Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
This office action is in response to communication filed 4/3/2020. Claims 1-20 are currently pending and claims 1, 13, and 19 are the independent claims.

Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is invoked. 
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. 
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
This application includes one or more claim limitations that use the word “means,” and are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph.  Such claim limitation(s) is/are: “…means for producing management priority data…”, “…means for producing technical assessment data…”, and “…means for evaluating the management priority data and the technical assessment data to produce...” in claim 19, and “…means for automatically performing the at least one recommended configuration change…” in claim 20.
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claim 17 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
As per claim 17, it recites “…including wedges showing relative levels of implementation for each MIL level in the domain.” Examiner is unclear as to what is meant by “relative” levels, as “relative” levels is a relative term which renders the claim indefinite. Examiner would also like to point out that the acronym “MIL” is used without previously defining what “MIL” stands for. For the purpose of examination, the examiner will consider these limitations to be “…including wedges showing levels of implementation for each level of maturity in the domain.”


Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1, 3-7, 10, 12-13, and 15-19 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. 
As per independent claim 1, it recites “A method comprising: with a computer: producing management priority data indicating a respective prescribed maturity level for a plurality of enumerated domains in a computing environment; producing technical assessment data indicating an expected maturity level for each of the plurality of domains in the computing environment; and evaluating the management priority data and the technical assessment data to produce at least one recommended configuration change to modify the computing environment, the recommended configuration change being selected to reduce susceptibility of the computing environment to at least one vulnerability.”
The limitations “producing management priority data indicating a respective prescribed maturity level for a plurality of enumerated domains in a computing environment; producing technical assessment data indicating an expected maturity level for each of the plurality of domains in the computing environment; and evaluating the management priority data and the technical assessment data to produce at least one recommended configuration change to modify the computing environment, the recommended configuration change being selected to reduce susceptibility of the computing environment to at least one vulnerability” is a process that, under its broadest reasonable interpretation, covers performance of the limitations in the mind but for the recitation of generic computer components. That is, other than reciting “with a computer,” nothing in the claim element precludes the step from practically being performed in the mind. For example, but for the “by a computer“ language, a user/human may manually/with pen and paper/mentally/etc. determine/produce/receive/obtain/observe/etc. a maturity level/data indicating a prescribed maturity level for domains in a computing environment, decide/determine an expected/desired/etc. maturity level/obtain/receive/etc. data indicating an expected/desired/decided/etc. maturity level/etc., and evaluate/analyze/judge/etc. the received/obtained/produced/observed/etc. data to determine/decide/recommend/etc. configuration changes/modifications/etc. to the computing environment that are intended to reduce susceptibility to vulnerabilities. If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in the mind/with pen and paper/etc. but for the recitation of generic computer components, then it falls within the “Mental Processes” grouping of abstract ideas. Accordingly, the claim recites an abstract idea.
This judicial exception is not integrated into a practical application. In particular, the claim recites the additional limitation of “with a computer” specifying that a generic/high level computer component is used to perform the abstract idea/mental process, and as such it amounts to no more than mere instructions to apply the exception using a generic computer component. Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. The claim is directed to an abstract idea.
The claim(s) does/do not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional element of “with a computer” clarifying that a computer is used to perform the abstract idea/mental process amounts to no more than mere instructions to apply the exception using a generic computer component. Mere instructions to apply an exception using a generic computer component cannot provide an inventive concept. The claim is not patent eligible.
As per claim 3, it incorporates the deficiencies of claim 1 upon which it depends, and further recites “…producing management priority data indicating a respective anticipated maturity level for a plurality of enumerated domains in a computing environment”, which, conceptually, provides further clarification as to the data being produced/observed/obtained/etc. and analyzed/judged/evaluated/etc. during the performance of the abstract idea/mental process, and as such fails to correct the deficiencies of claim 1. Therefore claim 3 is rejected for the same reasoning as claim 1, above.
As per claim 4, it incorporates the deficiencies of claim 1 upon which it depends, and further recites “…with the computer, providing a user interface to display a representation of at least one of the enumerated domains and a user interface control to receive user input selecting a respective prescribed maturity level for a corresponding enumerated domain” which, conceptually, provides further clarification as to outputting the result/recommendation/etc. of the abstract idea/mental process, and as such is an extra solution activity to the mental process/abstract idea, and therefore fails to correct the deficiencies of claim 1. Therefore claim 3 is rejected for the same reasoning as claim 1, above.
As per claim 5, it incorporates the deficiencies of claim 1 upon which it depends, and further recites “…with a user interface, displaying an indicator of maturity level for each of the plurality of domains”, which, conceptually is an extra activity to the mental process/abstract idea clarifying that the produced/observed/obtained/etc. data is output/displayed/etc., and therefore fails to correct the deficiencies of claim 1. Therefore claim 5 is rejected for the same reasoning as claim 1, above.
As per claim 6, it incorporates the deficiencies of claim 1 upon which it depends, and further recites “…with a user interface, displaying an indicator of maturity level for each of the plurality of domains, at least one of the displayed indicators including a display of two or more maturity criteria for its respective expected maturity level” which, conceptually is an extra activity to the mental process/abstract idea clarifying that the produced/observed/obtained/etc. data is output/displayed/etc., and therefore fails to correct the deficiencies of claim 1. Therefore claim 6 is rejected for the same reasoning as claim 1, above.
As per claim 7, it incorporates the deficiencies of claim 1 upon which it depends, and further recites “…with the computer, providing a user interface to display a representation of at least one of the enumerated domains and to display an indicator of a remediation operation selected based on a respective expected maturity level for a corresponding enumerated domain” which, conceptually provides further clarification as to outputting the result/recommendation/etc. of the abstract idea/mental process, and as such is an extra solution activity to the mental process/abstract idea, and therefore fails to correct the deficiencies of claim 1. Therefore claim 7 is rejected for the same reasoning as claim 1, above.
As per claim 10, it incorporates the deficiencies of claim 1 upon which it depends, and further recites “…wherein: the plurality of enumerated domains comprises at least two of: a background and foundation domain specifying development criteria for at least one of: developer training, developer certification, requirements gathering, vendor security, or development tools; a design domain specifying development criteria for at least one of: security, computer language selection, testability, maintainability, software and/or firmware design, failure mode analysis, human factors, hardware design, or system design; a build domain specifying development criteria for at least one of: hardware build, software and/or firmware build, supply change, or change control; a test domain specifying development criteria for at least one of: hardware unit test or software unit test; an integration domain specifying development criteria for computing and/or software modules comprising at least one of: integration; test; factory acceptance testing; factory configuration, or transmission of computer-executable instructions; a deployment domain specifying development criteria for at least one of: end-user configuration, documentation, site acceptance testing, or end-user training; or a lifecycle domain specifying development criteria for at least one of: operations, maintenance, or disposal” which, conceptually, provides further clarification as to the data being produced/observed/obtained/etc. and analyzed/judged/evaluated/etc. during the performance of the abstract idea/mental process, and as such fails to correct the deficiencies of claim 1. Therefore claim 10 is rejected for the same reasoning as claim 1, above.
	As per claim 12, it recites one or more computer-readable storage devices having similar limitations to claim 1, and is therefore rejected for the same reasoning as claim 1, above. 
	As per claims 13 and 15, they recite apparatuses having similar limitations to claims 1 and 4, respectively, and are therefore rejected for the same reasoning as claims 1 and 4, above. 
As per claim 16, it incorporates the deficiencies of claim 13 upon which it depends, and further recites “…wherein the computer-readable storage devices or memory further comprise instructions that cause the processor to provide a user interface using the display, the user interface comprising: a table representation of the enumerated domains and prescribed levels of maturity associated with the enumerated domains; wherein for each pair of the enumerated domains and the prescribed levels of maturity, a graphic indicator indicating the actual level of maturity associated with the respective pair”, which, conceptually, is an extra activity to the mental process/abstract idea clarifying that the produced/observed/obtained/etc. data is output/displayed/etc., and therefore fails to correct the deficiencies of claim 13. Therefore claim 16 is rejected for the same reasoning as claim 13, above.
As per claim 17, it incorporates the deficiencies of claim 13 upon which it depends, and further recites “…wherein the graphic indicator is a pie graph including a numerical display of actual levels of maturity and a sum of the actual levels of maturity for the respective pair” which, conceptually, is an extra activity to the mental process/abstract idea clarifying the display/output/etc. of the produced/observed/obtained/etc. data, and therefore fails to correct the deficiencies of claim 13. Therefore claim 17 is rejected for the same reasoning as claim 13, above.
As per claim 18, it incorporates the deficiencies of claim 13 upon which it depends, and further recites “…where the graphic indicator further comprises a pie summary display including maturity levels for plural domains, including wedges showing relative levels of implementation for each MIL level in the domain” which, conceptually, is an extra activity to the mental process/abstract idea clarifying the display/output/etc. of the produced/observed/obtained/etc. data, and therefore fails to correct the deficiencies of claim 13. Therefore claim 18 is rejected for the same reasoning as claim 13, above.
As per claim 19, it recites a computer system having similar limitations to claim 1 and is therefore rejected for the same reasoning as claim 1. 

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1-10, 12-16, and 19-20 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Sweeney et al. (herein called Sweeney) (US Patent 11,212,316 B2).

As per claim 1, Sweeney anticipates: a method comprising: with a computer:
	producing management priority data indicating a respective prescribed maturity level for a plurality of enumerated domains in a computing environment (col. 4 lines 50-55, col. 12 lines 10-15, col. 23 lines 4-8, col. 25 lines 40-46, environment comprises a plurality of assets associated with plurality of network domains and maturity score/compliance score/security score/etc. is calculated (produce management data indicating prescribed maturity level) for each security control for each network domain/asset from a plurality of network domains configured for the IT environment,  (maturity level/maturity score/management priority data indicating prescribed maturity level/etc. is produced/calculated/etc. for plurality of enumerated domains/assets/etc. in computing environment/plurality of network domains/assets in IT environment).); 
producing technical assessment data indicating an expected maturity level for each of the plurality of domains in the computing environment (col. 32 line 40-col. 33 line 40, maturity assessment is monitored for changes in maturity score/maturity level on overall maturity or domain level/specific domain/organizational unit specific/etc. maturity (each of the plurality of domains in the computing environment), and alert/notification/etc. is generated when maturity/control maturity/etc. falls below predetermined threshold (expected maturity level) and is sent to users that recommends changes to improve maturity assessment/level/score. As the alert/notification notifies user that maturity level falls below predetermined threshold level/expected maturity level, and the maturity level is calculated/monitored/etc. on an overall or domain specific level, the alert/notification/etc. is technical assessment data that indicates an expected maturity level/threshold maturity level/etc. for each of the plurality of domains in the computing/IT environment.); and 
evaluating the management priority data and the technical assessment data to produce at least one recommended configuration change to modify the computing environment (col. 10 lines 55-col. 11 line 5, col. 32 line 40-col. 33 line 55, maturity assessment/level/management priority data indicating maturity level/etc. is monitored for changes in maturity score/maturity level on overall maturity or domain level/specific domain/organizational unit specific/etc. maturity, alert/notification/etc. is generated when maturity/control maturity/etc. falls below predetermined threshold, and in response to alert/notification being generated/sent/etc. when the maturity level falls below threshold/expected level security configuration is analyzed in relation to compliance and maturity requirements and recommendations of changes to existing security/addition of new security infrastructure/etc. to decrease risk/improve security resilience/improve maturity assessment/etc. are made which may include reconfiguring/changing firewall, adding security infrastructure, changing security policy, enhancing/adding controls, etc., and changes are initiated based on the calculated maturity, the generated alert, the generated recommendation, etc. As the recommendations include changes to existing security infrastructure/adding new security infrastructure/reconfiguring firewalls/enhancing/adding controls/changing security policy/etc., the recommended changes are configuration changes to modify the computing environment/IT environment; and as the changes are recommended in response to the alert/notification being generated and sent to user when monitored maturity level of domains falls below threshold and the changes are initiated based on the calculated maturity/the generated alert/the generated recommendation/etc., the recommended changes are produced as a result of evaluating/determining/monitoring/in response to/based on/etc. the management priority data/calculated maturity level/maturity score/etc. and the technical assessment data/threshold score/alert/notification that maturity level is below threshold/expected level/etc.), 
the recommended configuration change being selected to reduce susceptibility of the computing environment to at least one vulnerability (col. 6 lines 60-67, col. 8 lines 30-40, col. 9 lines 1-25, col. 10 lines 55-col. 33 lines 20-40, IT environment security prevent network intrusion/as anti-virus protection, scans for vulnerabilities, authenticates users/etc. (prevents/reduces susceptibility of IT environment/computing environment to vulnerabilities), and changes/recommendations/etc. are initiated/implemented (select recommended configuration) to decrease risk and improve security resilience of IT environment (reduce susceptibility of computing environment to at least one vulnerability/risk/etc.).).

As per claim 2, Sweeney further anticipates: performing an operation in the computing environment to implement the recommended configuration change (col. 6 lines 30-35, col. 33 lines 5-50, actions are initiated to change IT/computer environment (perform an operation in computing environment) based on generated recommendation such as reconfiguring security policy/firewall/settings/etc. (to implement recommended configuration change).).

As per claim 3, Sweeney further anticipates: producing management priority data indicating a respective anticipated maturity level for a plurality of enumerated domains in a computing environment (col. 32 line 40-col. 33 line 40, alert/notification/etc. is generated when maturity/control maturity/etc. of specific domains/overall level/etc. falls below predetermined threshold (anticipated maturity level) and is sent to users that recommends changes to improve maturity assessment/level/score. As a threshold/predetermined/etc. maturity level is specified and is used to determine when to send alert/notification/etc., the threshold/predetermined maturity level is an anticipated/expected/required/etc. maturity level, and as the alert/notification is generated/sent to user when maturity level of domains/overall maturity level/etc. falls below predetermined threshold level/anticipated/expected/required maturity level, it is management priority data/data/notification/etc. that indicates an anticipated/required/expected/etc. maturity level/threshold maturity level/etc. for each of the plurality of domains in the computing/IT environment.).

As per claim 4, Sweeney further anticipates: with the computer, providing a user interface to display a representation of at least one of the enumerated domains and a user interface control to receive user input selecting a respective prescribed maturity level for a corresponding enumerated domain. (col. 4 lines 50-55, col. 6 lines 3-20, col. 9 lines 55-60, col. 10 lines 60-67, col. 30 lines 35-col 31 line 60, col. 33 lines 55-col. 34 line 25, assets of IT environment are network domains (enumerated domains) and graphic user interface/GUI may display reports, maturity matrix, etc. and cells in maturity matrix may correspond to assets/enumerated domains (display representation of at least one of the enumerated domains), cells in maturity matrix indicate status/maturity level/etc. of the cell/asset/domain, and user may provide input/select cell/etc. causing GUI to display plurality of statuses corresponding to security controls mapped to that cell/network asset/domain/etc. (user interface control to receive user input selecting prescribed maturity level/cell in maturity matrix indicating status/maturity level for corresponding enumerated domain/asset/domain/etc.).)

As per claim 5, Sweeney further anticipates: with a user interface, displaying an indicator of maturity level for each of the plurality of domains (col. 6 lines 3-20, col. 10 lines 50-col. 11 line 5, col. 30 lines 35-67, col. 31 lines 50-col. 32 lines 25, col 33 lines 55-col. 34 line 25, maturity reports/maturity matrix/etc. provides indication of maturity of assets/domains/each of plurality of domains and are displayed/rendered on GUI (display indicator of maturity level for domains).).

As per claim 6, Sweeney further anticipates: with a user interface, displaying an indicator of maturity level for each of the plurality of domains (col. 6 lines 3-20, col. 10 lines 50-col. 11 line 5, col. 30 lines 35-67, col. 31 lines 50-col. 32 lines 25, col 33 lines 55-col. 34 line 25, maturity reports/maturity matrix/etc. provides indication of maturity of assets/domains/each of plurality of domains and are displayed/rendered on GUI (display indicator of maturity level for domains).), 
at least one of the displayed indicators including a display of two or more maturity criteria for its respective expected maturity level. (col. 31 lines 15-col. 32 line 30, col. 33 line 55-col. 34 line 25, maturity matrix displayed in GUI displays indication of status/maturity level/etc. of asset/domain, and cells of maturity matrix includes statuses of a plurality of security controls classified to the asset/domain which are shown/displayed when user selects the cell/asset (display includes display of two or more/plurality of/etc. maturity criteria/security controls/etc. for its respective maturity level/indicated status of asset/domain/etc.).).

As per claim 7, Sweeney further anticipates: with the computer, providing a user interface to display a representation of at least one of the enumerated domains and to display an indicator of a remediation operation selected based on a respective expected maturity level for a corresponding enumerated domain (col. 6 lines 3-20, col. 30 lines 35-67, col. 32 lines 60-col 34 line 35, user interface/graphical user interface/GUI/etc. is rendered/provided that provides/displays reports, notifications/alerts, recommendation, etc. to user, and reports/notifications/alerts/etc. include maturity matrix providing status/maturity level of assets/domains, alert/notification that maturity level of domain/asset/etc. is below threshold/required/level, and recommendations include changes to existing infrastructure/policies/etc. which are initiated/selected/etc. to improve maturity assessment/decrease risk/increase security resilience/etc. (user interface/GUI/etc. rendered/provided/etc. to display a representation of at least one of the enumerated domains/assets/maturity level of domain/asset/etc., and to display an indicator of a remediation operation/recommended changes/etc. selected based on a respective expected maturity level for a corresponding enumerated domain/initiated to improve maturity level of domain that is below threshold maturity level/etc.).).

As per claim 8, Sweeney further anticipates: performing the indicated remediation operation for at least one computing resource object (col. 6 lines 30-35, col. 33 lines 5-50, actions are initiated to change IT/computer environment based on generated recommendation such as reconfiguring security policy/firewall/settings/etc. (perform/initiate remediation operation/action to implement recommended configuration change on IT environment/for at least one computing resource object).).

As per claim 9, Sweeney further anticipates: after the performing the indicated remediation operation: repeating the operations of producing management priority data, producing technical assessment data, and evaluating the management priority data; and performing an additional operation in the computing environment to implement a recommended configuration change produced by repeating the operation of evaluating the management priority data. (col. 31 lines 10-20, 55-61, col. 32 line 20-col. 33 line 55, maturity assessment reports are generated at scheduled intervals, ex: every hour, every fifteen minutes, every day, etc., and when monitored/reported/etc. maturity level drops below threshold value recommended changes to IT domains/infrastructure/etc. of environment/computing environment are determined and initiated/operation to implement recommended configuration change is performed/etc. As the reporting/assessing of maturity occurs at scheduled intervals, ex: every 15 min., every day, every hour, etc., the operations/process is repeated at scheduled intervals, and as such would be/is repeated/performed again/etc. after recommended changes are initiated/performing the remediation operation, and as such the operations of producing management priority data, producing technical assessment data, and evaluating the management priority data; and performing an additional operation in the computing environment are repeated at regular intervals after performing the indicated remediation operation to implement a recommended configuration change produced by repeating the operation of evaluating the management priority data.).

As per claim 10, Sweeney further anticipates: wherein: the plurality of enumerated domains comprises at least two of: 
a background and foundation domain specifying development criteria for at least one of: developer training, developer certification, requirements gathering, vendor security, or development tools; 
a design domain specifying development criteria for at least one of: security, computer language selection, testability, maintainability, software and/or firmware design, failure mode analysis, human factors, hardware design, or system design (col. 8 lines 40-65, IT environment includes multiple assets (domains) including network components firewalls, security components, etc. and implement security policy/specify security controls/etc. (domain/asset specifying criteria for security).); 
a build domain specifying development criteria for at least one of: hardware build, software and/or firmware build, supply change, or change control (col. 40-60, IT environment includes assets (domains) including hardware and software such as computers/servers/storage devices/etc., and productivity applications/customer relationship management/enterprise resource planning/business specific applications/etc. (domain specifying criteria for hardware build/software/etc.).); 
a test domain specifying development criteria for at least one of: hardware unit test or software unit test; 
an integration domain specifying development criteria for computing and/or software modules comprising at least one of: integration; test; factory acceptance testing; factory configuration, or transmission of computer-executable instructions; 
a deployment domain specifying development criteria for at least one of: end-user configuration, documentation, site acceptance testing, or end-user training; or 
a lifecycle domain specifying development criteria for at least one of: operations, maintenance, or disposal.

As per claim 12, it recites one or more computer-readable storage devices or memory having similar limitations to the method of claim 1, and as such is rejected for the same reasoning as claim 1, above.

As per claim 13, Sweeney anticipates: an apparatus comprising: memory; 
at least one processor; and one or more computer-readable storage devices or memory storing computer-executable instructions that when executed by the computer, cause the computer to automatically produce an indication of a configuration change to mitigate a potential vulnerability in a computing environment, the instructions comprising: 
instructions that cause the processor to produce priority data indicating a selected prescribed maturity level for a set of enumerated domains in the computing environment (col. 32 line 40-col. 33 line 40, maturity assessment is monitored for changes in maturity score/maturity level on overall maturity or domain/asset level/specific domain/organizational unit specific/etc. maturity (set of enumerated domains in the computing environment), and alert/notification/etc. is generated when maturity/control maturity/etc. falls below predetermined threshold (selected prescribed/predetermined/threshold/etc. maturity level) and is sent to users that recommends changes to improve maturity assessment/level/score. As the alert/notification notifies user that maturity level falls below predetermined threshold level/selected prescribed maturity level, and the maturity level is calculated/monitored/etc. on an overall or domain specific level, the alert/notification/etc. is priority data that indicates a selected prescribed maturity level/predetermined threshold maturity level/etc. for each of/a set of domains in the computing/IT environment.); 
instructions that cause the processor to produce expected maturity level data indicating actual levels of maturity for computing resources in the computing environment for the set of enumerated domains (col. 4 lines 50-55, col. 12 lines 10-15, col. 23 lines 4-8, col. 25 lines 40-46, environment comprises a plurality of assets associated with plurality of network domains and maturity score/compliance score/security score/etc. is calculated (produce actual maturity level/expected maturity level data indicating actual levels of maturity/etc.) for each security control for each network domain/asset from a plurality of network domains configured for the IT environment (for computing resources in environment for domains).); and 
instructions that cause the processor to produce the indication of the configuration change to mitigate the potential vulnerability by mapping the selected prescribed maturity level to the expected maturity level data and selecting a configuration change that is not currently implemented in the computing environment (col. 10 lines 55-col. 11 line 5, col. 32 line 40-col. 33 line 55, maturity assessment/actual maturity level/expected maturity level data indicating actual levels of maturity/etc. is monitored for changes in maturity score/actual maturity level/etc. on overall maturity or domain level/specific domain/organizational unit specific/etc., alert/notification/etc. is generated when actual maturity level/control maturity/etc. falls below predetermined threshold/selected prescribed maturity level/predetermined maturity level/etc., and in response to alert/notification being generated/sent/etc. when the actual maturity level falls below threshold/selected prescribed level security configuration is analyzed in relation to compliance and maturity requirements and recommendations of changes to existing security/addition of new security infrastructure/etc. to decrease risk/improve security resilience/improve maturity assessment/etc. are made, which may include reconfiguring/changing firewall, adding security infrastructure, changing security policy, enhancing/adding controls, etc. (indication of configuration change to mitigate the potential vulnerability), and changes are initiated based on the calculated maturity, the generated alert, the generated recommendation, etc. As the recommendations include changes to existing security infrastructure/adding new security infrastructure/reconfiguring firewalls/enhancing/adding controls/changing security policy/etc. which are initiated/implemented/selected to improve maturity level/decrease risk/etc., the recommended changes are indication of the configuration change to mitigate the potential vulnerability that are selected/implemented/initiated/etc. to change the configuration of the domain/assets/IT environment to improve maturity level/decrease risk/etc. and as such is selected configuration change that is not currently implemented in the computing environment. And as the recommendations are made/generated/initiated/etc. in response to alert/notification being generated/sent/etc. when the actual maturity level falls below threshold/selected prescribed level security, the selected prescribed maturity level/actual maturity level is mapped/compared/etc. to the expected maturity level/actual maturity level to determine if the expected/actual maturity level is below the selected prescribed/predetermined threshold maturity level.).

As per claims 14 and 15, they recite apparatuses having similar limitations to the methods of claims 2 and 4, respectively, and are therefore rejected for the same reasoning as claims 2 and 4, respectively, above. 

As per claim 16, Sweeney further anticipates: wherein the computer-readable storage devices or memory further comprise instructions that cause the processor to provide a user interface using the display, the user interface comprising: a table representation of the enumerated domains and prescribed levels of maturity associated with the enumerated domains; wherein for each pair of the enumerated domains and the prescribed levels of maturity, a graphic indicator indicating the actual level of maturity associated with the respective pair. (col. 6 lines 3-20, col. 31 lines 40-50, maturity is provided to user by displaying a matrix (table) of assets/domains (table representation of enumerated domains) where each cell in the matrix/table has security controls which may be required (prescribed level of maturity/predetermined threshold level/etc. indicates that security control is required) mapped to the asset/domain and a graphical indication is displayed within each cell indicating maturity of the security controls corresponding to the cell/asset/domain/etc. (table representation of enumerated domains is matrix with cells corresponding to domains/assets that each include levels of maturity associated with the enumerated domains), and cells in matrix may have colors assigned to them indicating the status/maturity level, ex: if security control mapped to cell/asset/domain is required (prescribed level/predetermined threshold indicates that it is required/etc.) and not deployed/not active (actual level of maturity associated with the respective pair/domain and prescribed level/asset and security control required/etc. indicates that asset/domain does not meet threshold/prescribed level/does not have control active/etc.), then cell is colored red and if security control mapped to cell/asset/domain is active then cell is green (color is graphic indicator for each pair/domain and prescribed/threshold level/asset and indication that control is required/etc. indicates actual level of maturity/status of the pair).).

As per claims 19 and 20, they recite systems having similar limitations to the methods of claims 1 and 2, respectively, and are therefore rejected for the same reasoning as claims 1 and 2, respectively, above. 

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim 11 is rejected under 35 U.S.C. 103 as being unpatentable over Sweeney et al. (herein called Sweeney) (US Patent 11,212,316 B2) and Dimaggio et al. (herein called Dimaggio) (US PG Pub. 2017/0330197 A1).

As per claim 11, Sweeney further teaches: identifying and resolving cybersecurity weaknesses by performing prioritized vulnerability mitigation analysis based on logical constructs and multitiered mathematical filters using a preselected quantitative rank-based criteria methodology (col. 33 lines 5-50, existing security configuration is analyzed in relation to maturity/compliance requirements and rank-ordered recommendations of changes to existing security/additions of new security infrastructure/etc. to improve maturity level/decrease risk/improve security resilience/etc. is provided, and changes/actions/etc. are initiated that make changes to IT environment based on the generated recommendation. As the recommendations are identified based on analysis of existing security configuration and actions are initiated to make changes based on/implementing/etc. the recommendations to decrease risk/improve security resilience/etc., the recommending and making changes is identifying and resolving cybersecurity weaknesses by performing vulnerability mitigation analysis based on logical constructs/existing security configuration, and as the recommendations/changes are rank-ordered recommendations it is obvious that the mitigation analysis is prioritized and based on multitiered mathematical filters using a preselected quantitative rank-based criteria methodology/recommendations output from analysis are rank-ordered/prioritized/based on multitiered mathematical filters using quantitative rank-based criteria/etc. in order to determine the ranking/ordering/etc. of the recommendations/changes/etc. resulting from the analysis.).
Sweeney does not explicitly state, however Dimaggio teaches:
the preselected quantitative rank-based criteria methodology comprising combining multi-criteria dimension analysis techniques with rank-weight methods (pars. [0068], [0072], remediation plan includes a list of recommendations for improved security (recommendations/changes/etc. from Sweeney), may be based on risk, impact, cost, feasibility, and resources (multi-criteria dimension analysis techniques) and list of improved recommendations is prioritized based on items posing the highest risk of security breach (rank-weight/priority methods).).
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to add the preselected quantitative rank-based criteria methodology comprising combining multi-criteria dimension analysis techniques with rank-weight methods, as conceptually taught by Dimaggio, into that of Sweeney, because these modifications allow for the recommendations to be determined based on multiple criteria thereby helping to ensure that the recommendations are useful/desirable/etc., and for the recommendations to be ranked/prioritized/etc. based on how much risk/security vulnerability/etc. they mitigate/which recommendations mitigate the most risk/etc., thereby helping to ensure that recommendations implemented mitigate the most risk/improve security the most/have the most impact on security/maturity/etc.

Claims 17 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Sweeney et al. (herein called Sweeney) (US Patent 11,212,316 B2) and Bennet et al. (herein called Bennet 1) (US Patent 8,516,594 B2) in further view of Bennet et al. (herein called Bennet 2) (US PG Pub. 2010/0095235 A1). 

As per claim 17, while Sweeney teaches a graphic indicator displaying a maturity level, as seen above, it does not explicitly state, however Bennet 1 teaches:
wherein the graphic indicator is including a numerical display of actual levels of maturity and a sum of the actual levels of maturity for the respective pair (figs. 10 items 1004 and 1006, and col. 16 lines 5-35, col. 17 lines 10-50, col. 18 lines 39-50, col. 22 lines 50-col. 23 line 10, baseline/actual risk score/maturity level is calculated for asset/domain/business unit/etc. and interface/computer screen/etc. displays actual value/numerical value of risk/maturity level and overall risk/average risk/etc. (sum of actual levels of maturity).)
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Sweeney such that the graphic indicator is including a numerical display of actual levels of maturity and a sum of the actual levels of maturity for the respective pair, as conceptually taught by Bennet, because these modifications allow for an effective method of presenting/outputting/displaying the maturity level information to a user in a manner/format/etc. that is easily understood thereby increasing the usability of the maturity/risk/etc. level information to users, making it more desirable to users. 
While Bennet 1 teaches displaying graphics/table/etc. in graphs/charts/etc. of interfaces (ex: figs. 9-16) that provide/show/display/etc. risk scores/maturity level/etc. information, it does not explicitly state that the information may be displayed in a pie graph, and as such does not explicitly state, however Bennet 2 teaches:
wherein the graphic indicator is a pie graph (fig. 8, pars. [0011], [0098], [0100]-[0105], [0151], [0155], charts/graphs may be pie charts/graphs/wheel charts/graphs/etc. providing security/risk/etc. information that users click on to see more information (graphic indicator is pie graph).).
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Sweeney and Bennet 1 such that the graphic indicator is a pie graph, as conceptually taught by Bennet 2, because these modifications allow for the maturity level/risk score/security information/etc. of the domains/assets/etc. to be presented to users in an easily understandable format, increasing the usability of the information to users. 

As per claim 18, Sweeney further teaches: where the graphic indicator further comprises a display including maturity levels for plural domains (col. 6 lines 3-20, col. 31 lines 40-50, maturity is provided to user by displaying a matrix of assets (display plural domains/assets) where each cell in the matrix/table has security controls mapped to the asset/domain and a graphical indication is displayed within each cell indicating maturity of the security controls corresponding to the cell/asset/domain/etc. (display including maturity levels for plural domains).).
While Sweeney teaches a graphic indicator displaying a maturity level for plural domains, as seen above, it does not explicitly state, however Bennet 1 teaches:
summary display including maturity levels for plural domains, including showing relative levels of implementation for each MIL level in the domain (figs. 10 items 1004 and 1006, and col. 16 lines 5-35, col. 17 lines 10-50, col. 18 lines 39-50, col. 22 lines 50-col. 23 line 10, baseline/actual risk score/maturity level is calculated for asset/domain/business unit/etc. and interface/computer screen/etc. displays actual value/numerical value of risk/maturity level for assets/domains/business units and average impact and average likelihood for the asset/domain/business unit (display maturity level/risk score for plural domains/assets/business units, including showing levels of implementation for each maturity level/average impact and average likelihood) and overall risk/average risk/etc.)
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to add summary display including maturity levels for plural domains, including showing relative levels of implementation for each MIL level in the domain, as conceptually taught by Bennet, into that of Sweeney because these modifications allow for additional information/summary information/etc. about the risk/maturity level to be presented/output/displayed/provided to user in an easily understood format, thereby providing a user with more information about the risk/maturity level of the environment, making the information more usable to users.
While Bennet 1 teaches displaying graphics/table/etc. in graphs/charts/etc. of interfaces (ex: figs. 9-16) that provide/show/display/etc. risk scores/maturity level/etc. information, it does not explicitly state that the information may be displayed in a pie graph, and as such does not explicitly state, however Bennet 2 teaches:
where the graphic indicator further comprises a pie summary, including wedges showing relative levels of implementation for each MIL level in the domain (fig. 8, pars. [0011], [0098], [0100]-[0105], [0139], [0151], [0155], charts/graphs may be pie charts/graphs/wheel charts/graphs/etc. providing security/risk/etc. information that users click on to see more information and pie/wheel graph/chart includes set of wedges for domains/subdomains/etc. As Bennet 1 teaches that summary information is displayed for domains that includes levels of implementation for each risk/security/maturity level in the domain, and as Bennet 2 teaches that risk/maturity/security information may be presented to users in a pie/wheel chart/graph that includes wedges for domains, it is obvious that the graphic indicator may be a pie summary having wedges showing relative levels of implementation for each MIL level in the domain.).
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Sweeney and Bennet 1 such that the graphic indicator further comprises a pie summary, including wedges showing relative levels of implementation for each MIL level in the domain, as conceptually taught by Bennet 2, because these modifications allow for the maturity level/risk score/security information/etc. of the domains/assets/etc. to be presented to users in an easily understandable format, increasing the usability of the information to users.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DOUGLAS M SLACHTA whose telephone number is (571)270-0653. The examiner can normally be reached Monday-Friday 6:30am-4pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Chat Do can be reached on 571-272-3721. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/DOUGLAS M SLACHTA/           Examiner, Art Unit 2193