Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Detailed Action
Remarks
	This communication has been issued in response to Applicant’s submitted claim language filed 27 May 2021.  Claims 1-20 are pending in this application.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 27 May 2021 was filed along with the mailing date of the disclosure.  The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.


Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

	Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more.  Applicant’s Independent Claim 1 provides for “detecting that an asset stored on a storage device of a computer system is omitted from an asset-specific access policy”, “scoring, using a utilization history of the asset, a criticality of the asset, the scoring comprising generating a first criticality score for the asset”, “classifying, using the first criticality score, the asset into a policy category”, and “applying, to the asset, a selected access policy, the selected access policy selected from a set of access policies assigned to a set of assets in the policy category, the selected access policy specifying an access restriction of the asset” containing limitations that can practically be performed in the human mind, and as such, under the broadest reasonable interpretation they amount to a mental process.  The acts of detecting, scoring, classifying, and applying can all be accomplished using mental steps, without the use of a computing component, and can entail the visual and mental management and classification of documents representing assets, for example.   
 Claim 1 as currently provided, fails to recite additional elements that integrate the judicial exception disclosed above into a practical application.  The “storage device of a computer system” are recited at a high-level of generality (i.e., as a generic storage device for performing generic computer functions of, “detecting that an asset...is omitted from an asset-specific access policy”, “scoring...a criticality of the asset...”, “classifying...the asset into a policy category”, and “applying...a selected access policy, the selected access policy selected from a set of access policies assigned to a set of assets in the policy category...”) such that they amount to no more than mere instructions to apply the exception using one or more generic computer components.  The mere execution of these tasks using one or more generic computing components does not integrate an abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. 
	The claim as currently presented does not recite additional elements that amount to significantly more than the judicial exception analyzed above. As discussed above with respect to integration of the abstract idea into a practical application, the additional elements of utilizing a “storage device of a computer system”, “A computer program product for digital asset management...comprising: one or more computer readable storage media...”, and “A computer system comprising one or more processors, one or more computer- readable memories, and one or more computer-readable storage devices...” for detecting that an asset is omitted, as stated within at least Independent Claims 1, 10 & 20, amount to no more than mere instructions applying the exception using generic computer components.  Applicant’s disclosure, at least within paragraphs [0004-0006], provide the mere use of one or more computer storage devices within a computer system utilizing one or more processors and one or more computer-readable memories for the execution of “detecting”, “scoring”, “classifying”, and “applying” steps corresponding to one or more assets.   Applicant’s limitations utilizing components such as “a utilization history” and “a first criticality score” for at least the scoring and classifying of assets in the computer system amount to the mere selection, scoring, and classification of assets, similar to at least Selecting information, based on types of information and availability of information in a power-grid environment, for collection, analysis and display, Electric Power Group, LLC v. Alstom S.A., 830 F.3d 1350, 1354-55, 119 USPQ2d 1739, 1742 (Fed. Cir. 2016)). 
Independent Claims 10 & 20 have been analyzed using similar rationale and is similarly not patent eligible is directed to an abstract idea without significantly more.  

	Claim 2, and corresponding Claim 11 dependent upon Independent Claim 10, recites the limitation, “scoring...the criticality of the asset”, which is a well-understood, routine and conventional technique commonly used within the application of a computer, and which continues to account for the mere scoring of an asset to determine its criticality, and which is insignificant extra-solution activity, similar to the mere scoring and classification of information based on an activity log of Consulting and updating an activity log, Ultramercial, 772 F.3d at 715, 112 USPQ2d at 1754), making them not enough to turn the abstract idea of the Independent Claims into a practical application.  Additionally, the use of “a collaboration history of the asset,” for the determination of a criticality score for an asset within Claim 2 is recited at a high level of generality (i.e., as a means for scoring assets) and amount to insignificant extra-solution activity.
	Claim 3, and corresponding Claim 12 dependent upon Independent Claim 10, recites the limitation, “scoring...the criticality of the asset”, which is a well-understood, routine and conventional technique commonly used within the application of a computer, and which continues to account for the mere scoring of an asset to determine its criticality, and which is insignificant extra-solution activity, similar to the mere scoring and classification of information based on an activity log of Consulting and updating an activity log, Ultramercial, 772 F.3d at 715, 112 USPQ2d at 1754), making them not enough to turn the abstract idea of the Independent Claims into a practical application.  Additionally, the use of “user role data recorded in the utilization history of the asset” for the determination of a criticality score for an asset within Claim 3 is recited at a high level of generality (i.e., as a means for scoring assets) and amount to insignificant extra-solution activity.
	Claim 4, and corresponding Claim 13 dependent upon Independent Claim 10, recites the limitation, “scoring...the criticality of the asset”, which is a well-understood, routine and conventional technique commonly used within the application of a computer, and which continues to account for the mere scoring of an asset to determine its criticality, and which is insignificant extra-solution activity, similar to the mere scoring and classification of information based on an activity log of Consulting and updating an activity log, Ultramercial, 772 F.3d at 715, 112 USPQ2d at 1754), making them not enough to turn the abstract idea of the Independent Claims into a practical application.  Additionally, the use of “a topic of the asset determined using a natural language processing engine” for the determination of a criticality score for an asset within Claim 4 is recited at a high level of generality (i.e., as a means for scoring assets) and amount to insignificant extra-solution activity.
	Claim 5, and corresponding Claim 14 dependent upon Independent Claim 10, recites the limitation, “scoring...the criticality of the asset”, which is a well-understood, routine and conventional technique commonly used within the application of a computer, and which continues to account for the mere scoring of an asset to determine its criticality, and which is insignificant extra-solution activity, similar to the mere scoring and classification of information based on an activity log of Consulting and updating an activity log, Ultramercial, 772 F.3d at 715, 112 USPQ2d at 1754), making them not enough to turn the abstract idea of the Independent Claims into a practical application.  Additionally, the use of components such as “natural language comment data of the asset”, ”natural language processing engine” and “a trained topic classification model” for the determination of a criticality score for an asset within Claim 5 is recited at a high level of generality (i.e., as a means for scoring assets) and amount to insignificant extra-solution activity.
	Claim 6, and corresponding Claim 15 dependent upon Independent Claim 10, recites the limitation, “allowing, according to the access restriction, access to the asset”, which is a well-understood, routine and conventional technique commonly used within the application of a computer, and which continues to account for the mere accessing of one or more assets based on adherence to one or more constraints, and which is insignificant extra-solution activity, similar to the mere accessing of information of Selecting information, based on types of information and availability of information in a power-grid environment, for collection, analysis and display, Electric Power Group, LLC v. Alstom S.A., 830 F.3d 1350, 1354-55, 119 USPQ2d 1739, 1742 (Fed. Cir. 2016), making them not enough to turn the abstract idea of the Independent Claims into a practical application.  Additionally, the use of components such as “access restrictions” for the accessing of an asset within Claim 6 is recited at a high level of generality (i.e., as a means for accessing assets) and amount to insignificant extra-solution activity.
	Claim 7, and corresponding Claim 16 dependent upon Independent Claim 10, recites the limitation, “disallowing, according to the access restriction, access to the asset”, which is a well-understood, routine and conventional technique commonly used within the application of a computer, and which continues to account for the mere restriction of accessing of one or more assets based on adherence to one or more constraints, and which is insignificant extra-solution activity, similar to the mere accessing or disallowance of information of Selecting information, based on types of information and availability of information in a power-grid environment, for collection, analysis and display, Electric Power Group, LLC v. Alstom S.A., 830 F.3d 1350, 1354-55, 119 USPQ2d 1739, 1742 (Fed. Cir. 2016), making them not enough to turn the abstract idea of the Independent Claims into a practical application.  Additionally, the use of components such as “access restrictions” for the restriction from accessing of an asset within Claim 7 is recited at a high level of generality (i.e., as a means for accessing assets) and amount to insignificant extra-solution activity.
	Claim 8 recites the limitation, “replicating, according to the selected access policy, the asset, the replicated asset stored on a second storage device separate from the storage device”, which is a well-understood, routine and conventional technique commonly used within the application of a computer, and which continues to account for the mere replication and storage of one or more assets based on policies or rulesets, and which is insignificant extra-solution activity, similar to the mere manipulation and storage of information of Selecting information, based on types of information and availability of information in a power-grid environment, for collection, analysis and display, Electric Power Group, LLC v. Alstom S.A., 830 F.3d 1350, 1354-55, 119 USPQ2d 1739, 1742 (Fed. Cir. 2016), making them not enough to turn the abstract idea of the Independent Claims into a practical application.  Additionally, the use of components such as “access policy” and “a second storage device” for the respective replication and storage an asset within Claim 8 is recited at a high level of generality (i.e., as a means for accessing assets) and amount to insignificant extra-solution activity.
	Claim 9 recites the limitation, “scoring, at a second time, an updated criticality of the asset, the scoring comprising generating an updated criticality score of the asset”, “classifying, using the updated criticality score, the asset into an updated policy category”, and “applying, to the asset, responsive to determining that the updated policy category differs from the policy category, an updated selected access policy, the updated selected access policy selected from a second set of access policies assigned to a second set of assets in the updated policy category” , which is a well-understood, routine and conventional technique commonly used within the application of a computer, and which continues to account for the mere “scoring”, “classification”, and “applying” limitations corresponding to one or more assets, and which are insignificant extra-solution activity, similar to the mere scoring and classification of information of Selecting information, based on types of information and availability of information in a power-grid environment, for collection, analysis and display, Electric Power Group, LLC v. Alstom S.A., 830 F.3d 1350, 1354-55, 119 USPQ2d 1739, 1742 (Fed. Cir. 2016), making them not enough to turn the abstract idea of the Independent Claims into a practical application.  Additionally, the use of components such as “an updated criticality of the asset” and “access policy” for the determination of an updated criticality score an asset within Claim 9 is recited at a high level of generality (i.e., as a means for accessing assets) and amount to insignificant extra-solution activity.
	Claim 17 recites the limitation, “wherein the stored program instructions are stored in the at least one of the one or more storage media of a local data processing system, and wherein the stored program instructions are transferred over a network from a remote data processing system”, is a well-understood, routine and conventional technique commonly used within the application of a computer and its components, and continues to account for the mere storage of program instructions corresponding to one or more assets, and which are insignificant extra-solution activity, similar to the mere storage of information of Consulting and updating an activity log, Ultramercial, 772 F.3d at 715, 112 USPQ2d at 1754), making them not enough to turn the abstract idea of the Independent Claims into a practical application.  The use of components such as “one or more storage media of a local data processing system” and “a network from a remote data processing system” for the transmission and storage of asset information within Claim 17 is recited at a high level of generality (i.e., as a means for transmitting and storing of assets), amount to no more than mere instructions to apply the exception using one or more generic computer components.  The mere execution of these tasks using one or more generic computing components does not integrate an abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea.
	Claim 18 recites the limitation, “wherein the stored program instructions are stored in the at least one of the one or more storage media of a server data processing system, and wherein the stored program instructions are downloaded over a network to a remote data processing system for use in a computer readable storage device associated with the remote data processing system”, is a well-understood, routine and conventional technique commonly used within the application of a computer and its components, and continues to account for the mere storage of program instructions corresponding to one or more assets, and which are insignificant extra-solution activity, similar to the mere storage of information of Consulting and updating an activity log, Ultramercial, 772 F.3d at 715, 112 USPQ2d at 1754), making them not enough to turn the abstract idea of the Independent Claims into a practical application.  The use of components such as “one of the one or more storage media of a server data processing system”, “a network from a remote data processing system” and “a computer readable storage device associated with the remote data processing system” for the transmission and storage of asset information within Claim 18 is recited at a high level of generality (i.e., as a means for transmitting and storing of assets), amount to no more than mere instructions to apply the exception using one or more generic computer components.  The mere execution of these tasks using one or more generic computing components does not integrate an abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea.
Claim 19 recites the limitation, “wherein the computer program product is provided as a service in a cloud environment”, is a well-understood, routine and conventional technique commonly used within the application of a computer and its components, and continues to account for the mere utilization of program instructions for a service being provided which corresponds to one or more assets, and which are insignificant extra-solution activity, similar to the mere storage of information of Consulting and updating an activity log, Ultramercial, 772 F.3d at 715, 112 USPQ2d at 1754), making them not enough to turn the abstract idea of the Independent Claims into a practical application.  The use of components such as “a cloud environment” for the transmission and storage of asset information within Claim 19 is recited at a high level of generality (i.e., as a means for transmitting and storing of assets), amount to no more than mere instructions to apply the exception using one or more generic computer components.  The mere execution of these tasks using one or more generic computing components does not integrate an abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claim 1-3, 6-10-12 & 15-20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Ahuja et al (USPG Pub No. 20140173739A1; Ahuja hereinafter).

As for Claim 1, Ahuja teaches, A computer-implemented method comprising: 
“detecting that an asset stored on a storage device of a computer system is omitted from an asset-specific access policy” (see pp. [0043-0044]; e.g., Paragraph [0043] teaches of the use of at least sensors or agents for the monitoring and data collection corresponding to assets, providing security for those assets in the form of one or more countermeasures.  A “passive countermeasures” are utilized after the detection of a threat towards the one or more assets by one or more sensors/agents assigned to monitor an asset and collect information.  As stated within the cited paragraph [0043], “a passive countermeasure may be configured to detect data having a signature associated with a particular attack, and block data with that signature”, thus, omitting/removing data with a signature recognized as being a threat based on configured passive countermeasures being executed, reading on Applicant’s claimed limitation.  The reference of Ahuja provides for automated asset criticality assessment, where assets are protected by one or more active countermeasures used to make changes to the configuration of assets and/or eliminate vulnerability by changing the existing passive countermeasures applied to the one or more assets); 
“scoring, using a utilization history of the asset, a criticality of the asset, the scoring comprising generating a first criticality score for the asset” (see pp. [0025], [0030]; e.g., the reference of Ahuja teaches of determining a criticality metric, such as a criticality rating and/or score based on at least rules being defined that correlate types of patterns of asset usage with high criticality, and/or collected data regarding the usage of an assets collected from one or more utilities and tools within a computing environment, considered equivalent to Applicant’s “utilization history of the asset” influencing its criticality.  Paragraph [0025] teaches of the various attributes that pertain to a particular asset and are evaluated by at least an “assessment engine”, such as “network traffic patterns involving or referencing the asset”, “change control”, and “status of an asset within an environment”, where at least “network traffic patterns involving or referencing the asset” is indicative of the usage of one or more assets over the network); 
“classifying, using the first criticality score, the asset into a policy category” (see pp. [0012]; e.g., the reference of Ahuja teaches that assets can be categorized by at least one or more of a “type” attribute.  Paragraph [0029] teaches of the incorporation of “content rules” that involve the characterization of assets into various categories through evaluation of characteristics of the content, such as its type, role or purpose within the environment, where and how the data is served or stored, etc., further reading on Applicant’s claimed limitation.  This information is further used as indicators to the data’s criticality, and as the identification of protections that are in place for the assets, considered equivalent to an indication of a “policy category); and 
“applying, to the asset, a selected access policy, the selected access policy selected from a set of access policies assigned to a set of assets in the policy category, the selected access policy specifying an access restriction of the asset” (see pp. [0032-0033], [0044]; e.g., paragraph [0032] of the Ahuja reference states that content rules can be applied to assist in determining the criticality of device assets or system-type assets that manage, store, access, or otherwise use content.  As stated the cited paragraph [0032], “... content-based security policies, schemes, and tools and deployment or association of the protections with various system- and/or application-type assets can be defined by content rules 246 as evidence of a system- and/or application-type asset's criticality. For example, data loss protection, content management tools, etc. can identify the extent to which an system- and/or application-type asset is permitted or authorized to access a particular content-type asset, as well as what type of access and activities permitted for the system- and/or application-type asset. Such information can be used to identify, based on content rules 246, the importance or value of the system- and/or application-type asset within the computing environment, among other examples”, providing evidence that appropriate policies, schemes, and tools can be applied to assets based at least in part on their content rules.  Traffic Rules, mentioned within the following paragraph [0033], are utilized in a similar fashion as content rules, as monitored and collected data relating to the network traffic of one or more assets, such as “the types of protocols and protections (e.g., encryption) applied to the traffic”, is taken into consideration for the determination of criticality.  Paragraph [0044] teaches of “active countermeasures” being applied to one or more assets for protection to eliminate vulnerabilities that may be masked by existing “passive countermeasures”.  Active countermeasures can close a back-door that was open on an asset or correct another type of system vulnerability, thus, applying one or more policies that specify an access restriction on an asset).  

As for Claim 2, Ahuja teaches, “scoring, using a collaboration history of the asset, the criticality of the asset” (see pp. [0025], [0030]; e.g., the reference of Ahuja teaches of determining a criticality metric, such as a criticality rating and/or score based on at least rules being defined that correlate types of patterns of asset usage with high criticality, and/or collected data regarding the usage of an assets collected from one or more utilities and tools within a computing environment, considered equivalent to Applicant’s “collaboration history of an asset” influencing its criticality.  Paragraph [0025] teaches of the various attributes that pertain to a particular asset and are evaluated by at least an “assessment engine”, such as “network traffic patterns involving or referencing the asset”, “change control”, and “status of an asset within an environment”, where at least “network traffic patterns involving or referencing the asset” is indicative of various combined uses of one or more assets over the network).  

As for Claim 3, Ahuja teaches, “scoring, using user role data recorded in the utilization history of the asset, the criticality of the asset” (see pp. [0029]; e.g., the reference of Ahuja teaches of taking user roles into consideration when assessing the criticality of an asset.  As stated within the cited paragraph, “data created by or owned by a non-administrator, non-management user, etc. can be regarded as being generally less critical than similar data created or managed by a system administrator, upper-level manager, etc.”, providing teachings that user role plays a part in determining the criticality of an asset).  

As for Claim 6, Ahuja teaches, “allowing, according to the access restriction, access to the asset” (see pp. [0030], [0032]; e.g., the reference of Ahuja teaches of applying “content rules” to assist in determining criticality of device assets or system-type assets, where a system asset can be identified as “having or permitting access to...content of an asset”, for example.  According to paragraph [0030], “content rules” can pertain to how, how often, and under what conditions, etc. particular data is accessed, executed, or otherwise used by other assets).  

As for Claim 7, Ahuja teaches, “disallowing, according to the access restriction, access to the asset” (see pp. [0065]; e.g., As taught within the cited paragraph [0065], a server can host content where some content and application assets hosted by the data server can be protected through access control policies, data loss prevention protocols and policies, therefore, preventing access to assets based on at least access controls that apply restrictions on access).  

As for Claim 8, Ahuja teaches, “replicating, according to the selected access policy, the asset, the replicated asset stored on a second storage device separate from the storage device” (see pp. ; e.g., the reference of Ahuja, at least within paragraph [0043], provides teachings into the creation of back-up copies of particular files targeted by an attack, which was applied by at least a “risk assessment engine” that uses passive countermeasures issued by at least “host-based intrusion prevention systems”).  

As for Claim 9, Ahuja teaches, 
“scoring, at a second time, an updated criticality of the asset, the scoring comprising generating an updated criticality score of the asset” (see pp. [0036-0040]; e.g., the cited paragraphs [0036-0040] discuss the utilization of user rules, which can be defined and used in automated criticality assessments of assets.  User rules map associations between an asset and a plurality of other factors that would cause and increase or decrease in the criticality of an asset.  User rules can dictate that an asset frequently interacted with or used by one or more of a group of users can result in increases to the asset’s criticality rating, reading on Applicant’s claimed limitation, as an increase to the criticality of an asset is an update to an existing criticality score based on one or more factors.  Paragraph [0038] provides an example of context being considered in automated critical assessments, such as “temporal considerations” influencing the criticality of an asset from one instance to another, which is indicative of Applicant’s “second time” for the updating of a criticality score); 
“classifying, using the updated criticality score, the asset into an updated policy category” (see pp. [0058]; e.g., paragraph [0058] teaches of criticality ratings being based on attribute information and data from one or more sources, where categories of attribute information can be identified and considered together in the generation of category-specific criticality ratings (or subscores), such as attribute information from traffic-related information. Paragraphs [0064-0065] teach of the incorporation of security policies, tools and protocols already employed in connection with an asset.  Rules and criteria can be further established for use in criticality assessment .   According to paragraph [0074], criticality of an asset, such as a criticality rating, can be considered to prioritize management, scans, countermeasure deployment, and other activities within a computing environment, with higher criticality assets receiving attention before lower criticality assets, reading on the claimed limitation, as the criticality of an asset is used to update countermeasure deployment {i.e. Applicant’s “updated policy category”}); and 
“applying, to the asset, responsive to determining that the updated policy category differs from the policy category, an updated selected access policy, the updated selected access policy selected from a second set of access policies assigned to a second set of assets in the updated policy category” (see pp. [0073-0074], [0080]; e.g., the reference of Ahuja, within the cited paragraphs, states, “...determining the criticality rating can include determining whether the set of attributes correspond with a set of characteristics defined as evidencing higher or lower criticality of assets within the computing environment. The set of characteristics can be embodied in rules, criteria, logic, etc... Particular subsets of a library of checks can be identified as pertaining to or relevant to a particular asset or asset type as well”.  A set of attributes being assessed from monitored communications can include at least an “amount of traffic over the network”, “a role of a particular asset”, and security protections deployed in connection with the particular asset, where security protections can be one of data loss prevention, change control policies, and access control).  
The combined references of Ahuja and Pang are considered analogous art for being within the same field of endeavor, which is priority ranking of assets/endpoints within a network.  Therefore, it would have been obvious to one of ordinary skill in the art by the effective filing date of the claimed invention to have combined the utilization of natural language processing techniques when deriving at least a criticality metric, as taught by Pang, with the method of Ahuja, because there can be a large number of endpoints that can be compromised within a network, and it would be important to triage other nodes within the network to determine whether they are also compromised or at risk of being compromised while awaiting triage (Pang; [0003])


Claims 10-12, 15 & 16 amount to a computer program product comprising instructions that, when executed by one or more processors, performs the computer-implemented method of Claims 1-3, 6 & 7, respectively.  Accordingly, Claims 10-12, 15 & 16 are rejected for substantially the same reasons as presented above for Claims 1-3, 6 & 7 and based on the references’ disclosure of the necessary supporting hardware and software (Ahuja; see pp. [0011-0014]; e.g., method for implementation integrating hardware and software components).


As for Claim 17, Ahuja teaches, “wherein the stored program instructions are stored in the at least one of the one or more storage media of a local data processing system” (see pp. [0014], [0076]; e.g., utilizing a criticality assessment server within a computing environment having system assets that can include one or more local client or endpoint devices that connect to servers over a network.  Paragraph [0076] teaches of the utilization of computer storage medium), and 
“wherein the stored program instructions are transferred over a network from a remote data processing system” (see pp. [0014]; e.g., as stated within rationale provided above, the Ahuja reference teaches of utilizing a criticality assessment server within a computing environment having system assets that can include one or more local client or endpoint devices that connect to servers over a network).  

As for Claim 18, Ahuja teaches, “wherein the stored program instructions are stored in the at least one of the one or more storage media of a server data processing system” (see pp. [0010], [0076]; e.g., utilizing a criticality assessment server within a computing environment having server assets that host applications, services, databases and other data stores.  Paragraph [0076] teaches of the utilization of computer storage medium), and 
“wherein the stored program instructions are downloaded over a network to a remote data processing system for use in a computer readable storage device associated with the remote data processing system” (see pp. [0012]; e.g., the reference of Ahuja teaches of assets within the computing environment being used or consumed by other software/hardware assets of the computing environment, such as “remote hosts or data sources outside of environment”, reading on Applicant’s claimed limitation).  

As for Claim 19, Ahuja teaches, “wherein the computer program product is provided as a service in a cloud environment” (see pp. [0039], [0075]; e.g., implementing criticality assessments in a cloud computing environment).  

Claim 20 amounts to a computer system comprising instructions that, when executed by one or more processors, performs the computer-implemented method of Claim 1.  Accordingly, Claim 20 is rejected for substantially the same reasons as presented above for Claim 1, and based on the references’ disclosure of the necessary supporting hardware and software (Ahuja; see pp. [0011-0014]; e.g., method for implementation integrating hardware and software components).


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 4, 5, 13 & 14 are rejected under 35 U.S.C. 103 as being unpatentable over Ahuja et al (USPG Pub No. 20140173739A1; Ahuja hereinafter) in view of PANG et al (USPG Pub No. 20160359891A1; Pang hereinafter).

As for Claim 4, the reference of Ahuja provides for automated asset criticality assessment.
Ahuja does not recite the limitation of, “scoring, using a topic of the asset determined using a natural language processing engine, the criticality of the asset”.
Pang teaches, “scoring, using a topic of the asset determined using a natural language processing engine, the criticality of the asset” (see pp. [0012],[0037]; e.g., the reference of Pang serves as an enhancement to the teachings of Ahuja by providing for application monitoring prioritization that determines at least a “criticality ranking” and a secondary value for a first endpoint in a datacenter, which can be combined to generate a priority ranking for a second endpoint.  As stated within the cited paragraph [0037], a search filter within a web frontend can be configured to allow a user to filter by search, and utilizes “natural language processing” to analyze a user’s input, reading on Applicant’s claimed invention, as topics/subject matter can be derived from user input using the natural language processing method). 
The combined references of Ahuja and Pang are considered analogous art for being within the same field of endeavor, which is priority ranking of assets/endpoints within a network.  Therefore, it would have been obvious to one of ordinary skill in the art by the effective filing date of the claimed invention to have combined the utilization of natural language processing techniques when deriving at least a criticality metric, as taught by Pang, with the method of Ahuja, because there can be a large number of endpoints that can be compromised within a network, and it would be important to triage other nodes within the network to determine whether they are also compromised or at risk of being compromised while awaiting triage (Pang; [0003])  


As for Claim 5, the reference of Ahuja provides for automated asset criticality assessment.
Ahuja does not recite the limitation of, “scoring, using natural language comment data of the asset, the criticality of the asset, the natural language comment data extracted using a natural language processing engine and classified using a trained topic classification model”.
Pang teaches, “scoring, using natural language comment data of the asset, the criticality of the asset, the natural language comment data extracted using a natural language processing engine and classified using a trained topic classification model” (see pp. [0037], [0055-0056], [0067]; e.g., as stated within rationale provided above, At paragraph [0037], Pang provides for the use of a search filter within a web frontend that can be configured to allow a user to filter by search, and utilizes “natural language processing” to analyze a user’s input, where a user’s input is considered equivalent to Applicant’s natural language comment data that is being considered for the scoring of an endpoint/asset.  According to at least paragraphs [0055-0056], a business criticality ranking can be established for a variety of endpoint classifications, as provided by at least a network monitoring system, where the network monitoring system creates a dependency map to inform of criticality rankings, and prioritizes endpoints assigned higher business criticality rankings.  Paragraph [0067] teaches of the use of at least “machine learning” to allow the system to monitor scenarios of compromised nodes, and test/apply various priority rankings in order to minimize problems for other endpoints by varying the priority ranking.  The machine learning program, considered equivalent to Applicant’s “trained topic classification model”, learns based on multiple run simulations of compromised endpoints becoming compromised by events such as threats {i.e. [0065]}).  
The combined references of Ahuja and Pang are considered analogous art for being within the same field of endeavor, which is priority ranking of assets/endpoints within a network.  Therefore, it would have been obvious to one of ordinary skill in the art by the effective filing date of the claimed invention to have combined the utilization of natural language processing techniques when deriving at least a criticality metric, as taught by Pang, with the method of Ahuja, because there can be a large number of endpoints that can be compromised within a network, and it would be important to triage other nodes within the network to determine whether they are also compromised or at risk of being compromised while awaiting triage (Pang; [0003])  

Claims 13 & 14 amount to a computer program product comprising instructions that, when executed by one or more processors, performs the computer-implemented method of Claims 4 & 5, respectively.  Accordingly, Claims 13 & 14 are rejected for substantially the same reasons as presented above for Claims 4 & 5 and based on the references’ disclosure of the necessary supporting hardware and software (Ahuja; see pp. [0011-0014]; e.g., method for implementation integrating hardware and software components).


Conclusion
The prior art made of reference and not relied upon is considered pertinent to Applicant’s disclosure.  
***Reehill et al (USPG Pub No. 20200201874A1) teaches systems and methods for providing dynamically configured responsive storage.
***Todd et al (US Patent No. 10,303,690B1) teaches automated identification and classification of critical data elements.
**Lerner et al (US Patent No. 10,282,426B1) teaches asset inventory reconciliation services for use in asset management architectures.
***Berti et al (USPG Pub No. 20190251489A1) teaches a blockchain-implemented digital agreement management for digital twin assets.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to RAHEEM HOFFLER whose telephone number is (571)270-1036. The examiner can normally be reached Monday-Friday: 10:00am-2:00pm; 6pm-10:00pm w/ flex.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Tamara Kyle can be reached on 5712724241. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/TAMARA T KYLE/Supervisory Patent Examiner, Art Unit 2156                                                                                                                                                                                                        
/RAHEEM HOFFLER/
Examiner
Art Unit 2156

								11/14/2022