Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
1.       This Office Action is in response to the communication filed on September 14, 2020, which paper has been placed of record in the file.
2.           Claims 1-20 are pending in this application. 



Information Disclosure Statement
3.        The information disclosure statement (IDS) submitted on February 3, 2021 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.



Claim Interpretation
4.         The following is a quotation of 35 U.S.C. 112(f):

(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

5.         This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.  Such claim limitations are: “an interface component, a monitoring component, an alert component, a display component”, recited in claims 1-19.
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph.



Claim Rejections - 35 USC § 112
6.      The following is a quotation of 35 U.S.C. 112(b):

(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

7.       Claim limitations, “an interface component, a monitoring component, an alert component, a display component”, recited in claims 1-19 invoke 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. However, the written description fails to disclose the corresponding structure, material, or acts for performing the entire claimed function and to clearly link the structure, material, or acts to the function. The disclosure is devoid of any structure that performs the function in the claim. Therefore, the claim is indefinite and is rejected under 35 U.S.C. 112(b) or pre-AIA  35 U.S.C. 112, second paragraph.
Applicant may:
(a)     Amend the claim so that the claim limitation will no longer be interpreted as a limitation under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph; 
(b)     Amend the written description of the specification such that it expressly recites what structure, material, or acts perform the entire claimed function, without introducing any new matter (35 U.S.C. 132(a)); or 
(c)     Amend the written description of the specification such that it clearly links the structure, material, or acts disclosed therein to the function recited in the claim, without introducing any new matter (35 U.S.C. 132(a)).
If applicant is of the opinion that the written description of the specification already implicitly or inherently discloses the corresponding structure, material, or acts and clearly links them to the function so that one of ordinary skill in the art would recognize what structure, material, or acts perform the claimed function, applicant should clarify the record by either: 
(a)      Amending the written description of the specification such that it expressly recites the corresponding structure, material, or acts for performing the claimed function and clearly links or associates the structure, material, or acts to the claimed function, without introducing any new matter (35 U.S.C. 132(a)); or 
(b)      Stating on the record what the corresponding structure, material, or acts, which are implicitly or inherently set forth in the written description of the specification, perform the claimed function. For more information, see 37 CFR 1.75(d) and MPEP §§ 608.01(o) and 2181.



Claim Rejections - 35 USC § 101
8.        35 U.S.C. 101 reads as follows: 
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


            Note: Examiner points Applicant to the 2019 Revised Patent Subject Matter Eligibility Guidance (2019 PEG).

9.      Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to a judicial exception (i.e., law of nature, natural phenomenon, or abstract idea) without significantly more.
             Independent claim 1, which is illustrative of all the independent claims, is analyzed as follows:
         Step 1: Statutory Category? (is the claim(s) directed to a process, machine, manufacture or composition of matter?). Yes. The claim recites a system and, therefore, is a machine.
           Step 2A - Prong 1: Judicial Exception Recited? (does the claim(s) recite a judicial exception (an abstract idea enumerated in the 2019 PEG, a law of nature, or a natural phenomenon)?). Yes. The claim recites the following limitations: obtaining security status information from at least two software application components…, and receiving security status information from the at least two software application components and to determine a security status of the organizational entity based on the received security status information. These limitations, as drafted, recite a process that, under its broadest reasonable interpretation, covers performance of the limitations in the mind but for the recitation of generic computer components. That is, other than reciting “a computer”, nothing in the claim elements precludes the steps from practically being performed in the mind. The mere nominal recitation of a generic computing device does not take the claim limitation out of the mental processes grouping. Thus, if a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in the mind, then it falls within the “Mental Processes” grouping of abstract ideas. Accordingly, the claim recites an abstract idea. 
             Step 2A - Prong 2: Integrated into a Practical Application? (does the claim(s) recite additional elements that integrate the exception into a practical application of the exception?). No. This judicial exception is not integrated into a practical application. In particular, the claim recites the additional elements of a processor, a memory, and components (interface component, monitoring component), and using the processor and components to perform obtaining, receiving, and determining steps. The processor is recited at a high level of generality (i.e., as a generic computing device performing a generic computer function of obtaining, receiving, and determining steps) such that it amounts to no more than mere instructions to apply the exception using generic computer components. Each of the additional limitations is no more than mere instructions to apply the exception using generic computer components (the processor). The combination of these additional elements is no more than mere instructions to apply the exception using generic computer components. Accordingly, even in combination, these additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea. Accordingly, the claim is directed to an abstract idea. 
           The Berkheimer Memorandum mandates that an additional element (or combination of elements) is not well-understood, routine or conventional unless the examiner finds, and expressly supports a rejection in writing with, one or more of the following: 
           (1) a citation to an express statement in the specification or to a statement made by an applicant during prosecution that demonstrates the well-understood, routine, conventional nature of the additional element(s); 
           (2) a citation to one or more of the court decisions discussed in MPEP § 2106.05(d)(II) as noting the well-understood, routine, conventional nature of the additional element(s); 
           (3) a citation to a publication that demonstrates the well-understood, routine, conventional nature of the additional element(s); or 
           (4) a statement that the examiner is taking official notice of the well-understood, routine, conventional nature of the additional element(s), which satisfies the requirements set forth in MPEP § 2144.03. 
            In this case, the present Specification describes, in figure 12 and on page 21, using a general-purpose computer and available commercial products to perform the method. Thus, the applicant provides (1) a citation to an express statement in the specification or to a statement made by an applicant during prosecution that demonstrates the well-understood, routine, conventional nature of the additional elements. 
           Step 2B: Claim provides an Inventive Concept? (does the claim(s) recite additional elements that amount to an inventive concept (aka “significantly more”) than the recited judicial exception?). No. As discussed with respect to Step 2A Prong Two, the additional elements in the claim amount to no more than mere instructions to apply the exception using a generic computer component. The same analysis applies here in 2B, i.e., mere instructions to apply an exception on a generic computer cannot integrate a judicial exception into a practical application at Step 2A or provide an inventive concept in Step 2B. For these reasons there is no inventive concept in the claim, and thus the claim is not patent eligible.
         The dependent claims do not add limitations that meaningfully limit the abstract idea. Claim 2 recites determining the security status comprises interpreting the security metric…; Claim 3 recites an alert component configured to alert an entity…; Claim 4 recites a display component configured to display…; Claim 6 recites updating the security score in real-time…; Claim 15 recites a mapping that identifies a relationship…. Therefore, the dependent claims do not impart patent eligibility to the abstract idea of the independent claim. The dependent claims rather further narrow the abstract idea and the narrower scope does not change the outcome of the two-part Mayo test. Narrowing the scope of the claims is not enough to impart eligibility as it is still interpreted as an abstract idea, a narrower abstract idea. Therefore, none of the dependent claims alone or as an ordered combination add limitations that qualify as significantly more than the abstract idea. 
          Regarding independent claim 20, Alice Corp. establishes that the same analysis should be used for all categories of claims. Therefore, independent claim 20, directed to a method, is also rejected as ineligible subject matter under 35 U.S.C. 101 for substantially the same reasons as independent method claim 1. 
          Accordingly, claims 1-20 are not drawn to eligible subject matter as they are directed to an abstract idea without significantly more and are rejected under 35 USC § 101 as being directed to non-statutory subject matter.



Claim Rejections - 35 USC § 102
10. 	The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.


11.      Claims 1-20 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Chhabra et al. (hereinafter Chhabra, US 2021/0084057).
            Regarding claim 1, Chhabra discloses a distributed computer system comprising:
            an interface component adapted to obtain security status information from at least two software application components, the at least two software application components being used by an organizational entity (para [0085], Risk management platform 100 can assess and manage security risks associated with third party systems, such as client system 130. Risk management platform 100 can provide an initial assessment and ongoing monitoring of information technology security of one or more client systems 130. Risk management platform 100 can perform the assessment and monitoring automatically based on a flexible, dynamic and interactive process; para [0158], client systems may provide server 112 with a list of hardware, software and other technologies used or installed at the time of certification. Information risks obtained from various sources may be matched against these technologies and a risk level may be determined once a security threat is learned); and
            a monitoring component adapted to receive the security status information from the at least two software application components and to determine a security status of the organizational entity based on the received security status information (para [0085], Risk management platform 100 can associate client system 130 with a security status (e.g. certification-related status) based on the assigned score. Risk management platform 100 can dynamically update the score and status of a client system 300 based on the ongoing assessment and monitoring).
           Regarding claim 2, Chhabra discloses the distributed computer system according to claim 1, wherein: 
           the security status information comprises a security metric (para [0219], Ratings module 606 can manage client ratings or score. Ratings module 606 can generate an overall score for a client system 130 using different metrics and weightings); and 
           determining the security status comprises interpreting the security metric based on a predetermined formula for the organizational entity (para [0095], User portal 116 can allow a user to engage with risk management system 110 to customize parameters related to information security scoring, including algorithms, protocols, weighting, processes, and/or questions that can be used in assessing and/or monitoring the security of one or more client systems 130; para [0148], The certification status can be based on the responses provided so far, other data regarding computing hardware and software used by client system 130, and/or one or more scoring algorithms or instructions for computation used by scoring unit 230). 
            Regarding claim 3, Chhabra discloses the distributed computer system according to claim 1, further comprising an alert component configured to alert an entity responsive to a change in security status information (para [0132], Alert unit 240 can generate one or more alerts or data for transmission to one or more client systems 130 based on security data and data about the client system 130. The security data can be received from one or more security news wires via data I/O unit 210 and/or from storage in one or more databases 260… alert unit 240 can generate and send an alert that a certain internet browser has a security flaw exposing connected systems to possible security breaches to each of the client systems 130 that have that internet browser installed on associated computers).
            Regarding claim 4, Chhabra discloses the distributed computer system according to claim 1, further comprising a display component configured to display, to a user, the obtained security status information (para [0023], the risk management server can dynamically update an interface at the client portal to display the score, the alert, and the updated score in response to a control command received at the risk management server).
            Regarding claim 5, Chhabra discloses the distributed computer system according to claim 1, wherein the security status information from the at least two software application components is used to determine a security score that indicates the security status of the organizational entity (para [0123], Scoring unit 230 can generate an assessor score for a client system 130 based on a discretionary input from a user engaged with risk management system 110 to provide a contextual assessment of the client system 130. In some embodiments, the assessor score generated for the client system 130 can be assigned a weight for computation of the score of the client system 130. The assessor score in some embodiments can be dominant and overwrite other types of components scores).
             Regarding claim 6, Chhabra discloses the distributed computer system according to claim 5, further comprising updating the security score in real time responsive to real-time collection of the security status information from at least two software application components (para [0165], FIG. 5 is an example process 500 for assessing and updating a security score of a system according to some embodiments. At step 502, a computer processor of the risk management server 112 can receive electronic signals representing security data relating to a client system. At step 504, the computer processor can generate a score representing a security assessment of the client system using a plurality of rules to evaluate the security data. At step 506, the computer processor can generate a security threat relevant to the client system by processing real-time or near real-time data feeds). 
            Regarding claim 7, Chhabra discloses the distributed computer system according to claim 5, wherein the security score is determined using respective weighting of the at least two software application components (para [0113], machine learning rules may be used, for example by AI unit 225, to determine or modulate the weighting of data used in computation of one or more scores).
            Regarding claim 8, Chhabra discloses the distributed computer system according to claim 1, wherein the monitoring component is adapted to determine a security status of at least one of the at least two software application components based on the obtained security status information (para [0114], Risk management system 110 can receive data from a user engaged with risk management system 110 via an administrator portal 114 or a user portal 116. The user can specify how one or more scores corresponding to a client system 130 or group of client systems 130 are computed or generated. The user can modify, adjust, change, or select one or more rules, weights or instructions for computation that can apply to facilitate or direct score generation or data processing).
             Regarding claim 9, Chhabra discloses the distributed computer system according to claim 8, wherein the at least one of the at least two software applications is provided by a vendor outside of the organizational entity and wherein the monitoring component is adapted to determine a security status of the vendor (para [0155], there may be two types of data feeds received by system 110: 1) structured data feed, which may be obtained from cyber security sources such as McAfee, Qualys, US Homeland Security; and 2) unstructured data feed: e.g. non-technical things that would apply to client systems. Unstructured data feed may include, for example, articles or news items that can be obtained by crawling the Internet. The articles or news items may not be directly related to cyber security, but still present one or more potential issues (e.g. data leak by a law firm located in the Caribbean region)).
            Regarding claim 10, Chhabra discloses the distributed computer system according to claim 8, wherein the monitoring component is adapted to determine a security score that indicates a risk level associated with using the at least one of the at least two software applications provided by the vendor (para [0116], the certification status and the overall score may indicate how secure a firm's system is. As described herein, once assigned a certification, decision can be generated by server 112 with respect to whether to work with the firm, as well as what kind of service or data can be performed or stored by the firm). 
            Regarding claim 11, Chhabra discloses the distributed computer system according to claim 8, wherein the monitoring component is adapted to determine an aggregated security score that indicates a risk level associated with using a plurality of software components provided by a plurality of vendors (para [0115], Scoring unit 230 can generate an overall score for a client system 130 as a function of a system score, assessor score, and responsive or monitoring score. The system score can relate to the overall security of the hardware and software features of a client system 130, which can also include data and information policies). 
            Regarding claim 12, Chhabra discloses the distributed computer system according to claim 1, wherein the security status information is obtained from at least one of the group comprising: an API; a data log; and a data push (para [0145], the risk management system 110 can implement a two factor authentication process for the login of client system 130, for example. This may be accompanied by an IAN. The IAN can log all notifications and requests at one place for audit purposes. Also, email notification could be disabled for security and efficiency and messages can be found at one place (in the app)).
            Regarding claim 13, Chhabra discloses the distributed computer system according to claim 1, further comprising an interface component adapted to generate, within a user display, a dashboard display element comprising a plurality of monitored categories of software application components being used by the organizational entity (para [0174], An example dashboard interface for an administrator portal 114 is shown in FIG. 10. The dashboard can include a statistics toolbar indicating the number of client systems 130 on boarded, in process, certified, or decertified. The example dashboard interface can include information relating to threats, severity or classification of threats, and statuses, for example. The example dashboard interface can also include a chart showing high-level analytics over time).
            Regarding claim 14, Chhabra discloses the distributed computer system according to claim 13, wherein the plurality of monitored categories of software application components comprises: application components; network components; and organizational components (para [0092], Client system 130 can include software applications, hardware devices, client portals, servers, data storage, assets, network infrastructure, and so on. Client system 130 can connect to risk management system 110 via network 140. For example, client system 130 can refer to computing components of a particular organization or subset of an organization, such as a region or office of the organization).
            Regarding claim 15, Chhabra discloses the distributed computer system according to claim 1, further comprising a mapping that identifies a relationship between a data element associated with security status information of at least one of the at least two software application components to a monitored element (para [0122], A mapping table may be used to map one or more criteria to a component score. Both the database and the mapping table may be updated in real time or near real-time, or from time to time).
           Regarding claim 16, Chhabra discloses the distributed computer system according to claim 15, further comprising a memory adapted to store the mapping as mapping information (para [0208], Client systems 130 can be identified using a unique identifier that can only be used to reveal the identity of the client system 130 using a mapping that is securely stored in risk management server 112. In this way, sites external to risk management server 112 anonymously and securely manage data from client systems 130).
            Regarding claim 17, Chhabra discloses the distributed computer system according to claim 16, wherein the mapping information includes, for a vendor that provides one or more software components, a set of mapping elements that relate to a risk of use of the one or more provided software components by the organizational entity (para [0122], A mapping table may be used to map one or more criteria to a component score. Both the database and the mapping table may be updated in real time or near real-time, or from time to time).
          Regarding claim 18, Chhabra discloses the distributed computer system according to claim 16, wherein the memory is adapted to store parameter values of one or more monitored elements (para [0105], The AI unit 225 may be configured to apply contextual analysis and crawl the security data to look for the keywords, parameters and values in order to determine if the client system in question has a password setting that meets a minimum threshold, and how strong the password setting may be).
          Regarding claim 19, Chhabra discloses the distributed computer system according to claim 18, wherein the memory is adapted to store combination logic, the combination logic being used by the monitoring component to determine a security status responsive to the stored parameter values (para [0110], AI unit 225 may read a document and look for structured (such as password length, password expiration, disabling access after number of failed tries) and unstructured parameters (e.g. USB access, communication of policy, training). Initially unstructured parameters may, in some embodiments, be transmitted to an administrator for decisions and AI unit 225 may study the decisions and draw patterns, thereby generating or updating a decision matrix and learns what an administrator typically looks for in order to make a decision. AI unit 225 may be configured to incorporate past decisions into its rules in order to generate a decision. The structured parameters can have associated metatags to provide contextual data or descriptors or attributes).
             Regarding claim 20, Chhabra discloses a computerized method comprising: 
             obtaining, by an interface component, security status information from at least two software application components, the at least two software application components being used by an organizational entity (para [0085], Risk management platform 100 can assess and manage security risks associated with third party systems, such as client system 130. Risk management platform 100 can provide an initial assessment and ongoing monitoring of information technology security of one or more client systems 130. Risk management platform 100 can perform the assessment and monitoring automatically based on a flexible, dynamic and interactive process; para [0158], client systems may provide server 112 with a list of hardware, software and other technologies used or installed at the time of certification. Information risks obtained from various sources may be matched against these technologies and a risk level may be determined once a security threat is learned); and
             receiving, by a monitoring component, security status information from the at least two software application components and to determine a security status of the organizational entity based on the received security status information (para [0085], Risk management platform 100 can associate client system 130 with a security status (e.g. certification-related status) based on the assigned score. Risk management platform 100 can dynamically update the score and status of a client system 300 based on the ongoing assessment and monitoring).


          
Conclusion
12.         Claims 1-20 are rejected.
13.     The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
            Purathepparambil et al. (US 2020/0021620) disclose a method and a system for contextually managing and executing a change in security behavior of a target user.
            Shenory, JR. et al. (US 2019/0098037) disclose a security system to receive activity data associated with a first source. The security system may scan the activity data to determine if there are one or more actions of interest associated with a first user account in the activity data. 
            Kirti et al. (US 2017/0251013) disclose a security management system discovers use of applications within a computing environment to manage access to applications for minimizing security threats and risks in a computing environment of the organization.  
            Iyer et al. (US 2016/0306965) disclose systems and methods for associating an entity with a risk score that may indicate a security threat associated with the entity's activity.
           Schwartz (US 2003/0037063) discloses a system and method for assessing risk, monitoring risk, and managing caseloads of individuals under risk assessment.
          
14.       Any inquiry concerning this communication or earlier communications from the examiner should be directed to examiner NGA B NGUYEN whose telephone number is (571) 272-6796.  The examiner can normally be reached on Monday-Friday 7AM-5PM.
          Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, Applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eric Stamber can be reached on (571) 272-6724.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
            Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/NGA B NGUYEN/
Primary Examiner, Art Unit 3683
September 27, 2022