Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1, 10, and 16 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1, 12, and 20 of U.S. Patent No. 11,159,557. Although the claims at issue are not identical, they are not patentably distinct from each other because each element of the above noted pending claims is fully anticipated by a corresponding element of a patented claim, with pending claim 1 corresponding to patented claim 1, pending claim 10 corresponding to patented claim 12, and pending claim 16 corresponding to patented claim 20.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-3, 7, 10, 11 and 15-18 are rejected under 35 U.S.C. 103 as being unpatentable over Zettel (US-20190102560-A1) in view of Thakur (US-20140331326-A1).
	Regarding claim 1, Zettel shows a system comprising:
	one or more hardware processors (Fig. 2 item 202); and
	a non-transitory memory (Fig. 2 item 206) storing instructions that, when executed by the one or more hardware processors, causes the one or more hardware processors to perform actions comprising:
	storing an indication of a vulnerability group of a managed network, wherein the vulnerability group comprises one or more hardware or software components of the managed network, and wherein the vulnerability group identifies one or more vulnerabilities ([45-46]) of the one or more hardware or software components ([24-25]);
	receiving a request to generate a change request related to the vulnerability group, wherein the change request indicates (1) an addition of a new component to the one or more hardware or software components ([50,52,55]), a removal of at least one of the one or more hardware or software components, or a modification to at least one of the one or more hardware or software components, or any combination thereof;
	generating the change request in response to receiving the request ([55], see “trigger a change request”).
	Zettel does not show an urgency level of the change request; and
	storing an association of the change request with vulnerabilities.
	Thakur shows an urgency level of the change request (Fig. 7 item 728); and
	storing an association of the change request with vulnerabilities ([59]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the vulnerability management techniques of Zettel with the prioritization and grouping techniques of Thakur in order to better ensure that work items are properly associated with the vulnerabilities to which they relate and to further ensure the most urgent items are appropriately prioritized.
	Regarding claim 2, Zettel in view of Thakur further show wherein generating the change request comprises auto-populating (Zettel, [62-63]) one or more data fields of the change request (Thakur, [64]) with data from the vulnerability group (Thakur, Fig. 7, [65-68, 84]).
	Regarding claim 3, Zettel in view of Thakur further show wherein the one or more data fields comprise an identifier of the vulnerability group (Zettel, Fig. 5 item 502, [55]), a risk score of the vulnerability group, a target remediation time of the vulnerability group, or a description of the vulnerability group (Zettel, Fig. 5 items 516 and 518), or any combination thereof.
	Regarding claim 7, Zettel in view of Thakur further show wherein the actions comprise:
	receiving an indication of a state transition of the change request, wherein the state transition comprises a transition between two of a plurality of states of the change request, and wherein the plurality of states comprise a new state, an assessed state, an authorized state, a scheduled state, an implemented state, a reviewed state, a closed state, or a canceled state, or any combination thereof (Zettel, Fig. 7, [50,55,57]); and
	updating a corresponding state of the vulnerability group in response to receiving the indication of the state transition of the change request (Zettel, Fig. 7, [50,55,57]).
	Regarding claims 10 and 16, the limitations of said claims are addressed in the analysis of claim 1.
	Regarding claims 11 and 17, the limitations of said claims are addressed in the analysis of claim 2.
	Regarding claim 15, the limitations of said claim are addressed in the analysis of claim 7.
	Regarding claim 18, the limitations of said claim are addressed in the analysis of claim 3.

Claims 4 and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Zettel in view of Thakur, as applied to claim 1 above, further in view of Wang (US-8572679-B1) and Banzhof (US-20060101517-A1).
	Regarding claim 4, Zettel in view of Thakur show requests to associate a particular existing change request of one or more existing change requests with a vulnerability group (Thakur, [59,76]) and storing the particular change request with the vulnerability group (Thakur, [59,76]).
	Zettel in view of Thakur do not show providing a list of one or more existing change requests, wherein the change request is different from the one or more existing change requests.
	Wang shows providing a list of one or more existing change requests, wherein the change request is different from the one or more existing change requests (col. 5 lines 13-20, col. 8 lines 6-17).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the vulnerability and change management techniques of Zettel in view of Thakur with the change request listing and management of Wang in order to simplify browsing, evaluation and management of the change requests.
	Zettel in view of Thakur and Wang do not show storing an additional association of an existing change request in response to receiving a request to associate the particular existing change request with a group.
	Banzhof shows storing an additional association of an existing change request in response to receiving a request to associate the particular existing change request with a group (Fig. 4, [36,38,100,116-117]).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the vulnerability and change management techniques of Zettel in view of Thakur and Wang with the change order management of Banzhof in order to simplify re-use of existing established change protocols, thus improving system efficiency.
Regarding claim 12, the limitations of said claim are addressed in the analysis of claim 4.

Claims 5, 6, 13, 14, 19, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Zettel in view of Thakur, as applied to claim 1 above, further in view of Krisher (US-8984643-B1) and Weiner (US-20190306236-A1).
	Regarding claim 5, Zettel in view of Thakur show vulnerability groupings (Zettel, [45-46,48]).
	Zettel in view of Thakur do not show generating a first vulnerability group and a second vulnerability group in response to receiving a request and storing indications of the first vulnerability group and second vulnerability group.
	Krisher shows generating a first vulnerability group and a second vulnerability group in response to receiving a request (col. 11 lines 41-54) and storing indications of the first vulnerability group and second vulnerability group (col. 6 lines 58-62, col. 9 line 61 – col. 10 line 15, and col. 10 line 65 – col. 11 line 3).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the vulnerability and change management techniques of Zettel in view of Thakur with the grouping techniques of Krisher in order to simplify management of the large number of computing assets common to both Zettel in view of Thakur and Krisher.
Zettel in view of Thakur and Krisher do not show receiving a request to split a group into a first and second group, wherein the first group comprises a first subset of the one or more components and wherein the second group comprises a second subset of the one or more components, wherein the first subset is different from the second subset.
Weiner shows receiving a request to split a group into a first and second group, wherein the first group comprises a first subset of the one or more components and wherein the second group comprises a second subset of the one or more components, wherein the first subset is different from the second subset (Fig. 7, [68-70]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the vulnerability and change management techniques of Zettel in view of Thakur and Krisher with the asset management techniques of Weiner in order to enable more fine-grained, individualized and tailored control of the management assets via creation of more precisely demarcated asset groups (enabled by the group splitting, shown, e.g., in Weiner’s Fig. 7).
Regarding claim 6, Zettel in view of Thakur, Krisher, and Weiner show wherein the actions comprise:
	receiving a request to generate an additional change request related to only the first vulnerability group (Zettel, [47-53,55]);
	generating the additional change request in response to receiving the request to generate the additional change request related to only the first vulnerability group (Zettel, [47-53,55]); and
	storing an additional association of the additional change request with the first vulnerability group (Zettel, [47-53,55]).
	Regarding claims 13 and 19, the limitations of said claims are addressed in the analysis of claim 5.
	Regarding claims 14 and 20, the limitations of said claims are addressed in the analysis of claim 6.

Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over Zettel in view of Thakur, as applied to claim 1 above, further in view of Basavapatna (US-20130191919-A1).
	Regarding claim 8, Zettel in view of Thakur show obtaining one or more vulnerability definitions from a third-party database (Zettel, [42]), wherein the one or more vulnerability definitions comprise a first severity scale for the one or more vulnerabilities of the one or more hardware or software components (Thakur, Fig. 8 item 808 and [22]).
	Zettel in view of Thakur do not show normalizing the one or more vulnerability definitions to generate one or more normalized definitions, wherein the one or more normalized definitions comprise a second severity scale for the one or more vulnerabilities that is different from the first severity scale;
	obtaining vulnerability data from a third-party vulnerability tool, wherein the vulnerability data comprises a first severity rating ranked on the first severity scale for each vulnerability of the one or more vulnerabilities;
	determining a second severity rating ranked on the second severity scale for each vulnerability of the one or more vulnerabilities based on the one or more normalized definitions;
	determining an importance of each component of the one or more hardware or software components; and
	generating a risk score for each component of the one or more hardware or software components of the managed network based on the second severity rating for each vulnerability of the one or more vulnerabilities and the importance of each component.
	Basavapatna shows normalizing the one or more vulnerability definitions to generate one or more normalized definitions, wherein the one or more normalized definitions comprise a second severity scale for the one or more vulnerabilities that is different from the first severity scale ([54,94]);
	obtaining vulnerability data from a third-party vulnerability tool, wherein the vulnerability data comprises a first severity rating ranked on the first severity scale for each vulnerability of the one or more vulnerabilities ([71]);
	determining a second severity rating ranked on the second severity scale for each vulnerability of the one or more vulnerabilities based on the one or more normalized definitions ([45,71,110]);
	determining an importance of each component of the one or more hardware or software components ([15]); and
	generating a risk score for each component of the one or more hardware or software components of the managed network based on the second severity rating for each vulnerability of the one or more vulnerabilities and the importance of each component ([15,54,117-118]).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the vulnerability and change management techniques of Zettel in view of Thakur with the vulnerability management disclosure of Basavapatna in order to accurately utilize multiple data sources together, avoiding calculation errors via data normalization, and also improving the ease of comparing data in multiple source formats.

Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over Zettel in view of Thakur and Basavapatna, as applied to claim 8 above, further in view of Doubleday (US-20160373478-A1).
	Regarding claim 9, Zettel in view of Thakur and Basavapatna show claim 9.
	Zettel in view of Thakur and Basavapatna do not show wherein the actions comprise automatically associating the risk score for each component of the one or more hardware or software components of the managed network with the change request.
	Doubleday shows wherein the actions comprise automatically associating the risk score for each component of the one or more hardware or software components of the managed network with the change request (Abstract, Fig. 4, [25-26]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the vulnerability and change management techniques of Zettel in view of Thakur and Basavapatna with the risk score use of Doubleday in order to simplify system administration and vulnerability mitigation by clarifying the mechanisms for both prioritizing vulnerabilities and visualization of the resultant prioritizations.



Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. This includes: Hugard (US-20130247206-A1) and Holz (US-20180157842-A1).

Any inquiry concerning this communication or earlier communications from the examiner should be directed to JOHN M MACILWINEN whose telephone number is (571)272-9686. The examiner can normally be reached Monday - Friday, 9:00 - 5:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, WILLIAM TROST can be reached on (571)272-7872. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

JOHN MACILWINEN
Primary Examiner
Art Unit 2442



/JOHN M MACILWINEN/Primary Examiner, Art Unit 2442