Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-4 and 6-9 are rejected under 35 U.S.C. 103 as being unpatentable over Parekh et al., USPN 2022/0210196, in view of Patel et al., USPN 2021/0211452, in further view of Tamir et al., USPN 2018/0219908.
With regard to claims 6 and 1, Parekh discloses a method of performing cybersecurity risk tracking (0077-0078), including steps of associating parameters with activities an organization is required to or should perform (0138, 0078, 0075, 0081), quantitatively classifying cybersecurity compliance with respect to the parameters (0094, 0079), identifying deficiencies with respect to the cybersecurity compliance (0094), and reporting at least some of the cybersecurity compliance and deficiencies (0093-0095), wherein the step of identifying deficiencies uses an adaptive risk model (0041, 0082), and wherein the adaptive risk model further includes at least identifying capability for cybersecurity (0097, 0075), quantifiably measuring cybersecurity maturity based at least in part on the identifying of capability (0097, 0094, 0081, 0082), prioritizing remediation activities based at least in part on the measuring (0075, 0094), and focusing remediation efforts based at least in part on the prioritizing (0075, 0094), and wherein the steps of associating and identifying are performed in a software as a service framework agnostic manner (0082). Parekh further discloses setting a baseline for triggering alerts (098), but does not disclose that a baseline for compliance is corrected at least in part based on the adaptive risk model and a definition of possibly highest potential impacts to delivery of business services. Patel discloses an adaptive (0065) cybersecurity risk tracking system (0003, 0037) similar to that of Parekh. Patel further discloses a baseline for compliance is corrected at least in part based on the adaptive risk model (“at least one management action to each vulnerability” 0038). It would have been obvious for one of ordinary skill in the art, prior to the instant effective filing date, to implement the baseline remediation of Patel in the method of Parekh for the motivation of improved protection of most vulnerable and valuable assets, to better protect from greater risk. Patel discloses that part of determining the risk baseline is a definition of possibly highest potential impacts to patients, such as not having a CT scanner available (0066), but does not specifically disclose the potential impact is to delivery of business services. Parekh also does not teach this limitation. Tamir discloses a system of prioritizing risk of cyber-attacks and remediation (0003, 0049-0066), similar to that of Patel and Parekh, and further discloses the risk baseline is and a definition of possibly highest potential impacts to delivery of business services (0073, 0086). It would have been obvious for one of ordinary skill in the art, prior to the instant effective filing date, to consider the business services affected by a cyber-attack, as taught by Tamir, in the prioritization system of Parekh in view of Patel for the motivation of improved protection and intelligent prioritization, a stated motivation of Parekh (0074, 0094), Patel (0002) and Tamir (0003).
With regard to claims 2 and 7, Parekh in view of Patel in further view of Tamir discloses the system of claim 1, and Parekh further discloses the reporting is via a cybersecurity risk tracker (0099-0100, 0094).
With regard to claims 3 and 8, Parekh in view of Patel in further view of Tamir discloses the system of claim 1, and Parekh further discloses tying at least some of the cybersecurity compliance and deficiencies to a vendor (0072-0078).
With regard to claims 4 and 9, in Parekh view of Patel in further view of Tamir discloses the system of claim 1, and Parekh further discloses the vendor is reported via a cybersecurity risk tracker (0072-0078, 0099-0100, 0094).
Response to Arguments
Applicant's arguments filed 10 November 2025 have been fully considered, and in combination with the amendments to the claims filed 10 November 2025, they overcame the previous rejection. The amendment necessitated further search and consideration, which resulted in the rejection outlined above.
References Cited
Gill et al., USPN 2011/0126111, discloses a system identifies incidents that are likely to cause significant impact to business services (0071, 0123-0125) in a software as a service framework agnostic manner (0101), but was not seen as the best prior art to use in forming a rejection to the instant claims.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JACOB LIPMAN whose telephone number is (571)272-3837. The examiner can normally be reached 5:30AM-6:00PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached at 571-272-3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/JACOB LIPMAN/Primary Examiner, Art Unit 2434