DETAILED ACTION

Acknowledgement


This action is in response to the request for continued examination (RCE) filed on 09/12/2022.


Status of Claims


Claims 1-2, 4-5, 8-9, 11, 14-15, and 18 have been amended. 
Claims 1-2, 4-6, 8-9, 11-12,  14-15 and 17-19 are now pending.



Continued Examination Under 37 CFR 1.114


A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 09/12/2022 has been entered.




Response to Arguments

Applicant's arguments filed on 09/12/2022 regarding the 35 U.S.C. 101 and 103 rejections of claims have been fully considered. The Applicant argues the following.
         As per the 101 rejection, the Applicant argues that the claims are not directed to an abstract idea because the claims are directed to improvements in computer functionality or other technology. Specifically, embodiments provide a distributed compliance engine architecture to achieve multi-site auto-enforcement of the audit and legal compliances for data protection across multiple regions using a plurality of ideal profiles. The plurality of ideal profiles reduces the processing and bandwidth required to ensure compliance by a centralized entity. Further, in embodiments, backup administrators are relieved from the concern for maintaining compliance for distinct locations.
The Examiner respectfully disagrees. The Examiner maintains the position that the claims are directed to an abstract idea of Mental Processes because the claims describe a process of compliance analysis (e.g. comparing data file to ideal profile, identifying mismatches, etc.) and notification.  As per the October 2019 PEG, mental processes include claims directed to collecting information, analyzing it, and displaying certain results of the collection and analysis even if they are claimed as being performed on a computer. The improvements cited above by the Applicant are produced by the ideal profiles, which are considered abstract. As per MPEP 2106.07, the improvement to the functioning of a computer or another technology must be provided by the additional elements (i.e. non-abstract elements) recited in the claims. The Examiner submits that the additional elements recited in the amended claims do not improve the functioning of the computer itself or another technological field, but are mere instructions to apply or implement the abstract idea of compliance analysis and notification on a computer. Applying an abstract idea on a computer does not integrate a judicial exception into a practical application or provide an inventive concept (see MPEP 2106.05(f)). Therefore, the 35 U.S.C. 101 rejection is maintained.
         As per the 103 rejection, the Applicant argues that the combination of Maung and Nicodemus fails to disclose or suggest at least the limitations of amended independent claims 1, 8, and 14. Maung is completely silent with respect to “a plurality of ideal profiles” and Nicodemus also fails to disclose or suggest “a plurality of ideal profiles”.
The Examiner respectfully disagrees. Maung in view of Nicodemus teach all of the limitations of amended claims 1, 8, and 14. Specifically, Maung teaches a plurality of regulations 1071-5 as in Fig. 1B that determine compliance or non-compliance of acts. These plurality of regulations are analogous to the plurality of ideal profiles. Therefore, the 35 U.S.C. 103 rejection is maintained.


Notice of Pre-AIA  or AIA  Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Information Disclosure Statement

The information disclosure statement (IDS) submitted on 09/12/2022 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 101

35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1-2, 4-6, 8-9, 11-12, 14-15, and 17-19 are rejected under 35 U.S.C. 101 because the claimed invention, “Method and System for Multisite Legal Profiling for Backup Data”, is directed to an abstract idea, specifically Mental Processes, without significantly more. The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception because the additional elements individually or in combination provide mere instructions to implement the abstract idea on a computer.
Step 1:  Claims 1-2, 4-6, 8-9, 11-12, 14-15, and 17-19 are directed to a statutory category, namely a process (claims 1-2 and 4-6), a manufacture (claims 8-9 and 11-12) and a machine (claims 14-15 and 17-19).
Step 2A (1): Independent claims 1, 8, and 14 are directed to an abstract idea of Mental Processes, based on the following claim limitations: “obtaining, a data profile of a data object; comparing the data file to a first ideal profile of a plurality of ideal profiles, the first ideal profile corresponding to the data profile, the plurality of ideal profiles being stored, wherein the plurality of ideal profiles were generated based on at least one rule; identifying mismatches between the data profile and the first ideal profile based on the comparison; generating an alert based on the identified mismatches; and transmitting an alert; receiving, in response to transmitting the alert, an update to the first ideal profile, wherein the update specifies a modification to the compliance requirement; modifying the first ideal profile based on update to obtain an first updated ideal profile; and transmitting the first updated ideal profile” (claims 1 and 14); obtaining a data profile of a data object; comparing the data file to a first ideal profile of a plurality of ideal profiles, the first ideal profile corresponding to the data profile, the plurality of ideal profiles being stored, wherein the plurality of ideal profiles were generated based on at least one rule; identifying mismatches between the data profile and the first ideal profile based on the comparison; generating an alert based on the identified mismatches; and transmitting the alert (claim 8).  The claims describe a process of analyzing and comparing data to identify mismatches, providing an alert of the results, and receiving and implementing updates. Dependent claims 2, 4-6, 9, 11-12, 15, and 17-19 further define the analysis, comparison, alerting, and updating process. These limitations, under the broadest reasonable interpretation, fall within the abstract grouping of “Mental Processes” which includes observations, evaluations, judgments, and opinions and thus recite an abstract idea. Per the October 2019 Subject Eligibility Guidance pg. 7, claims that recite mental processes include limitations of “collecting information, analyzing it, and displaying certain results of the collection and analysis” even if they are claimed as being performed on a computer. Therefore, claims 1-2, 4-6, 8-9, 11-12, 14-15, and 17-19 are directed to an abstract idea and are not patent eligible.
Step 2A (2): This judicial exception is not integrated into a practical application. In particular, claims 1, 5-6, 8, 11-12, 14, and 18-19 recite additional elements of backup systems, a local compliance engine, data object is stored on a production host, a user system, a centralized compliance system, send a notification to a centralized compliance system, a compliance rule repository, a non-transitory computer readable medium comprising computer readable program code, and system comprising a processor and memory comprising instructions. These additional elements do not integrate the abstract idea into a practical application because the claims do not recite (a) an improvement to another technology or technical field and (b) an improvement to the functioning of the computer itself and (c) implementing the abstract idea with or by use of a particular machine, (d) effecting a particular transformation or reduction of an article, or (e) applying the judicial exception in some other meaningful way beyond generally linking the use of an abstract idea to a particular technological environment. These additional elements are viewed as computing devices that are used to perform the data analysis, comparison, and alerting process. Limitations that recite mere instructions to implement an abstract idea on a computer or merely uses a computer as a tool to perform an abstract idea are not indicative of integration into a practical application (see MPEP 2106.05(f)). Therefore, claims 1-2, 4-6, 8-9, 11-12, 14-15, and 17-19 do not integrate the judicial exception into a practical application and thus are not patent eligible. 
Step 2B: The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception. Claims 1, 5-6, 8, 11-12, 14, and 18-19 recite additional elements of backup systems, a local compliance engine, data object is stored on a production host, a user system, a centralized compliance system, send a notification to a centralized compliance system, a compliance rule repository, a non-transitory computer readable medium comprising computer readable program code, and system comprising a processor and memory comprising instructions. As per the Applicant’s Specification the backup system, local compliance engine, production host, user system, and centralized compliance system are implemented as a computing device such as a laptop computer, desktop computer, a server, a distributed computing system, or a cloud resource ([0029], [0039], [0041], [0043], and [0048]); the compliance rule repository is interpreted as storage/database; a notification/alert is sent via email, API, or via any other communication mechanism [0056]; non-transitory computer readable medium  may be persistent storage (e.g. disk drives, solid state drives, etc.) [0029]; processors may be an integrated circuit, one cores or micro-cores [0062]; and memory include random access memory [0029]. These additional elements are viewed as mere instructions to apply or implement the abstract idea on a computer. Applying an abstract idea on a computer does not integrate a judicial exception into a practical application or provide an inventive concept (see MPEP 2106.05(f)). Therefore, claims 1-2, 4-6, 8-9, 11-12, 14-15, and 17-19 do not include additional elements that are sufficient to amount to significantly more than the judicial exception and thus are not patent eligible.


Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1-2, 4-6, 8-9, 11-12, 14-15, and 17-19 are rejected under 35 U.S.C. 103 as being unpatentable over Maung (US 2018/0285887 A1) in view of Nicodemus et al. (US 2017/0201545 A1).
As per claim 1 (Currently Amended), Maung teaches a method for verifying compliance of data objects in backup systems, the method comprising (Maung e.g. Figs. 1B, 2, 4, and 12A; Systems, methods, and computer program products that embody computerized techniques for implementing regulatory control compliance monitoring, and auditing capabilities. The centralized cloud solution verifies that actions and/or operations performed by subscribers are being performed in accordance with a set of regulatory compliance rules [0009].): 
Maung in view of Nicodemus teach obtaining, by a local compliance engine, a data profile of a data object, wherein the data object is stored on a production host in a region; 
Maung teaches obtaining, by a compliance engine, a data profile of a data object wherein the data object is stored on a production host in a region (Maung e.g. Fig. 1B, Maung teaches a hub-and-spoke configuration of multiple cloud computing platforms (e.g. 102 and 104) as interconnected for heterogeneous regulatory control compliance monitoring and auditing (Fig. 1A and [0035]). The master cloud computing platform 102 (i.e. hub) implements a compliance engine that federates data formats and communication techniques as used for auditing compliance/non-compliance of acts performed on the platform and serves to manage logging, auditing and reporting with respect to heterogeneous regulatory compliance ([0038] and [0041]). The master cloud computing platform is configured to handle compliance data of various types [0051]. Compliance data is received from different platforms, converted into a common format and then stored ([0052]-[0054]).  The events or occurrences of actions and/or operations performed by subscribers (i.e. users) are captured in messages that are sent to the centralized cloud solution [0009]. When a message or compliance data is received from a particular source, the source itself might be used to determine the provenance of the sent message or sent compliance data. Additionally, using the mapping table 602, the underlying nature or purpose of the compliance data can be characterized (i.e. data profile) (Fig. 6 and [0089]).); 
Maung does not explicitly teach, however,  Nicodemus a local compliance engine (Nicodemus e.g. Nicodemus teaches methods and systems for flexibly monitoring, evaluating, and initiating actions to enforce security compliance policies [0086]. Fig. 1 policy management system 106 include a compliance analysis engine 106C as well as various policy information stored within storage system 106B [0100]. The functions incorporated and described with respect to policy management system 106 may be contained within endpoint system 104 (i.e. local system) and within host system. For example, FIG. 5 wherein a compliance analysis engine 106C is shown in each of endpoint systems 104 (engine 106C') (i.e. local compliance engine) and host system 102 (engine 106C") [0102].)
The Examiner submits that before the effective filing date, it would have been obvious to one of ordinary skill in the art to modify Maung’s compliance monitoring system to include local compliance engines in each cloud computing platforms (i.e. local systems) as taught by Nicodemus in order to leverage the compliance analysis feature/functionality of the policy management system (i.e. central system) (Nicodemus e.g. [0102]).
Maung teaches comparing the data profile to a first ideal profile of a plurality of ideal profiles, the first ideal profile corresponding to the data profile (Maung e.g. Maung teaches systems for centralized processing of regulatory control events. A method embodiment applies regulatory compliance rules against regulatory control events that occur at a plurality of heterogeneous remote cloud-based systems (Abstract). Data regulation requirements (i.e. ideal profile) can be based on a data type and a geographic location associated with the data [0040]. Fig. 1B compliance engine include regulations 1071-5 (i.e. plurality of ideal profiles) and associated controls [0042]. Some jurisdictions or regions might have jurisdiction- and/or region- specific regulations. For example, data of certain types might be regulated under international trafficking in arms regulations (ITAR), and as such the movement of data might be restricted under such ITAR controls [0095]. A first service provider might perform a process in a manner that is prescribed and/or documented as per ISO 9001 requirements (i.e. ideal profile), whereas a different service provider might perform the same (or intended to be the same) process in a manner that is contrary to the process that is prescribed and/or documented in ISO 9001 (i.e. data profile) [0078].), Maung in view of Nicodemus teach the plurality of ideal profiles being stored on the local compliance engine, wherein the plurality of ideal profiles were each generated by a centralized compliance system based on at least one rule stored in a compliance rule repository; 
Maung teaches the plurality of ideal profiles being stored on a centralized compliance engine, wherein the plurality of ideal profiles were each generated by a centralized compliance system based on at least one rule stored in a compliance rule repository (Maung e.g. Fig. 1B depicts a centralized cloud-based compliance engine as used in a heterogenous regulatory control compliance monitoring and auditing environment [0039]. Fig. 1B compliance engine is associated with a series of regulations 1071-5 (i.e. ideal profiles) and respective sets of controls 1091-5, each of which regulations and/or controls may be codified in heterogeneous formats [0042]. Data regulation requirements (i.e. ideal profiles) can be based on a data type and a geographic location associated with the data [0040]. Some jurisdictions or regions might have jurisdiction- and/or region- specific regulations, any of which jurisdiction- and/or region- specific regulations might be stored in or referenced by an instance of the compliance rulebase 410 (i.e. repository) of FIG. 4 [0095]. Any aspect or aspects of communication and/or formatting, and/or detection of events, and/or determination of actions to take can be derived from the mapping rules 414 of the compliance rulebase 410 [0076].)
Maung does not explicitly teach, however, Nicodemus teaches a local compliance engine (Nicodemus e.g. Nicodemus teaches methods and systems for flexibly monitoring, evaluating, and initiating actions to enforce security compliance policies [0086]. Fig. 1 policy management system 106 include a compliance analysis engine 106C as well as various policy information stored within storage system 106B [0100]. The functions incorporated and described with respect to policy management system 106 may be contained within endpoint system 104 (i.e. local system) and within host system. For example, FIG. 5 wherein a compliance analysis engine 106C is shown in each of endpoint systems 104 (engine 106C') (i.e. local compliance engine) and host system 102 (engine 106C") [0102].)
The Examiner submits that before the effective filing date, it would have been obvious to one of ordinary skill in the art to modify Maung’s compliance monitoring system to include local compliance engines in each cloud computing platforms (i.e. local systems) as taught by Nicodemus in order to leverage the compliance analysis feature/functionality of the policy management system (i.e. central system) (Nicodemus e.g. [0102]).
Maung teaches identifying mismatches between the data profile and the first ideal profile based on the comparison; (Maung e.g. A first service provider might perform a process in a manner that is prescribed and/or documented as per ISO 9001 requirements (i.e. ideal profile), whereas a different service provider might perform the same (or intended to be the same) process in a manner that is contrary to the process that is prescribed and/or documented in ISO 9001 (i.e. data profile). Variations in processing between the two service providers (i.e. ideal profile vs. data profile above) can be detected by comparing the two sets of occurrence indications that are stored in a common sequencing format [0078].)
Maung teaches generating an alert based on the identified mismatches; Maung e.g. If a difference is detected, the occurrence of the detected difference can be logged and/or reported [0078].)
Maung teaches transmitting the alert to a user system and the centralized compliance system, (Maung e.g. The disclosed technology prohibits non-compliant business operations, and report such non-compliant business operations to data security and/or data protection teams and managers of the enterprise [0040]. Figs. 3B and 4 systems provides an audit portal 302 [0064].  Audit portal 302 includes a reporting tool to permit an auditor to review (e.g. in real time), aspects of compliance with respect to any one or more of the international and national standards (i.e. user system). In the event that the reporting tool determines that the business operations of the enterprise are not compliant with the international or national standards, the reporting tool can raise an alert and/or provide one or more corrective actions [0066]. In other scenarios, upon detection of an event, a report can be produced contemporaneously with logging the detected event in the evidence log 412 of the centralized compliance system ([0073], [0076], and [0097]).)
Maung teaches receiving, in response to transmitting the alert, an update to the first ideal profile from the user system, wherein the update specifies a modification to the compliance requirement; (Maung e.g. In the event that the reporting tool determines that the business operations of the enterprise are not compliant with the international or national standards, the reporting tool can raise an alert (e.g., a non-compliance alert, or a non-compliance threshold alert) and/or provide one or more corrective actions with the goal of remediating the situation so as to bring the business practices into compliance with the international or national standards and/or into compliance with an enterprise's own internal compliance standards [0066]. Corrective actions might be implemented by changes in the underlying processes (e.g., process1, process2) (i.e. compliance requirement) [0067]-[0068].)
Maung teaches modifying the first ideal profile based on update to obtain an first updated ideal profile; and (Maung e.g. Based on national or international standards, an enterprise might be prohibited from sharing IP addresses that lie outside a certain geographical territory. Configurations and/or settings pertaining to the enterprise’s implementation of its respective processes (i.e. ideal profile) can reflect such a regulation. If the enterprise acquires a new company that is located outside of the aforementioned certain geographical territory, then the processes (i.e. ideal profile) might need to be modified. Thus, the corrective action in this scenario might be to implement a modification of the underlying processes (i.e. ideal profile) [0068].)
Maung teaches transmitting the first updated ideal profile to the centralized compliance system. (Maung e.g. Figs. 1B, 3B, and 5;  Control layers are provided in and by the master cloud computing platform (i.e. centralized compliance system). Corrective actions and/or changes to the underlying processes are implemented by the master cloud computing platform (Fig. 3B and [0067]). One or more layers between each regulated service provider 105 and a compliance engine 103 also serves for updating data structures and/or code that corresponds to new controls. New controls might be ones that apply to a previously codified regulation, or the new controls might correspond to a new corpus of regulations. When a new control 518 is identified, aspects of the new control and/or its configuration can be relayed (by message 520) from the compliance engine to a target control layer (Fig. 1B, Fig. 5, and [0083]).)
As per claim 8 (Currently Amended), Maung teaches a non-transitory computer readable medium comprising computer readable program code, which when executed by a computer processor enables the computer processor to perform a method for verifying compliance of data objects in backup systems, the method comprising (Maung e.g. Figs. 1B, 2, 4, and 12A; Systems, methods, and computer program products that embody computerized techniques for implementing regulatory control compliance monitoring, and auditing capabilities. The centralized cloud solution verifies that actions and/or operations performed by subscribers are being performed in accordance with a set of regulatory compliance rules [0009]. Embodiments of the present disclosure is implemented on Fig. 12A computer system that includes data processor 1207 executing one or more sequences of one or more program code instructions contained in memory. Program instructions 1202 is contained in a storage location or memory from any computer readable/usable storage medium such as a static storage device or a disk drive, or other non-transitory computer readable medium ([0126] and [0131]).): 
Maung in view of Nicodemus teach obtaining, by a local compliance engine, a data profile of a data object, wherein the data object is stored on a production host in a region; (See claim 1a for response.)
Maung in view of Nicodemus teach comparing the data profile to a first ideal profile of a plurality of ideal profiles, the first ideal profile corresponding to the data profile, the plurality of ideal profiles being stored on the local compliance engine, wherein the plurality of ideal profiles were each generated by a centralized compliance system based on at least one rule stored in a compliance rule repository; (See claim 1b for response.)
Maung teaches identifying mismatches between the data profile and the first ideal profile based on the comparison; (See claim 1c for response.)
Maung teaches generating an alert based on the identified mismatches; and (See claim 1d for response.)
Maung teaches transmitting the alert to a user system and the centralized compliance system. (See claim 1e for response.)
As per claim 14 (Currently Amended), Maung teaches a system, comprising: a processor; and memory comprising instructions, which when executed by the processor, perform a method, the method comprising (Maung e.g. Fig. 12A Computer system 12A00 implements the embodiment of the present disclosure and include data processor 1207 and memory 1208, 1209, and 1210 [0125]. Computer system 12A00 performs specific operations by data processor 1207 executing one or more sequences of one or more program code instructions contained in a memory [0126].): 
Maung in view of Nicodemus teach obtaining, by a local compliance engine, a data profile of a data object, wherein the data object is stored on a production host in a region; (See claim 1a for response.)
Maung in view of Nicodemus teach comparing the data profile to a first ideal profile of a plurality of ideal profiles, the first ideal profile corresponding to the data profile, the plurality of ideal profiles being stored on the local compliance engine, wherein the plurality of ideal profiles were each generated by a centralized compliance system based on at least one rule stored in a compliance rule repository; (See claim 1b for response.)
Maung teaches identifying mismatches between the data profile and the first ideal profile based on the comparison; (See claim 1c for response.)
Maung teaches generating an alert based on the identified mismatches; and (See claim 1d for response.) 4Application No.: 16/925,938Docket No.: 170360-059300US 
Maung teaches transmitting the alert to a user system and the centralized compliance system; (See claim 1e for response.)
Maung teaches receiving, in response to transmitting the alert, an update to the first ideal profile from the user system, wherein the update specifies a modification to the compliance requirement; (See claim 1f for response.)
Maung teaches modifying the first ideal profile based on update to obtain an first updated ideal profile; and (See claim 1g for response.)
Maung teaches transmitting the first updated ideal profile to a centralized compliance system. (See claim 1h for response.)
As per claims 2, 9, and 15 (Currently Amended), Maung in view of Nicodemus teach the method of claim 1, non-transitory computer readable medium of claim 8, and system of claim 14, wherein comparing the data profile to the first ideal profile further comprises: 
Maung teaches selecting a compliance requirement from the first ideal profile; (Maung e.g. The centralized cloud solution is able to apply regulatory compliance rules against aspects of any event or message raised by any subscriber [0009]. Data regulation requirements (i.e. ideal profiles) can be based on a data type and a geographic location associated with the data [0040]. Knowing the source and some characteristic of the nature or purpose of the received compliance data, the mapping table 602 can be used to determine which compliance regulations and/or respective controls might apply and/or what compliance actions are to be carried out with respect to the received compliance data and/or performance of any of the controls (i.e. ideal profile) [0089]. The mapping table is one example of codifying compliance regulation rules [0092].)
Maung teaches obtain a corresponding compliance characteristic from the data profile; and (Maung e.g. When a message or compliance data is received from a particular source, the source itself (i.e. characteristic) might be used to determine the provenance of the sent message or sent compliance data. Additionally, using the mapping table 602, the underlying nature or purpose of the compliance data can be characterized (e.g. in a column of the mapping table (Fig. 6 and [0089]). For example, an uploaded data item path to the destination pertaining to the upload activity and the destination URL of the data item is determined from a portion of payload of an incoming message [0095].)
Maung teaches comparing the compliance requirement from the first ideal profile to the corresponding compliance characteristic from the data profile. (Maung e.g. Data regulation requirements (i.e. ideal profiles) can be based on a data type and a geographic location associated with the data [0040]. Some jurisdictions or regions might have jurisdiction- and/or region-specific regulations, any of which jurisdiction-and/or region-specific regulations might be stored in or referenced by an instance of the compliance rulebase 410 (i.e. repository) of FIG. 4. For example, in a particular upload scenario, data of certain types might be regulated under international trafficking in arms regulations (ITAR), and as such the movement of data might be restricted under such ITAR controls [0095].)
As per claims 4 and 17 (Currently Amended), Maung in view of Nicodemus teach the method of claim 1 and system of claim 14, Maung teaches wherein the update comprises an indication to apply the modification to the compliance requirement to a second ideal profile of the plurality of ideal profiles (Maung e.g. The system deploys a centralized cloud solution that serves as a centralized point in a cloud-oriented ecosystem comprising multiple cloud-based service providers that subscribe to the centralized cloud solution (Fig. 4 and [0009]). Fig. 1B compliance engine is associated with a series of regulations 1071-5 (i.e. ideal profiles) and respective sets of controls 1091-5, each of which regulations and/or controls may be codified in heterogeneous formats [0042]. One or more layers between each regulated service provider 105 and a compliance engine 103 also serves for updating data structures and/or code that corresponds to new controls. New controls might be ones that apply to a previously codified regulation, or the new controls might correspond to a new corpus of regulations. When a new control 518 is identified, aspects of the new control and/or its configuration can be relayed (by message 520) from the compliance engine to a target control layer (Fig. 5 and [0083]). Certain regulations (e.g., new regulations) can be configured so as to be implemented immediately and configured in the system to continue into the future [0121]. The Examiner submits that the configured/codified regulations are the ideal profiles.) .
As per claims 5, 11, and 18 (Currently Amended), Maung in view of Nicodemus teach the method of claim 4, non-transitory medium of claim 8, and system of claim 17,  further comprising: 
Maung in view of Nicodemus teach updating, by the local compliance engine, the second ideal profile to obtain a second updated ideal profile; and 
Maung teaches updating, by the compliance engine, the second ideal profile to obtain a second updated ideal profile (Maung e.g. Control layers are provided in and by the master cloud computing platform (Fig. 1B, Fig. 3B, and  [0067]). One or more layers between each regulated service provider 105  and a compliance engine 103 also serves for updating data structures and/or code that corresponds to new controls. New controls might be ones that apply to a previously codified regulation, or the new controls might correspond to a new corpus of regulations.  When a new control 518 is identified, aspects of the new control and/or its configuration can be relayed (by message 520) from the compliance engine to a target control layer (Fig. 1B, Fig. 5, and [0083]).) 
Maung does not explicitly teach, however, Nicodemus teaches a local compliance engine (Nicodemus e.g. Nicodemus teaches methods and systems for flexibly monitoring, evaluating, and initiating actions to enforce security compliance policies [0086]. Fig. 1 policy management system 106 include a compliance analysis engine 106C as well as various policy information stored within storage system 106B [0100]. The functions incorporated and described with respect to policy management system 106 may be contained within endpoint system 104 (i.e. local system) and within host system. For example, FIG. 5 wherein a compliance analysis engine 106C is shown in each of endpoint systems 104 (engine 106C') (i.e. local compliance engine) and host system 102 (engine 106C") [0102].)
The Examiner submits that before the effective filing date, it would have been obvious to one of ordinary skill in the art to modify Maung’s compliance monitoring system to include local compliance engines in each cloud computing platforms (i.e. local systems) as taught by Nicodemus in order to leverage the compliance analysis feature/functionality of the policy management system (i.e. central system) (Nicodemus e.g. [0102]).
Maung teaches sending a notification to the centralized compliance system, wherein the notification specifies that first ideal profile was modified to obtain the first updated ideal profile and that the second ideal profile was modified to obtain the second updated ideal profile (Maung e.g. Fig. 1B compliance engine is associated with a series of regulations 1071-5 (i.e. ideal profiles) and respective sets of controls 1091-5, each of which regulations and/or controls may be codified in heterogeneous formats [0042]. Control layers are provided in and by the master cloud computing platform (i.e. centralized compliance system). Corrective actions and/or changes to the underlying processes are implemented by the master cloud computing platform (Fig. 3B and [0067]). When a new control 518 is identified, aspects of the new control and/or its configuration can be relayed (by message 520) from the compliance engine 103 to a target control layer (Fig. 5 and [0083]). Certain regulations (e.g., new regulations) can be configured so as to be implemented immediately and configured in the system to continue into the future [0121]. The Examiner submits that the configured/codified regulations are the ideal profiles.).
As per claims 6, 12, and 19 (Previously Presented),  Maung in view of Nicodemus teach the method of claim 1, non-transitory medium of claim 8, and system of claim 14, Maung teaches wherein the compliance requirement comprises a region specific legal requirement associated with the region in which the production host is located (Maung e.g. The data regulation requirements (i.e. ideal profiles) can be based on a data type and a geographic location associated with the data [0040]. Some jurisdictions or regions might have jurisdiction- and/or region - specific regulations, any of which jurisdiction - and/or region-specific regulations might be stored in or referenced by an instance of the compliance rulebase 410 of FIG. 4. For example, data of certain types might be regulated under international trafficking in arms regulations (ITAR), and as such the movement of data might be restricted under such ITAR controls [0095].).

Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to Ayanna Minor whose telephone number is (571)272-3605. The examiner can normally be reached M-F 9am-5 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jerry O'Connor can be reached on 571-272-6787. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/A.M./Examiner, Art Unit 3624                                                                                                                                                                                                        



/MEHMET YESILDAG/Primary Examiner, Art Unit 3624