclose a computer driven method of managing Information Security Program maturity regarding a cybersecurity data collection, the method comprising: presenting a form aligned with industry standard frame works; addressing both technical and administrative controls which apply to a system, inclusive of all devices within the system; storing a plurality of stakeholder responses in a database; allowing the submission of new form elements; dynamically adjusting the maturity of client profiles and displaying the aggregated average comparatively to the user in real time for both technical and administrative controls holistically and also independently; establishing a maturity baseline for the client profile; aggregating a maturity score; consolidating cybersecurity maturity data in a graphical format to establish a threshold baseline for legal negligence; limiting access to results created from storing said stakeholder responses and allowing said new form elements and adjusting said client profiles to a limited number of authorized viewers; providing anonymous aggregate data metrics visible to each user profile; ingesting data from an Exposure Engine (303) to calculate cybersecurity standard of care; displaying the standard of care in real time to at least one user of the predetermined set of viewing users.

Regarding claims 2-13, claims 2-13 are also rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as being dependent on parent claims failing to comply with the written description requirement.

Claims 1-13 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the enablement requirement.  The claim(s) contains subject matter which was not described in the specification in such a way as to enable one skilled in the art to which it pertains, or with which it is most nearly connected, to make and/or use the invention. 
As discussed above with respect to the written description requirements, the specification appears to generally disclose “industry accepted standards” to “establish a plurality of metric baselines” and “simulate the impact to the current ISMS, or Cybersecurity Framework, baselines” ([0007]).  The specification appears to generally disclose a user “exercising a common principle of due care and establishing maturity baseline for their respective organization” and scoring stakeholder input “utilizing an open industry standard for communication” ([0027]).  However, the specification does not disclose every limitation of claim 1, specifically: addressing both technical and administrative controls which apply to a system, inclusive of all devices within the system; dynamically adjusting the maturity of client profiles and displaying the aggregated average comparatively to the user in real time for both technical and administrative controls holistically and also independently; consolidating cybersecurity maturity data in a graphical format to establish a threshold baseline for legal negligence; ingesting data from an Exposure Engine (303) to calculate cybersecurity standard of care; and displaying the standard of care in real time to at least one user of the predetermined set of viewing users (Claim 1).
There are many factors to be considered when determining whether there is sufficient evidence to support a determination that a disclosure does not satisfy the enablement requirement and whether any necessary experimentation is "undue" (see MPEP 2164.01(a)).  Examiner has considered each of these factors:
(A) The breadth of the claims - With respect to the breadth of a claim, the relevant concern is whether the scope of enablement provided to one skilled in the art by the disclosure is commensurate with the scope of protection sought by the claims.  Claim 1 comprises a computer driven method of managing Information Security Program maturity regarding a cybersecurity data collection, the method comprising: presenting a form aligned with industry standard frame works; addressing both technical and administrative controls which apply to a system, inclusive of all devices within the system; storing a plurality of stakeholder responses in a database; allowing the submission of new form elements; dynamically adjusting the maturity of client profiles and displaying the aggregated average comparatively to the user in real time for both technical and administrative controls holistically and also independently; establishing a maturity baseline for the client profile; aggregating a maturity score; consolidating cybersecurity maturity data in a graphical format to establish a threshold baseline for legal negligence; limiting access to results created from storing said stakeholder responses and allowing said new form elements and adjusting said client profiles to a limited number of authorized viewers; providing anonymous aggregate data metrics visible to each user profile; ingesting data from an Exposure Engine (303) to calculate cybersecurity standard of care; displaying the standard of care in real time to at least one user of the predetermined set of viewing users.  As discussed above, the specification fails to disclose the claimed method in such a manner that one of ordinary skill in the art could make and use the entire scope of the claimed invention without undue experimentation (see MPEP 2164.08).
(B) The nature of the invention and (C) The state of the prior art - Whether the specification would have been enabling as of the filing date involves consideration of the nature of the invention, the state of the prior art, and the level of skill in the art.  Information published for the first time after the filing date generally cannot be used to show what was known at the time of filing.  A prior art search was performed and applicant’s state of the prior art considered (see instant specification [0002-0006]).  Based on the nature of the invention and the state of the prior art, the specification would not have been enabling as of the filing date (see MPEP 2164.05(a)).
(D) The level of one of ordinary skill – The specification must be enabling to persons skilled in the art.  The specification is enabling if it enables those skilled in the art, to carry out the aspect proper to their specialty.  As discussed above, the specification fails to disclose the claimed method in such a manner that one of ordinary skill in the art could make and use the entire scope of the claimed invention without undue experimentation (see MPEP 2164.05(b)).
(E) The level of predictability in the art and (F) The amount of direction provided by the inventor - The amount of guidance or direction needed to enable the invention is inversely related to the amount of knowledge in the state of the art as well as the predictability in the art.  The law requires an enabling disclosure for nascent technology because a person of ordinary skill in the art has little or no knowledge independent from the patentee’s instruction.  The "predictability or lack thereof" in the art refers to the ability of one skilled in the art to extrapolate the disclosed or known results to the claimed invention.  The specification does not provide guidance on how to perform the claimed method.  The amount of direction provided by the inventor and the level of predictability in the art are not such that one of ordinary skill in the art could make and use the entire scope of the claimed invention without undue experimentation (see MPEP 2164.03).
(G) The existence of working examples – Working examples were not provided in the specification.
(H) The quantity of experimentation needed to make or use the invention based on the content of the disclosure – Applicant has not provided a disclosure regarding a computer driven method of managing Information Security Program maturity regarding a cybersecurity data collection, the method comprising: presenting a form aligned with industry standard frame works; addressing both technical and administrative controls which apply to a system, inclusive of all devices within the system; storing a plurality of stakeholder responses in a database; allowing the submission of new form elements; dynamically adjusting the maturity of client profiles and displaying the aggregated average comparatively to the user in real time for both technical and administrative controls holistically and also independently; establishing a maturity baseline for the client profile; aggregating a maturity score; consolidating cybersecurity maturity data in a graphical format to establish a threshold baseline for legal negligence; limiting access to results created from storing said stakeholder responses and allowing said new form elements and adjusting said client profiles to a limited number of authorized viewers; providing anonymous aggregate data metrics visible to each user profile; ingesting data from an Exposure Engine (303) to calculate cybersecurity standard of care; displaying the standard of care in real time to at least one user of the predetermined set of viewing users.  More than routine experimentation would be required of one skilled in the art to generate such a program.  The specification does not enable one of ordinary skill in the art to make and use the claimed invention without resorting to undue experimentation (see MPEP 2164.06).

Based on the evidence regarding each of the above factors, the specification, at the time the application was filed, would not have taught one skilled in the art how to make and/or use the full scope of the claimed invention without undue experimentation (see MPEP 2164.01(a)).  

Regarding claims 2-13, claims 2-13 are also rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA), first paragraph, as being dependent on parent claims failing to comply with the enablement requirement.

Response to Arguments
Applicant’s arguments have been considered but are moot in light of the current rejection under 35 U.S.C. 112(a).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. O’Reilly, Padraic, U.S. Patent Publication Number 2018/0167414 A1 discloses a method for scoring one or more cybersecurity controls using baseline scores to allow an organization to compare its system risk profile against other organization profiles in their or another sector (see Abstract, [0024]).
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ASHLEY M. FORTINO whose telephone number is (571)272-7470. The examiner can normally be reached M-F 8a-5p.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jennifer Welch can be reached on (571)272-7212. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/Ashley M Fortino/               Examiner, Art Unit 2143
/JENNIFER N WELCH/               Supervisory Patent Examiner, Art Unit 2143