Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .


DETAILED ACTION
This action is in response to the Amendment filed on 10/11/2022.
Claims 1-7, 9-17 and 19-21 are under examination. Claims 8 and 18 have been cancelled.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-7 and 10-16 are rejected under 35 U.S.C. 103 as being unpatentable over Kincaid et al. (US 10,360,408 B1), Pettit et al. (US 11,102,251 B1) and Vasudevan et al. (US 10,656,953 B1).
Regarding claim 1, Kincaid et al. discloses: A system for determining compliance with security technical implementation guide (STIG) standards [col. 17, lines 34-36, “method and systems of this invention is in the evaluation of STIG compliance”], comprising:  5at least one processor; a memory device including instructions that, when executed by the at least one processor, cause the system to: analyze a STIG specifications contained in a STIG data file obtained from a STIG publisher into individual security configuration rules directed to system components of a computer system configuration [col. 7, lines 21-25, “The SCS may be coded in the system to transforms the CSVs for data transfer that is compatible with the command line format and/or programmed to generate an output file of at least one of XCCDF data, CMRS data, or an xml file”, col. 8, lines 22-24, “An XCCDF document represents a structured collection of security configuration rules for some set of target systems”, col. 17, lines 44-54, “The method starts with the step of box 70 where the DoD security guidelines as captured in the STIG are obtained. The next step is the download of the STIG via the step indicated by arrow 71 onto the Subject System to configure the Subject System using the native OS and to sequentially or simultaneously input the STIG data in the step outlined by box 73”, col. 5, line 59-col. 6, line 11, “The method inputs into the computer system a script input comprising comma separated values (CSVs) that provide data for an evaluation of the computer system's compliance with the SSGS under consideration and codes a series of command lines into a Security Check Script (SCS) retained at least temporarily in the computer system memory using the native operating system of the computer system. The SCS performs at least a portion of the automated evaluation of the SSGS under consideration when executed and generates a series of condition codes. The method also assembles at least a portion of the condition codes into an output file formatted for at least partial determination of a compliance status of the computer system with the SSGS under consideration. The output file may provide data suitable to generate at least one of XCCDF data”]; generate a configuration compliance package to evaluate the at least one configuration setting of the system component for compliance to the STIG standard [col. 17, lines 55-61, “This programming to configure the Subject System and provide the SCS is again performed using embedded software that is resident in the computer's memory. This specific example employs a Microsoft.RTM. operating system and uses the embedded Windows PowerShell.RTM. and WMI as previously described. This programming provides the Subject System with a resident SCS as shown in box 73”, also see col. 12, lines 9-14, “Coding input 11 for compliance with a particular SSGS is provided to the Subject system computer for generating the SCS. The SCS is then generated as shown by the arrow of step 12 using the native operating system to configure the Subject System into a computer system having the SCS embedded for execution (See box 13.)”]; and output the configuration compliance package to enable a determination of 15compliance of the at least one configuration setting with the STIG standard [col. 17, lines 62-65, “The SCS programmed into the Subject System operates on the SSGS data and provides, via the step shown by step 74, the reports on STIG compliance that includes a % score for compliance and recommendations for improvement”, , also see col. 12, lines 14-17, “The compliance data 14 that makes up the SSGS is then input into the Subject System containing the embedded SCS for execution in the step 15”].
Kincaid et al. does not explicitly disclose reduce each of the individual security configuration rules to a STIG standard that identifies a system component of the computer system configuration and specifies at least one configuration setting for the system component.
However, Pettit et al. teaches reduce each of the individual security configuration rules to a STIG standard that identifies a system component of the computer system configuration and specifies at least one configuration setting for the system component [col. 2, lines 41-44, “Security policies in the improved systems and methods can be implemented using configurations that define particular behaviors of computing devices, where those behaviors are required by the security policies. For example, one configuration may require that a parameter be set on a computing device that ensures placement of a Wi-Fi status indicator on a menu bar of an operating system's graphical user interface. Another configuration may require that a firewall is enabled on a computing device”, col. 2, lines 57-58, “Collections of configurations that are based on compliance standards are also determined and stored over time”, col. 2, lines 61-67, “suggesting collections of configurations based on standardized security policies; allowing administrators of different enterprises to select configurations that represent security policies of interest to those enterprises, and to optionally select different sets of configurations for different polices that apply to different groups of computing devices”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Pettit et al. into the teaching of Kincaid et al. with the motivation for validating compliance with the configurations during scheduled intervals as taught by Pettit et al. [Pettit et al.: abs.].
They do not explicitly disclose analyze the STIC data file to identify protocol markers in the STIC  data file that delimit individual security rules; extract the individual security configuration rules from the STIC data file identified using the protocol markers.
However, Vasudevan et al. teaches analyze the STIC data file to identify protocol markers in the STIC  data file that delimit individual security rules [fig. 7, CONFIG_ITEM tag is the marker]; extract the individual security configuration rules from the STIC data file identified using the protocol markers [col. 17, lines 5-14, “the engine 500 may include code that parses and interprets the STIG configuration file 220 such as to determine the particular actions that need to be performed (e.g. modifications to the existing configuration) to harden the configuration for each enabled STIG requirement, or each enabled STIG category of requirements. Subsequently, the engine 500 may perform 512 such actions needed to harden the particular STIG requirements indicated as enabled (consistent with the STIG mode state information 240)”, col. 17, lines 21-33, “The STIG configuration file 610 may include a record or element for each STIG requirement applicable to a configuration. The file 610 is illustrated as include N configuration items, respectively for N STIG requirements. Element 612 provides further detail regarding what information may be specified for each configuration item or STIG requirement of the configuration file 610. Generally, element 612 illustrates a template for a single configuration item or STIG requirements. Line 612a specifies a unique identifier that may be used to uniquely distinguish and differentiate among all STIG requirements in the file 610. Line 612b specifies one of a set of predefined configuration item types…”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Vasudevan et al. into the teaching of Kincaid et al. and Pettit et al. with the motivation for persistently storing state information regarding configuration requirements, such as STIG (Security Technical Implementation Guides) requirements as taught by Vasudevan et al. [Vasudevan et al.: abs.].
Regarding claim 2, the rejection of claim 1 is incorporated.
Kincaid et al. further discloses the configuration compliance package is configured to execute on a computer system having the computer system configuration and compare the at least one configuration setting with the STIG standard [col. 4, line 66-col. 5, line 4, “This also includes configuration settings for application software installed on the system. Once that information is obtained, it can be compared to the security requirements given by the particular SSGS for compliance or lack of compliance or obtain information to support manual evaluation of compliance”].
Regarding claim 3, the rejection of claim 1 is incorporated.
Kincaid et al. further discloses the memory device further includes instructions that, when executed by the at least one processor, cause the system to: generate a computer script to initiate execution of a task on the computer system configuration to evaluate the at least one configuration setting and determine whether a value of the 25configuration setting corresponds to the STIG standard; and generate the configuration compliance package to include the computer script [col. 4, line 66-col. 5, line 4, “This also includes configuration settings for application software installed on the system. Once that information is obtained, it can be compared to the security requirements given by the particular SSGS for compliance or lack of compliance or obtain information to support manual evaluation of compliance”, col. 12, lines 57-60, “Decision box 31 shows a particular condition as COND (n) that is compared to a required value given by the SSGS and shown as SSGS (n)”, col. 18, line 35-44, “The specific type of programming required to generate the SCS and provide a system configured with an embedded SCS will vary with the nature of the SSGS. Such programming will typically require extensive coding of independent and nested decision statements that may lead to further selective script portions of the SCS. Ultimately the coding will develop a set of codes that indicate the security status or condition of the system and may include the aforementioned tags that allow the generation of appropriate textual output”].
Regarding claim 4, the rejection of claim 1 is incorporated.
Kincaid et al. further discloses the memory device further includes 30instructions that, when executed by the at least one processor, cause the system to 272865-18-11816-US-NP generate the configuration compliance package to output a compliance report indicating whether the configuration setting complies with the STIG standard [col. 17, line 62-col. 18, line 3, “The SCS programmed into the Subject System operates on the SSGS data and provides, via the step shown by step 74, the reports on STIG compliance that includes a % score for compliance and recommendations for improvement. The final step shown by box 75 is the desired end result of showing STIG compliance or improvements needed for STIG compliance. This final result is sought by those government agencies and the commercial agencies that support the DoD so that they show STIG compliance”].
Regarding claim 5, the rejection of claim 1 is incorporated.
Vasudevan et al. further teaches the configuration compliance package is 5loaded onto a portable storage medium and the configuration compliance package is transferred from the portable storage medium to a computing device that hosts the computer system [abs, “Techniques provide for persistently storing state information regarding configuration requirements, such as STIG (Security Technical Implementation Guides) requirements… The state information may be persistently stored and applied or hardened across multiple processor nodes as well as across system upgrades”, col. 7, lines 5-7, “The flash devices may be constructed using nonvolatile semiconductor NAND flash memory”, col. 7, lines 22-27, “The data storage array may also include one or more device interfaces 23 for facilitating data transfers to/from the data storage devices 16a-16n”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Vasudevan et al. into the teaching of Kincaid et al. and Pettit et al. with the motivation for persistently storing state information regarding configuration requirements, such as STIG (Security Technical Implementation Guides) requirements and applied or hardened across multiple processor nodes as taught by Vasudevan et al. [Vasudevan et al.: abs.].
Regarding claim 6, the rejection of claim 1 is incorporated.
Kincaid et al. further discloses the configuration compliance package is 10transferred over a computer network to a computing device that hosts the computer system configuration [see fig 4].
Regarding claim 7, Kincaid et al. discloses: A computer implemented method for determining compliance with security technical implementation guide (STIG) standards [col. 17, lines 34-36, “method and systems of this invention is in the evaluation of STIG compliance”], comprising: decompose STIG specifications contained in a STIG data file obtained from a STIG publisher into individual security configuration rules directed to system components of a computer system configuration [col. 7, lines 21-25, “The SCS may be coded in the system to transforms the CSVs for data transfer that is compatible with the command line format and/or programmed to generate an output file of at least one of XCCDF data, CMRS data, or an xml file”, col. 8, lines 22-24, “An XCCDF document represents a structured collection of security configuration rules for some set of target systems”, col. 17, lines 44-54, “The method starts with the step of box 70 where the DoD security guidelines as captured in the STIG are obtained. The next step is the download of the STIG via the step indicated by arrow 71 onto the Subject System to configure the Subject System using the native OS and to sequentially or simultaneously input the STIG data in the step outlined by box 73”, col. 5, line 59-col. 6, line 11, “The method inputs into the computer system a script input comprising comma separated values (CSVs) that provide data for an evaluation of the computer system's compliance with the SSGS under consideration and codes a series of command lines into a Security Check Script (SCS) retained at least temporarily in the computer system memory using the native operating system of the computer system. The SCS performs at least a portion of the automated evaluation of the SSGS under consideration when executed and generates a series of condition codes. The method also assembles at least a portion of the condition codes into an output file formatted for at least partial determination of a compliance status of the computer system with the SSGS under consideration. The output file may provide data suitable to generate at least one of XCCDF data”];5 receiving a request for a configuration compliance package to evaluate configuration settings of the system component for compliance with the STIG standard [col. 17, lines 44-54, “Similar to the overview of the method and system as shown in FIG. 1, FIG. 9 captures the basic steps of the invention as it may be applied on its specific application to STIG viewer information from the DISA Website. The method starts with the step of box 70 where the DoD security guidelines as captured in the STIG are obtained. The next step is the download of the STIG via the step indicated by arrow 71 onto the Subject System to configure the Subject System using the native OS and to sequentially or simultaneously input the STIG data in the step outlined by box 73”]; generating the configuration compliance package to evaluate the at least one configuration settings of the system component for compliance with the STIG standards [col. 17, lines 55-61, “This programming to configure the Subject System and provide the SCS is again performed using embedded software that is resident in the computer's memory. This specific example employs a Microsoft.RTM. operating system and uses the embedded Windows PowerShell.RTM. and WMI as previously described. This programming provides the Subject System with a resident SCS as shown in box 73”, also see col. 12, lines 9-14, “Coding input 11 for compliance with a particular SSGS is provided to the Subject system computer for generating the SCS. The SCS is then generated as shown by the arrow of step 12 using the native operating system to configure the Subject System into a computer system having the SCS embedded for execution (See box 13.)”]; and outputting the configuration compliance package to enable a determination of compliance of the at least one configuration settings with the STIG standards [col. 17, lines 62-65, “The SCS programmed into the Subject System operates on the SSGS data and provides, via the step shown by step 74, the reports on STIG compliance that includes a % score for compliance and recommendations for improvement”, , also see col. 12, lines 14-17, “The compliance data 14 that makes up the SSGS is then input into the Subject System containing the embedded SCS for execution in the step 15”].
Kincaid et al. does not explicitly disclose reduce each of the individual security configuration rules to a STIG standard that identifies a system component of the computer system configuration and specifies at least one configuration setting for the system component.
However, Pettit et al. teaches reduce each of the individual security configuration rules to a STIG standard that identifies a system component of the computer system configuration and specifies at least one configuration setting for the system component [col. 2, lines 41-44, “Security policies in the improved systems and methods can be implemented using configurations that define particular behaviors of computing devices, where those behaviors are required by the security policies. For example, one configuration may require that a parameter be set on a computing device that ensures placement of a Wi-Fi status indicator on a menu bar of an operating system's graphical user interface. Another configuration may require that a firewall is enabled on a computing device”, col. 2, lines 57-58, “Collections of configurations that are based on compliance standards are also determined and stored over time”, col. 2, lines 61-67, “suggesting collections of configurations based on standardized security policies; allowing administrators of different enterprises to select configurations that represent security policies of interest to those enterprises, and to optionally select different sets of configurations for different polices that apply to different groups of computing devices”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Pettit et al. into the teaching of Kincaid et al. with the motivation for validating compliance with the configurations during scheduled intervals as taught by Pettit et al. [Pettit et al.: abs.].
Regarding claim 8, the rejection of claim 7 is incorporated.
Kincaid et al. further discloses parsing the STIG data file to identify a protocol marker contained in the STIG data file the delimits a security configuration rule as being directed to the system component of the computer system configuration; and extracting the security configuration rule from the STIG file to allow the security configuration rule to be the STIG standard [col. 7, lines 21-25, “The SCS may be coded in the system to transforms the CSVs for data transfer that is compatible with the command line format and/or programmed to generate an output file of at least one of XCCDF data, CMRS data, or an xml file”, col. 8, lines 22-24, “An XCCDF document represents a structured collection of security configuration rules for some set of target systems”, col. 17, lines 44-54, “The method starts with the step of box 70 where the DoD security guidelines as captured in the STIG are obtained. The next step is the download of the STIG via the step indicated by arrow 71 onto the Subject System to configure the Subject System using the native OS and to sequentially or simultaneously input the STIG data in the step outlined by box 73”, col. 5, line 59-col. 6, line 11, “The method inputs into the computer system a script input comprising comma separated values (CSVs) that provide data for an evaluation of the computer system's compliance with the SSGS under consideration and codes a series of command lines into a Security Check Script (SCS) retained at least temporarily in the computer system memory using the native operating system of the computer system. The SCS performs at least a portion of the automated evaluation of the SSGS under consideration when executed and generates a series of condition codes. The method also assembles at least a portion of the condition codes into an output file formatted for at least partial determination of a compliance status of the computer system with the SSGS under consideration. The output file may provide data suitable to generate at least one of XCCDF data”].
Pettit et al. teaches reduce each of the individual security configuration rules to a STIG standard that identifies a system component of the computer system configuration and specifies at least one configuration setting for the system component [col. 2, lines 41-44, “Security policies in the improved systems and methods can be implemented using configurations that define particular behaviors of computing devices, where those behaviors are required by the security policies. For example, one configuration may require that a parameter be set on a computing device that ensures placement of a Wi-Fi status indicator on a menu bar of an operating system's graphical user interface. Another configuration may require that a firewall is enabled on a computing device”, col. 2, lines 57-58, “Collections of configurations that are based on compliance standards are also determined and stored over time”, col. 2, lines 61-67, “suggesting collections of configurations based on standardized security policies; allowing administrators of different enterprises to select configurations that represent security policies of interest to those enterprises, and to optionally select different sets of configurations for different polices that apply to different groups of computing devices”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Pettit et al. into the teaching of Kincaid et al. with the motivation for validating compliance with the configurations during scheduled intervals as taught by Pettit et al. [Pettit et al.: abs.].
Regarding claim 10, the rejection of claim 7 is incorporated.
Kincaid et al. further discloses generating the configuration compliance package further comprises generating a computer script for the STIG standard to initiate execution of a task on the computer system configuration to evaluate a configuration setting related to the STIG standard and determine whether the configuration setting complies with the STIG standard [col. 4, line 66-col. 5, line 4, “This also includes configuration settings for application software installed on the system. Once that information is obtained, it can be compared to the security requirements given by the particular SSGS for compliance or lack of compliance or obtain information to support manual evaluation of compliance”, col. 12, lines 57-60, “Decision box 31 shows a particular condition as COND (n) that is compared to a required value given by the SSGS and shown as SSGS (n)”, col. 18, line 35-44, “The specific type of programming required to generate the SCS and provide a system configured with an embedded SCS will vary with the nature of the SSGS. Such programming will typically require extensive coding of independent and nested decision statements that may lead to further selective script portions of the SCS. Ultimately the coding will develop a set of codes that indicate the security status or condition of the system and may include the aforementioned tags that allow the generation of appropriate textual output”].
Regarding claim 11, the rejection of claim 7 is incorporated.
Kincaid et al. further discloses generating the configuration compliance 20package further comprises generating the configuration compliance package to output an indication whether a configuration setting complies with the STIG standard [col. 4, line 66-col. 5, line 4, “This also includes configuration settings for application software installed on the system. Once that information is obtained, it can be compared to the security requirements given by the particular SSGS for compliance or lack of compliance or obtain information to support manual evaluation of compliance”, col. 17, lines 62-65, “The SCS programmed into the Subject System operates on the SSGS data and provides, via the step shown by step 74, the reports on STIG compliance that includes a % score for compliance and recommendations for improvement”, , also see col. 12, lines 14-17, “The compliance data 14 that makes up the SSGS is then input into the Subject System containing the embedded SCS for execution in the step 15”].
Regarding claim 12, the rejection of claim 7 is incorporated.
Vasudevan et al. further teaches outputting the configuration compliance 25package further comprises providing the configuration compliance package for transfer to an external storage device to allow the configuration compliance package to be loaded onto a computing device that hosts the system component [abs, “Techniques provide for persistently storing state information regarding configuration requirements, such as STIG (Security Technical Implementation Guides) requirements… The state information may be persistently stored and applied or hardened across multiple processor nodes as well as across system upgrades”, col. 7, lines 5-7, “The flash devices may be constructed using nonvolatile semiconductor NAND flash memory”, col. 7, lines 22-27, “The data storage array may also include one or more device interfaces 23 for facilitating data transfers to/from the data storage devices 16a-16n”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Vasudevan et al. into the teaching of Kincaid et al. and Pettit et al. with the motivation for persistently storing state information regarding configuration requirements, such as STIG (Security Technical Implementation Guides) requirements and applied or hardened across multiple processor nodes as taught by Vasudevan et al. [Vasudevan et al.: abs.].
Regarding claim 13, the rejection of claim 7 is incorporated.
Kincaid et al. discloses sending the 292865-18-11816-US-NPconfiguration compliance package over a computer network to a client computing device [see fig 4].
Vasudevan et al. further teaches outputting the configuration compliance 30package for transfer to the external storage device further comprises sending the 292865-18-11816-US-NP configuration compliance package over a computer network to a client computing device to enable the transfer of the configuration compliance package to the external storage device [abs, “Techniques provide for persistently storing state information regarding configuration requirements, such as STIG (Security Technical Implementation Guides) requirements… The state information may be persistently stored and applied or hardened across multiple processor nodes as well as across system upgrades”, col. 7, lines 5-7, “The flash devices may be constructed using nonvolatile semiconductor NAND flash memory”, col. 7, lines 22-27, “The data storage array may also include one or more device interfaces 23 for facilitating data transfers to/from the data storage devices 16a-16n”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Vasudevan et al. into the teaching of Kincaid et al. and Pettit et al. for sending the 292865-18-11816-US-NPconfiguration compliance package over a computer network to a client computing device to enable the transfer of the configuration compliance package to the external storage device with the motivation for persistently storing state information regarding configuration requirements, such as STIG (Security Technical Implementation Guides) requirements and applied or hardened across multiple processor nodes as taught by Vasudevan et al. [Vasudevan et al.: abs.].
Regarding claim 14, the rejection of claim 7 is incorporated.
Kincaid et al. further discloses outputting the configuration compliance package further comprises sending the configuration compliance package over a computer network to a client computing device that hosts the system component to allow the configuration compliance package to be executed on the client computing device [see fig 4].
Regarding claim 15, the rejection of claim 7 is incorporated.
Vasudevan et al. further teaches generating a configuration implementation package used to implement at least a portion of the STIG standards by updating configuration settings for the system component to values indicated by the STIG standards [see fig. 6, The actions performed 512 modify the configuration of the SP and generate a modified configuration 514 that is a configuration hardened in accordance with the enabled STIG requirements as indicated by the STIG mode state information 240].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Vasudevan et al. into the teaching of Kincaid et al. and Pettit et al. with the motivation for persistently storing state information regarding configuration requirements, such as STIG (Security Technical Implementation Guides) requirements and applied or hardened across multiple processor nodes as taught by Vasudevan et al. [Vasudevan et al.: abs.].
Regarding claim 16, the rejection of claim 7 is incorporated.
Kincaid et al. further discloses the system component included in the computer system configuration includes: an operating system, a software application, firmware, or programmable computer hardware [col. 4, line 66-col. 5, line 4, “This also includes configuration settings for application software installed on the system. Once that information is obtained, it can be compared to the security requirements given by the particular SSGS for compliance or lack of compliance or obtain information to support manual evaluation of compliance”].

Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over Kincaid et al. (US 10,360,408 B1), Pettit et al. (US 11,102,251 B1) and Vasudevan et al. (US 10,656,953 B1) as applied to claims 1-7 and 10-16 above, and further in view of Price et al. (US 2021/0110044 A1).
Regarding claim 9, the rejection of claim 8 is incorporated.
Kincaid et al. discloses obtaining the data file from an entity which publishes the security technical implementation guide.
Kincaid et al., Pettit et al. and Vasudevan et al. do not explicitly disclose wherein the data file includes one or more of an extensible configuration checklist description format 10(XCCDF) file, a security content automation protocol (SCAP) file, or a control correlation identifier (CCI) extensible markup language (XML) file.
However Price et al. teaches wherein the data file includes one or more of an extensible configuration checklist description format 10(XCCDF) file, a security content automation protocol (SCAP) file, or a control correlation identifier (CCI) extensible markup language (XML) file [par. 0007, “The SCC tool, when used with the latest STIG Security Content Automation Protocol ("SCAP") benchmarks for a given organization, generates results that are commonly cited artifacts in accreditation packages”, par. 0018, “the analysis software executable automates the running of an automated compliance-scanning tool, which automatically employs SCAP benchmarking to generate artifacts from a file in a format specifying security checklists, benchmarks and configuration documentation for certification and accreditation packages if such packages are desired”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Price et al. into the teaching of Kincaid et al., Pettit et al. and Vasudevan et al. with the motivation for the analysis software executable automates the running of an automated compliance-scanning tool as taught by Price et al. [Price et al.: par. 0018].

Claims 17 and 19-21 are rejected under 35 U.S.C. 103 as being unpatentable over Kincaid et al. (US 10,360,408 B1), Pettit et al. (US 11,102,251 B1), Vasudevan et al. (US 10,656,953 B1) and D’Onofrio et al. (US 2020/0119983 A1).
Regarding claim 17, it recites limitations similar to claims 7 and 8. The reason for the rejection of claims 7 and 8 is incorporated herein. 
Kincaid et al. disclose method for security compliance. 
Kincaid et al. does not explicitly security compliance service.
However D’Onofrio et al. teaches security compliance service [abs, “A back-end configuration management computer server may retrieve one of the secure configuration benchmarks and provision, by an orchestration engine, an initial operating system build in accordance with the retrieved secure configuration benchmark and an automation template. The back-end configuration management computer server may then apply, by a provisioning tool, enterprise-specific modifications to the initial operating system build to create an environment compliant with an enterprise standard benchmark”, par. 0022, “Further note that the back-end configuration management computer server 150 might also be associated with a third party, such as a vendor or cloud-based implementation that performs a service for an enterprise”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of D’Onofrio et al. into the teaching of Kincaid et al., Pettit et al. and Vasudevan et al. with the motivation to create an environment compliant with an enterprise standard benchmark as taught by D’Onofrio et al. [D’Onofrio et al.: par. 0004].
Regarding claim 19, the rejection of claim 17 is incorporated.
Kincaid et al. further discloses the configuration compliance package contains a plurality of computer scripts configured to initiate task on the computer system configuration to evaluate the at least one configuration settings 20of the system component and determine whether the at least one configuration settings corresponds to the STIG standards [abs, “A method and system for automating the evaluation of a computer system under a Software Security Guideline Set (SSGS) using the internal scripts and the script generating capability of the computer system under evaluation to perform much of the evaluation of the SSGS”].
Regarding claim 20, the rejection of claim 17 is incorporated.
However, Pettit et al. further teaches the security compliance service is a web application configured to provide configuration 25compliance packages to client devices [abs, col. 9, lines 43-52, “Particular embodiments described herein include computing devices that send a requests to a management platform at different time periods for lists of configurations that are assigned to those computing devices at those different time periods”, “each computing device uses a unique key to authenticate to a webapp API of the management platform 110. This computer-specific key is also used to identify which computing device is making the request, and the identity of the computing device is used to identify the configuration group to which that computing device belongs. The local agent calls a parameters API endpoint using its unique key to authenticate the request, and the management platform 110 (e.g., webapp) determines what data to send based upon the authentication”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Pettit et al. into the teaching of Kincaid et al. with the motivation for deploying configurations on computing devices and validating compliance with the configurations during scheduled intervals as taught by Pettit et al. [Pettit et al.: abs.].
Regarding claim 21, the rejection of claim 17 is incorporated.
Kincaid et al. discloses the request for the configuration compliance package.
However Pettit et al. further teaches the request for the configuration compliance package is received at an application programming interface (API) configured to provide client devices with an interface to the 30security compliance service [abs, col. 9, lines 43-52, “Particular embodiments described herein include computing devices that send a requests to a management platform at different time periods for lists of configurations that are assigned to those computing devices at those different time periods”, “each computing device uses a unique key to authenticate to a webapp API of the management platform 110. This computer-specific key is also used to identify which computing device is making the request, and the identity of the computing device is used to identify the configuration group to which that computing device belongs. The local agent calls a parameters API endpoint using its unique key to authenticate the request, and the management platform 110 (e.g., webapp) determines what data to send based upon the authentication”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Pettit et al. into the teaching of Kincaid et al. with the motivation for deploying configurations on computing devices and validating compliance with the configurations during scheduled intervals as taught by Pettit et al. [Pettit et al.: abs.].


Response to Arguments
Applicant’s arguments, filed on 10/11/2022, with respect to rejection under 35 USC § 103 have been fully considered but they are not persuasive.
On pages 9-10 of the Remarks, Applicant argues that “Vasudevan does not make up for the deficient teachings of Kincaid and Pettit. Indeed, there is nothing in col. 17, lines 21-33 of Vasudevan that teach or suggest identification of protocol markers that delimit individual security configuration rules that are directed to system components of a computer system configuration. Nor do these citations in Vasudevan teach or suggest the extraction of individual security configuration rules from the STIG data file using the protocol markers”.
In response, the Examiner respectfully disagrees. Fig. 7 of Vasudevan is an example illustrating in more detail information that may be included in configuration file specifying requirements in an embodiment. Each configuration item is defined by an CONFIG_ITEM tag (marker) and Vasudevan discloses “The STIG configuration file 610 may include a record or element for each STIG requirement applicable to a configuration. The file 610 is illustrated as include N configuration items, respectively for N STIG requirements. Element 612 provides further detail regarding what information may be specified for each configuration item or STIG requirement of the configuration file 610. Generally, element 612 illustrates a template for a single configuration item or STIG requirements. Line 612a specifies a unique identifier that may be used to uniquely distinguish and differentiate among all STIG requirements in the file 610” (col. 17, lines 21-32). Vasudevan further discloses “the engine 500 may include code that parses and interprets the STIG configuration file 220 such as to determine the particular actions that need to be performed (e.g. modifications to the existing configuration) to harden the configuration for each enabled STIG requirement, or each enabled STIG category of requirements. Subsequently, the engine 500 may perform 512 such actions needed to harden the particular STIG requirements indicated as enabled (consistent with the STIG mode state information 240)” (col. 17, lines 5-14). Therefore, the Examiner respectfully submits that Vasudevan teach/suggest the features of “analyze the STIC data file to identify protocol markers in the STIC  data file that delimit individual security rules; extract the individual security configuration rules from the STIC data file identified using the protocol markers” and the combination of Kincaid et al., Pettit et al. and Vasudevan et al. teaches all features of independent claims.
On page 10 of the Remarks regarding claims 2-7, 9-17 and 19-21, Applicant’s arguments rely upon or rehash the arguments addressed above. Therefore, the responses above are incorporated herein to address the remaining arguments.


Conclusion
The prior art made of record and not relied upon is considered pertinent to Applicant’s disclosure:
US 20180091558 A1		Secure Configuration Evaluation, Remediation, and Reporting Tool (SCERRT)
US 20180053132 A1		Plan of Action and Milestones (POA&M) Automated Generation Engine (PAGE) System and Related Methods
US 20150193629 A1		AUTOMATING THE CREATION AND MAINTENANCE OF POLICY COMPLIANT ENVIRONMENTS
US 20150213268 A1		REMOTE ENTERPRISE SECURITY COMPLIANCE REPORTING TOOL
US 20100058114 A1		SYSTEMS AND METHODS FOR AUTOMATED MANAGEMENT OF COMPLIANCE OF A TARGET ASSET TO PREDETERMINED REQUIREMENTS
US 20180121658 A1		CYBER RISK ASSESSMENT AND MANAGEMENT SYSTEM AND METHOD

THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to JASON CHIANG whose telephone number is (571)270-3393.  The examiner can normally be reached on 9 AM to 6 PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on (571) 272-2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/JASON CHIANG/Primary Examiner, Art Unit 2431