DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 03/10/2022 is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Claim Objections
Claims 7 and 22 contain a minor typo, "the least one evaluation rating metric", which should read "the at least one evaluation rating metric". Appropriate correction is required.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claim 12 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA the applicant, regards as the invention.
Regarding claim 12, lines 5-6, 9, 12-13, 16-17, 20-21 and 24-25 each recite the limitation “at least one evaluation rating metric”. Claim 1 previously introduces “at least one evaluation rating metric” in line 13 and, as a result, the limitation lacks proper antecedent basis.
Claim 13 is further rejected because the terms “an evaluation viewpoint of the at least one evaluation viewpoint” and “an evaluation perspective of the least one evaluation perspective” are each recited twice, which makes it unclear which element the limitation refers to.
Claims 27 and 28 are rejected for the same reasons discussed for claims 12-13 above.


Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.

Claims 1-6, 14-21 and 29-30 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Bennett et al. (Pub. No.: US 2010/0275263, hereinafter Bennett).
Regarding claim 1: Bennett discloses a method comprising:
determining, by an analysis system that includes one or more computing entities, a system aspect of an enterprise system for a protection evaluation (Bennett - [0087]: In the controls analysis step the user selects any number of security assessments (i.e., assessment projects) from the assessment module to include in the risk analysis);
determining, by the analysis system, at least one evaluation perspective for use in performing the protection evaluation on the system aspect (Bennett - [0088]: This control analysis step establishes the scope of the risk analysis);
determining, by the analysis system, at least one evaluation viewpoint for use in performing the protection evaluation on the system aspect (Bennett - [0088]: the relationship between the assets involved, the involved assets' classification, and the assessment control scores related to the involved assets);
obtaining, by the analysis system, protection data regarding the system aspect in accordance with the at least one evaluation perspective and the at least one evaluation viewpoint (Bennett - [0089]: In the vulnerability analysis step, the user selects a set of technical scans from a list of technical scans. In a specific implementation, the system displays the technical scans associated with the involved or selected assets); and
calculating, by the analysis system, a protection rating as a measure of protection maturity for the system aspect based on the protection data, the at least one evaluation perspective, the at least one evaluation viewpoint, and at least one evaluation rating metric (Bennett - [0092]: in the likelihood determination step, the system maps the assessment results (e.g., assessment of controls based on CoBIT or other standards) against the severity of the technical scans (e.g., Qualys vulnerabilities) to determine a likelihood score or measurement. [0091]: Likelihood is defined as the probability of an event or occurrence (e.g., the probability of an adverse event)). 
Regarding claim 2: Bennett discloses wherein the determining the system aspect comprises:
determining at least one system element of the enterprise system (Bennett - [0079]: Input or collection of asset information);
determining at least one system criteria of the enterprise system (Bennett - [0125]: parameters that can be edited include … regulatory requirements, threats, activities, and the like);
determining at least one system mode of the enterprise system (Bennett - [0086]: For example, the user can select any number of specific business units, subnets, assets, or combinations of these to include in a risk analysis); and
determining the system aspect based on the at least one system element, the at least one system criteria, and the at least one system mode (Bennett - [0086]: The user can select a subset of information from the asset module to include in the risk analysis. For example, the user can select any number of specific business units, subnets, assets, or combinations of these to include in a risk analysis).
Regarding claim 3: Bennett discloses further comprises:
a system element of the at least one system element includes an enterprise identifier, an organization identifier, a division identifier, a department identifier, a group identifier, a sub-group identifier, a device identifier, a software identifier, or an internet protocol address identifier (Bennett - [0075]: an asset is defined by identifying its host name, IP address, location (e.g., geographical location), asset type, business unit);
a system criteria of the at least one system criteria being system guidelines, system requirements, system design, system build, or resulting system (Bennett - [0125]: parameters that can be edited include … regulatory requirements, threats, activities, and the like); and
a system mode of the at least one system mode being assets, system functions, or security functions (Bennett - [0086]: For example, the user can select any number of specific business units, subnets, assets, or combinations of these to include in a risk analysis).
Regarding claim 4: Bennett discloses further comprises:
an evaluation perspective of the at least one evaluation perspective being an understanding perspective, an implementation perspective, an operation perspective, or a self-analysis perspective (Bennett - [0088]: This control analysis step establishes the scope of the risk analysis).
Regarding claim 5: Bennett discloses further comprises:
an evaluation viewpoint of the at least one evaluation viewpoint being a disclosed viewpoint, a discovered viewpoint, or a desired viewpoint (Bennett - [0088]: the relationship between the assets involved, the involved assets' classification, and the assessment control scores related to the involved assets).
Regarding claim 6: Bennett discloses further comprises:
an evaluation rating metric of the at least one evaluation rating metric being a process rating metric, a policy rating metric, a procedure rating metric, a certification rating, a documentation rating metric, or an automation rating metric (Bennett - [0100]: Metrics includes tools to gather the business metrics (e.g., cost, time spent) and security metrics (e.g., number of vulnerabilities, risk calculations) from the asset. See also [0101]).
Regarding claim 14: Bennett discloses further comprises at least one of:
determining, by the analysis system, a system criteria deficiency of the system aspect based on the protection rating and the protection data;
determining, by the analysis system, a system mode deficiency of the system aspect based on the protection rating and the protection data;
determining, by the analysis system, an evaluation perspective deficiency of the system aspect based on the protection rating and the protection data; and
determining, by the analysis system, an evaluation viewpoint deficiency of the system aspect based on the protection rating and the protection data (Bennett - [0119]: the likelihood is determined based on a vulnerability scan. The vulnerability scan is used to detect potential vulnerabilities of the server).
Regarding claims 16-21 and 29: Claims are directed to computer readable medium claims and do not teach or further define over the limitations recited in claims 1-6 and 14. Therefore, claims 16-21 and 29 are also rejected for similar reasons set forth in claims 1-6 and 14. 

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 15 and 30 are rejected under 35 U.S.C. 103 as being unpatentable over Bennett et al. (Pub. No.: US 2010/0275263, hereinafter Bennett) in view of Ramasamy et al. (Pub. No.: US 2021/0173935).
Regarding claim 1: Bennett discloses further comprises:
determining, by the analysis system, a deficiency of the system aspect based on the protection rating and the protection data (Bennett - [0098]: In the risk determination step, the system determines the risk score per asset and averages them by business unit for an overall risk ranking. The risk score is calculated by multiplying the likelihood and impact scores (i.e., risk=impact×likelihood). Thus, risk is measured with respect to the impact of an event and the likelihood of the event);
However, Bennett does not explicitly teach, but Ramasamy discloses:
determining, by the analysis system, whether the deficiency is auto-correctable (Ramasamy - [0036]: the auto correction engine 102 may analyze scan results 116 for a container image 111 and update the image 111 based on the scan results 116); and
when the deficiency is auto-correctable, auto-correcting, by the analysis system, the deficiency (Ramasamy - [0036]: That initial container 113 may be modified to rectify security vulnerabilities 112 identified in the scan results 116).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Bennett with Ramasamy so that security vulnerabilities are auto-corrected when the result is analyzed. The modification would have allowed the system to enhance security.

Allowable Subject Matter
Claims 7-13 and 22-28 are objected to as being dependent upon a rejected base claim, but would be allowable if the 112(b) rejections set forth in this Office action are overcome and if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Park et al. (Pub. No.: US 2017/0331839) - CYBER-SECURITY PRESENCE MONITORING AND ASSESSMENT
Norrman et al. (Patent No.: US 10,592,938) - System And Methods For Vulnerability Assessment And Provisioning Of Related Services And Products For Efficient Risk Suppression
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MENG LI whose telephone number is (571) 272-8729. The examiner can normally be reached on M-F 8:30-5:30.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s acting supervisor, Kristine Kincaid, can be reached on (571) 272-4063. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8729.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/MENG LI/
Primary Examiner, Art Unit 2437