DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 8/31/2022 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Continuation
This application is a continuation application of US 16/539,075 (filed on Aug. 13, 2019 – now US Patent No. 10,963,572), which is a continuation application of US 15/820,786 (filed on Nov. 22, 2017 – now US Patent No. 10,387,657). The prosecution history and references cited in the above application have been fully considered.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 2-21 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Independent claim 2 recites “an entity” twice. It is unclear if the claim is directed to multiple distinct entities or was intended to refer to a single entity (e.g. “an entity” that deploys “cybersecurity controls” as recited in the preamble). Independent claim 12 also recites “an entity” twice. The remaining claims are similarly rejected as their respective parent claims.

The following is a quotation of 35 U.S.C. 112(d):
(d) REFERENCE IN DEPENDENT FORMS.—Subject to subsection (e), a claim in dependent form shall contain a reference to a claim previously set forth and then specify a further limitation of the subject matter claimed. A claim in dependent form shall be construed to incorporate by reference all the limitations of the claim to which it refers.

The following is a quotation of pre-AIA 35 U.S.C. 112, fourth paragraph:
Subject to the following paragraph [i.e., the fifth paragraph of pre-AIA 35 U.S.C. 112], a claim in dependent form shall contain a reference to a claim previously set forth and then specify a further limitation of the subject matter claimed. A claim in dependent form shall be construed to incorporate by reference all the limitations of the claim to which it refers.

Claims 16-18 are rejected under 35 U.S.C. 112(d) or pre-AIA 35 U.S.C. 112, 4th paragraph, as being of improper dependent form for failing to further limit the subject matter of the claim upon which it depends, or for failing to include all the limitations of the claim upon which it depends. Claim 16 is dependent on the system of claim 12. Claim 12 is not directed to a system. Claims 17 and 18 are dependent on claim 16 and are similarly rejected. Applicant may cancel the claims, amend the claims to place the claims in proper dependent form, rewrite the claims in independent form, or present a sufficient showing that the dependent claims comply with the statutory requirements.

Allowable Subject Matter
Claims 2-21 would be allowable if rewritten or amended to overcome the rejections under 35 U.S.C. 112(b) and 35 U.S.C. 112(d) set forth in this Office action.
The claimed invention is directed to evaluating cybersecurity controls deployed by an entity (e.g. an organization, an enterprise, etc.) to protect assets of a technological infrastructure. This is accomplished by a series of steps including developing a threat profile and evaluating each technology asset of the infrastructure based on the threat profile.
	The most relevant prior art is US 2013/0253979, which is directed to determining an organizational impact score from an aggregate of scenario impact scores. The key business capabilities of a company include an inventory of components corresponding to each capability (a combination of assets and process). These capabilities are assessed against a risk/threat scenario developed upon one or more vulnerabilities of the component under consideration to calculate an impact score. See [0037], [0047]; Fig. 1. However, US 2013/0253979 does not delve into detail regarding the “infrastructure data”, the development of the “threat profile”, and the evaluation of the “performance level of a control environment” from “technology assets” based on the “infrastructure data” as recited in independent claims 2 and 12.
As presented in the following section, there are prior art references that generally disclose various features of the claimed invention, such as risk assessment of an organization’s assets and/or generating threat scenarios or risk profiles. However, the prior art references of record fail to disclose, teach, or suggest each and every element of the claimed invention as a whole.
US 10,181,039: Discloses performing a risk assessment of the likelihood of one or more computing performance and/or computing security failures within an organization, an expected residual risk to the organization given current computing security configurations and/or potential computing security configuration.
US 2017/0346846: Discloses providing a threat-risk assessment to assets of a user within one or more security domains. The assessment includes an in-depth analysis of an organization’s current stats and profiles such as an organization profile, a target/asset profile, and a threat scenario profile.
US 2010/0114634: Discloses a method for information technology and information asset risk assessment of a business relationship between a client and a third party. A relationship risk score is generated from evaluation of a subset of relationship risk factors.
US 2013/0227697: Discloses cyber-attack risk assessment by collecting global cyber-attack data and comparing said data with organizational profile data to obtain a risk score. Improvements to one or more computer defenses are provided to determine their effects on the risk score.
US 2014/0137257: Discloses assessing the risk of one or more assets within an operational technology infrastructure. A process is described to identify and analyze cyber critical assets, cyber vulnerabilities, and cyber threats at the interaction points between information technology and operational technology systems.
US 2014/0173739: Discloses collecting a set of attributes of a particular asset in a computing environment to determine a criticality rating. The criticality rating is used as a criterion to perform certain security activities.
US 2015/0356477: Discloses a collaborative framework to assess and manage an enterprise’s technology risk and controls for mitigating against such risk. Technology risk and control data for a plurality of business assets utilized by an enterprise are used to perform technology risk management and identify control gaps for minimizing risks.
US 2018/0270265: Discloses a method and a system for identifying a plurality of risk categories, evaluating the respective risks, and then providing a qualification of those risks. Data is collected from a wide number of enterprises to identify and assess cybersecurity risk and compared to a benchmark to provide risk assessment analysis.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ROBERT B LEUNG whose telephone number is (571)270-1453. The examiner can normally be reached Mon - Thurs: 10am-7pm ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, JUNG KIM can be reached on 571-272-3804. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/ROBERT B LEUNG/
Primary Examiner, Art Unit 2494
9-22-2022