DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

This Office Action is in response to the amendment filed on 9/1/2022.  This action is made FINAL.

Claims 1-20 are pending and are presented for examination.

Response to Arguments

Applicant's arguments filed regarding claim 1 (page 10), “Streete discloses nothing regarding “generating, by the one or more computing devices, a requirement for a control to adhere to the update compliance data, wherein the requirement modifies or is used to generate the control based on whether the control exists to cover the updated compliance data,” nor does Streete disclose generating different requirements depending on whether such a control exists.”
The examiner would like to point out that DiMaggio in view of Streete discloses the above limitation. In particular, Streete discloses a compliance policy builder tool that provides a resultant compliance verification file that verifies compliance of each resource. The compliance verification file is automatically updated/created based on resource(s) being added and/or removed to ensure that, if a control does not cover the requirement for compliance, it is automatically updated.
Therefore, the argument is not persuasive.

Double Patenting

The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.

Claims 1-20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-20 of U.S. Patent No. 10,789,103. Although the claims at issue are not identical, they are not patentably distinct from each other because claims 1-20 of U.S. Patent No. 10,789,103 anticipate the instant claims 1-20. Claims 10-20 are system and non-transitory computer-readable medium claims corresponding to the method claims 1-4 and 6-9. Therefore, rejected based on similar rationale.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.



Claim(s) 8 is/are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.

Claim 8 recites the limitation “the function”.  There is insufficient antecedent basis for this limitation in the claim.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claim(s) 1-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over DiMaggio et al. (Pub 20170249644) (hereafter DiMaggio) in view of Streete et al. (Pat 9854002) (hereafter Streete).

As per claim 1, DiMaggio teaches:
A computer-implemented method comprising: 
searching, by one or more computing devices, an external data source for updated compliance data different than compliance data currently used by a compliance application; 
extracting, by the one or more computing devices, the updated compliance data from the external data source; 
correlating, by the one or more computing devices, the updated compliance data to the compliance data currently used by the compliance application; ([Paragraph 36], In an aspect, scoring component 110 is configured to assign a set of scores to a set of assessment information comprising a set of client data and a set of compliance data, wherein the set of scores are assigned based on a comparison between the set of client data and the set of compliance data, and wherein the set of scores represent a current state of compliance.  [Paragraph 37], In an aspect, client compliance data 224 (also referred to as client data 224) and host data can be accessed from a client database 106 (also referred to as client compliance database 106) and a host database 104 (also referred to as host compliance database 104), wherein a set of first client compliance data represents a first set of information for compliance evaluation, and wherein the set of first host data represents a first set of compliance requirements.  [Paragraph 57], In an aspect, system 200 employs visualization component 130 to present various depictions of the compliance data based on compliance activities. For instance, the compliance data is dynamic in that it is continuously updated. The client data is continuously updated with new tasks, changes in existing tasks, and revisions to compliance plans. Also, host data is continuously updated to reflect new regulations, new controls, revisions to existing controls and regulations, as well as changes to best practices and other host compliance data.  [Paragraph 89], Accordingly, sorting component 140 can sort updated (e.g., using update component 150) data from updated databases and incorporate such new data, revised data, or removed data into the sorting, organizing, categorizing, and data mapping processes.  
[Paragraph 98], This iterative process involves provider 114 updating (e.g., using update component 150) the client compliance database 106 during remediation with new client compliance data 224 to allow re-assessment by provider processor 102.)
However, DiMaggio does not explicitly disclose generating, by the one or more computing devices, a requirement for a control to adhere to the updated compliance data, wherein the requirement modifies or is used to generate the control based on whether the control exists to cover the updated compliance data and whether the control fails to adhere to the updated compliance data based on a difference between the updated compliance data and the data currently used by the compliance application; and 
outputting, by the one or more computing devices, the identified control and the requirement.
Streete teaches generating, by the one or more computing devices, a requirement for a control to adhere to the updated compliance data, wherein the requirement modifies or is used to generate the control based on whether the control exists to cover the updated compliance data and whether the control fails to adhere to the updated compliance data based on a difference between the updated compliance data and the data currently used by the compliance application; and 
outputting, by the one or more computing devices, the identified control and the requirement. ([Column 6 line 1-10], In one embodiment, the compliance policies builder tool 106 provides the resultant compliance verification file 120 (e.g., XCCDF file) to a compliance checking service 108 that verifies compliance of the configuration of each resource 112 used by the application 118.  [Column 6 line 20-37], will automatically update the Operations Management Application 104, which will create new Compliance Verification file 120 for all resources that either provide or consume services required…  For example, if an additional resource 112 has been allocated to a particular tier (e.g., for performance reasons) and the firewall policies were updated to allow access to that new resource, a compliance check against the firewall would not fail as the Compliance Verification file for the firewall is simultaneously updated. More importantly, when a resource in a particular tier is no longer needed and thus de-allocated, the Compliance Verification file for the firewall is automatically updated to reflect the de-allocation of that resource thus eliminating the possibility of an orphan (e.g., dangling) rule in the firewall that still passes a compliance check when in fact, should be flagged as non-compliant. [Column 9 line 58-67 and column 10 line 1-17], A compliance verification file generation module 316 generates a compliance verification file 120 according to one or more application-based compliance policies stored in the data source 110. In one embodiment, the application-based compliance policies may be independently specified for each tier of the multi-tier computing environment 116. 
The application-based compliance policies for each tier describe allowable configuration settings for each resource, such as the services that should be or should not be running on its respective resources, the ports that may or may not be open in the resource, the acceptable end-points for each network interface of the resource, and the affinity for each resource, the business continuity and disaster recovery (BCDR) policy for each data store attached to the resource, and an optional template for other compliance requirements (e.g., password policies, etc.).  [Column 11 line 6-10], In one embodiment, the compliance determination module 320 transmits the generated compliance verification file 120 to a compliance checking service 108 that verifies compliance of each resource, and receives a report indicating which policies for each resource that are non-compliant.)
It would have been obvious to a person with ordinary skill in the art, before the effective filing date of the invention, to combine the teachings of DiMaggio wherein updates to a compliance data compared to a current compliance data are searched, located, extracted and correlated to ensure compliance verification is done based on the updated compliance information, into teachings of Streete wherein a requirement for a control to adhere to the updated compliance data is generated to modify existing control to cover the updated compliance data and whether the control fails to adhere to the updated compliance data based on difference between updated compliance and data currently used by flagging as non-compliant, because this would enhance the teachings of DiMaggio wherein by generating an updated requirement for a control to adhere to the updated compliance data, compliance verification file can be automatically updated based on resources that are allocated and/or de-allocated to ensure the generated requirement verifies the compliance of the dynamic environment based on resource being added and/or removed.

As per claim 2, rejection of claim 1 is incorporated:
DiMaggio teaches wherein the correlating comprises: searching, by the one or more computing devices, the compliance data used by the compliance application, for an alphanumeric string of the updated compliance data. ([Paragraph 82], Furthermore, the sort routines can be based on linking mechanisms between the compliance data such that logical nodes are interlinked to allow for easy searching and sorting of compliance data that is related to other such compliance data. [Paragraph 104], For instance, a respective client can identify a number of times a particular data subset (e.g., representing a compliance task) has been changed, updated, revised (e.g., in light of new or altered regulations), and undergone any other such change. Analysis component 210 can make use of log info such as various data entries, log entries, log ID's, aggregated records to facilitate search, retrieval and analysis of various compliance and remediation items.)

As per claim 3, rejection of claim 1 is incorporated:
DiMaggio teaches wherein the compliance application is configured to verify an entity's compliance based on the compliance data. ([Paragraph 9], In accordance with an aspect, a system is disclosed comprising a scoring component, a remediation component, a visualization component, a sorting component, and an update component. In an aspect, a scoring component is configured to assign a set of scores to a set of assessment information comprising a set of client data and a set of compliance data, wherein the set of scores are assigned based on a comparison between the set of client data and the set of compliance data, and wherein the set of scores represent a current state of compliance.)
Streete also teaches ([Column 1 line 45-51], The tool may then determine whether the resource meets each application-based compliance policy, and when the resource does not meet the application-based compliance policy, generate an alarm that includes information associated with the one unmet application-based compliance policy.)

As per claim 4, rejection of claim 3 is incorporated:
Streete teaches wherein the control governs an action executed by the compliance application based on the compliance data. ([Column 6 line 1-10], In one embodiment, the compliance policies builder tool 106 provides the resultant compliance verification file 120 (e.g., XCCDF file) to a compliance checking service 108 that verifies compliance of the configuration of each resource 112 used by the application 118.  [Column 6 line 20-25], will automatically update the Operations Management Application 104, which will create new Compliance Verification file 120 for all resources that either provide or consume services required…  [Column 9 line 58-61 and column 10 line 12-16], A compliance verification file generation module 316 generates a compliance verification file 120 according to one or more application-based compliance policies stored in the data source 110…  The compliance verification file generation module 316 combines the shared resource compliance policies with the other compliance policies to generate the compliance verification file 120 that is stored in the data source 110.  [Column 11 line 6-10], In one embodiment, the compliance determination module 320 transmits the generated compliance verification file 120 to a compliance checking service 108 that verifies compliance of each resource, and receives a report indicating which policies for each resource that are non-compliant.)

As per claim 5, rejection of claim 1 is incorporated:
DiMaggio teaches further comprising outputting, by the one or more computing devices, the requirement to a user device. ([Paragraph 10], Also, in an aspect, a remediation component is configured to generate a set of remediation information in response to the state of compliance, wherein the set of remediation information corresponds to a set of remediation items capable of adjusting a subset of scores of the set of scores to represent an adjusted state of compliance that achieves an increased state of compliance as compared to the current state of compliance. Furthermore, in an aspect, a visualization component is configured to display, using a portal executing on a user device, the set of assessment information and the set of remediation information by a set of graphical depictions, a set of numerical depictions and a set of textual depictions based on the current state of compliance;)

As per claim 6, rejection of claim 1 is incorporated:
wherein the searching comprises: searching, by the one or more computing devices, for specified alphanumeric text associated with the compliance data currently used by the compliance application, on an external web site; 
identifying, by the one or more computing devices, the updated compliance data on the external website based on the difference between the updated compliance data and the compliance data currently used by the compliance application; and 
extracting, by the one or more computing devices, the updated compliance data from the external website. ([Paragraph 10], Also, in an aspect, a remediation component is configured to generate a set of remediation information in response to the state of compliance, wherein the set of remediation information corresponds to a set of remediation items capable of adjusting a subset of scores of the set of scores to represent an adjusted state of compliance that achieves an increased state of compliance as compared to the current state of compliance. Furthermore, in an aspect, a visualization component is configured to display, using a portal executing on a user device, the set of assessment information and the set of remediation information by a set of graphical depictions, a set of numerical depictions and a set of textual depictions based on the current state of compliance; [Paragraph 40], The host compliance database 104 and the client compliance database 106 can each respectively comprise data assorted by categories, sub categories, meta data, contextual data, content data (e.g., associated with a report), portal data (e.g., associated with a report) and other such data classifications. In a non-limiting instance, scores can be assigned (e.g., using scoring component 110) to a first set of client data (e.g., client data representing security protocols, procedures, policies, etc.) or the client compliance data 224 as compared to pertinent host data (e.g., HIPAA policies, rules, regulations, and processes). 
[Paragraph 54], The customizable portals function as private websites to view and publish data associated with compliance plans and remediation plans (e.g., using visualization component 130) [Paragraph 36], In an aspect, scoring component 110 is configured to assign a set of scores to a set of assessment information comprising a set of client data and a set of compliance data, wherein the set of scores are assigned based on a comparison between the set of client data and the set of compliance data, and wherein the set of scores represent a current state of compliance.  [Paragraph 37], In an aspect, client compliance data 224 (also referred to as client data 224) and host data can be accessed from a client database 106 (also referred to as client compliance database 106) and a host database 104 (also referred to as host compliance database 104), wherein a set of first client compliance data represents a first set of information for compliance evaluation, and wherein the set of first host data represents a first set of compliance requirements.  [Paragraph 57], In an aspect, system 200 employs visualization component 130 to present various depictions of the compliance data based on compliance activities. For instance, the compliance data is dynamic in that it is continuously updated. The client data is continuously updated with new tasks, changes in existing tasks, and revisions to compliance plans. Also, host data is continuously updated to reflect new regulations, new controls, revisions to existing controls and regulations, as well as changes to best practices and other host compliance data.  [Paragraph 89], Accordingly, sorting component 140 can sort updated (e.g., using update component 150) data from updated databases and incorporate such new data, revised data, or removed data into the sorting, organizing, categorizing, and data mapping processes.  
[Paragraph 98], This iterative process involves provider 114 updating (e.g., using update component 150) the client compliance database 106 during remediation with new client compliance data 224 to allow re-assessment by provider processor 102.)

As per claim 7, rejection of claim 1 is incorporated:
Streete teaches further comprising assigning, by the one or more computing devices, in response to determining that execution of a function requires more than a threshold amount of computing resources, one or more computing cores identified from available computing cores of a plurality of computing cores. ([Column 4 line 62-67], Other example compliance policies may include verification of a quantity and/or performance level of any processors, an amount of memory allocated to the resource, what other resources that may communicate with the subject resource (e.g., service chains), load balancing rules, redundant memory locations, and the like.  [Column 3 line 23-39], resources can appear and disappear, often in very short time periods, based on workload, service level agreement (SLA) requirements, and other performance criteria specified for the application. For example, in a multi-tier application, certain policies may require that a web server tier, an application server tier, and a database tier all reside on different demilitarized zone (DMZ) networks with firewalls between the networks, that a service chain requires that the web server tier and the database tier are only connected through the application server tier, and that the firewalls between the DMZ networks lock down all ports available to the Internet protocol (IP) addresses on the server(s) in each tier except those necessary for operation of the application. Adding a new resource to the web server tier to meet a particular SLA would also require the firewall policies to be updated to enable that machine to communicate with upstream and downstream devices.)

As per claim 8, rejection of claim 1 is incorporated:
DiMaggio teaches further comprising: receiving, by the one or more computing devices, the updated compliance data from the function asynchronously while a function is being executed; 
storing, by the one or more computing devices, the updated compliance data as the updated compliance data is received in a list data structure, wherein the list data structure maintains a desired order of the output data, converting, by the one or more computing devices, the list data structure into a data frame data structure based on the desired order and priority of the updated compliance data; and 
outputting, by the one or more computing devices, the data frame data structure. ([Paragraph 36], In an aspect, scoring component 110 is configured to assign a set of scores to a set of assessment information comprising a set of client data and a set of compliance data, wherein the set of scores are assigned based on a comparison between the set of client data and the set of compliance data, and wherein the set of scores represent a current state of compliance.  [Paragraph 37], In an aspect, client compliance data 224 (also referred to as client data 224) and host data can be accessed from a client database 106 (also referred to as client compliance database 106) and a host database 104 (also referred to as host compliance database 104), wherein a set of first client compliance data represents a first set of information for compliance evaluation, and wherein the set of first host data represents a first set of compliance requirements.  [Paragraph 57], In an aspect, system 200 employs visualization component 130 to present various depictions of the compliance data based on compliance activities. For instance, the compliance data is dynamic in that it is continuously updated. The client data is continuously updated with new tasks, changes in existing tasks, and revisions to compliance plans. Also, host data is continuously updated to reflect new regulations, new controls, revisions to existing controls and regulations, as well as changes to best practices and other host compliance data.  [Paragraph 89], Accordingly, sorting component 140 can sort updated (e.g., using update component 150) data from updated databases and incorporate such new data, revised data, or removed data into the sorting, organizing, categorizing, and data mapping processes.  
[Paragraph 98], This iterative process involves provider 114 updating (e.g., using update component 150) the client compliance database 106 during remediation with new client compliance data 224 to allow re-assessment by provider processor 102.  [Paragraph 53],  The list of recommendations to improve compliancy can be displayed in a prioritized manner. For instance, the list may enumerate items based on those items that pose the highest risk of security or privacy breaches. Furthermore, in an aspect, the remediation plan may also include target completion dates for compliance items or remediation steps. The target completion dates can be prioritized based on client resource availability, urgency of the item, resource (e.g., cost, time, manpower, etc.) allocation required to comply with the item, and other such prioritization factors.  [Paragraph 76], Furthermore, the tasks can be prioritized and depicted in chart format as to the priority of the task (e.g., on a scale of 1 to 100) and the number of high priority tasks, moderate priority tasks, and/or low priority task)

As per claim 9, rejection of claim 1 is incorporated:
DiMaggio teaches wherein the searching is executed by a function using one or more computing cores dedicated to executing the searching. ([Fig. 1-6A][Paragraph 142], discloses a dedicated data processing center which also does searching…  [Paragraph 82], …Furthermore, the sort routines can be based on linking mechanisms between the compliance data such that logical nodes are interlinked to allow for easy searching and sorting of compliance data that is related to other such compliance data.  [Paragraph 100], Furthermore, analysis component 210 can analyze, organize, perform computations on, perform look-ups or searches on, quantify, correlate sections of, make references based on, correlate sections of, filter, parse, classify (e.g., in connection with sorting component 140) the initial data and initial information.)

As per claims 10-17, these are system claims corresponding to the method claims 1-4 and 6-9.  Therefore, rejected based on similar rationale.

As per claims 18-20, these are non-transitory computer-readable medium claims corresponding to the method claims 1, 6 and 7.  Therefore, rejected based on similar rationale. 


Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DONG U KIM whose telephone number is (571)270-1313. The examiner can normally be reached 9:00am - 5:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Emerson Puente can be reached on 5712723652. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/DONG U KIM/Primary Examiner, Art Unit 2196