Prosecution Insights
Last updated: April 19, 2026
Application No. 18/186,009

SYSTEM AND METHOD FOR ENTERPRISE CYBERSECURITY BASELINE CLASSIFICATION

Final Rejection §103
Filed: Mar 17, 2023
Examiner: BROWN, CHRISTOPHER J
Art Unit: 2439
Tech Center: 2400 — Computer Networks
Assignee: Saudi Arabian Oil Company
OA Round: 2 (Final)
Grant Probability: 75% (Favorable)
OA Rounds: 3-4
To Grant: 3y 6m
With Interview: 88%

Examiner Intelligence

Grants 75% — above average
Career Allow Rate: 75% (533 granted / 707 resolved), +17.4% vs TC avg
Interview Lift: +12.6% (Moderate +13% lift), resolved cases with interview
Avg Prosecution: 3y 6m (typical timeline), 36 currently pending
Total Applications: 743 across all art units (career history)

Statute-Specific Performance

§101: 12.7% (-27.3% vs TC avg)
§103: 54.6% (+14.6% vs TC avg)
§102: 10.4% (-29.6% vs TC avg)
§112: 11.1% (-28.9% vs TC avg)
Based on career data from 707 resolved cases

Office Action

§103
Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Arguments

Applicant's arguments filed 12/2/25 have been fully considered but they are not persuasive.

Applicant argues that the combination of Mosby US 2021/0279337, and Jarvis US 2023/0031994 fail to teach the claim limitation “determining, by the computer processor, a first score of the application based on the assessment of the application using the predetermined baseline selection criteria; and determining, by the computer processor, a second score of the application based on the assessment of the application using the predetermined requirement criteria.”

This amendment has been moved to claim 1, but rejected in the previous office action as claim 2.

Examiner argues that the claim recites a first score based on a “baseline” and a second score based on “required criteria”. The claim does not define what these terms mean. Mosby teaches a “base score” [0065] which examiner equates to a “baseline”. Mosby teaches that the application is further scored by a “risk score” [0064] which rates severity of vulnerability. Mosby teaches that this “risk score” may be adjusted to a “required” level based on enterprise customized environmental criteria, or policy and adjustments/mitigation in order for the application to actually be acceptable for use as taught by [0087]-[0091].

Jarvis additionally teaches risk scores and categorizing said scores according to criticality and a risk control scheme. Jarvis teaches that each “risk profile” includes “risk factor scores” including 6 separate risk categories that are aggregated to a total score. Examiner asserts that the risk factor scores in combination with Mosby teach a first and second score for an application.

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1, 2, 4-10, 12-16, 18-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Mosby US 20210279337 in view of Jarvis US 2023/0031994.

As per claim 1. Mosby teaches A method, comprising: obtaining an application admission request to enter a cybersecurity infrastructure; generating, by a computer processor, an assessment of the application based on a predetermined baseline selection criteria; [0031]-[0037][0046][0057][0065][0087]-[0091] (Security baseline, risk scores, categorizing the application risk category)

Mosby teaches generating, by the computer processor, an assessment of the application based on a predetermined requirement criteria; [0031]-[0037][0046][0057][0065][0087]-[0091] (Security baseline, risk scores, categorizing the application risk category) (Mosby teaches a “base score” which examiner equates to a “baseline”. Mosby teaches that the application is further scored by a “risk score” which rates severity of vulnerability. Mosby teaches that this “risk score” may be adjusted to a “required” level based on enterprise customized environmental criteria, or policy and adjustments/mitigation in order for the application to actually be acceptable for use)

Jarvis teaches determining, by the computer processor, a classification of the application based on the assessments, wherein the application is classified as critical or non-critical; [0016][0044][0045] (criticality score of application)

Jarvis teaches developing, by the computer processor, a security baseline for the application classified as critical; and updating, by the computer processor, a cybersecurity management database with information on the classification of the application. [0038][0046][0049][0059][0063][0067] (security and control baselines, database, training to update thresholds/confidence risk rating)

Jarvis teaches determining, by the computer processor, a first score of the application based on the assessment of the application using the predetermined baseline selection criteria; and determining, by the computer processor, a second score of the application based on the assessment of the application using the predetermined requirement criteria. [0045][0063] Fig. 5 (teaches a plurality of scores and comparison to a threshold to determine risk)

It would have been obvious to one of ordinary skill in the art at the time the invention was filed to use the teaching of Jarvis with the prior art of record because it provides more accurate security control scheme for each category of data.

As per claim 3. Jarvis teaches The method of claim 2, wherein the classification is determined based on comparing the first score and the second score to a predetermined threshold. [0045][0063] Fig. 5 (teaches a plurality of scores and comparison to a threshold to determine risk)

As per claim 4. Jarvis teaches The method of claim 1, further comprising: generating, by the computer processor, a generic security control for the applications classified as non-critical; and updating, by the computer processor, the cybersecurity management database with an information on the classification of the application. [0063][0065][0066] (teaches classification of critical levels of classification and corresponding security controls)

As per claim 5. Mosby teaches The method of claim 1, wherein the cybersecurity management database stores classification information of a plurality of applications. [0030][0062][0104]-[0117] (teaches databases for applications and data used to score applications)

As per claim 6. Mosby teaches The method of claim 1, wherein the application admission request to enter the cybersecurity infrastructure is generated by a user or by a cybersecurity network. [0096] (users bring their own device including applications)

As per claim 7. Jarvis teaches The method of claim 4, wherein the generic security controls are NIST, DOD or enterprise's cybersecurity controls. [0049][0065][0066] (teaches use of NIST guidelines)

As per claim 8. Mosby teaches The method of claim 1, wherein the assessment of the application based on the predetermined baseline selection criteria includes application being an off-the-shelf product and not having a custom code, the application having an editable configuration, and the application being a standalone application and not being a part of an existing baseline. [0040][0050][0087][0104]-[0117] (no custom applications, off the shelf) (any application can be changed/patched, and thus editable, etc)

As per claim 9. Jarvis teaches The method of claim 1, wherein the assessment of the application based on the predetermined requirement criteria includes application's cybersecurity tier, application's admittance to an intranet or extranet zone, and a number of employees using the application. [0018][0019][0061][0063] Figure 4, Figure 5 (teaches using as part of a risk evaluation, risk value, internal/external, and number of users)

As per claim 10. Mosby teaches A system, comprising: a network comprising a plurality of network elements; a hardware probe coupled to the plurality of network elements; a network element coupled to the plurality of network elements, the network element comprising a software probe; and a computer processor, wherein the computer processor is coupled to the hardware probe, the software probe, and the plurality of network elements, and wherein the computer processor comprises functionality for: obtaining an application admission request to enter a cybersecurity infrastructure; generating an assessment of the application based on a predetermined baseline selection criteria; [0017][0019][0031]-[0037][0046][0057][0065][0087]-[0091] (Security baseline, risk scores, categorizing the application risk category). (Mosby teaches a “base score” which examiner equates to a “baseline”. Mosby teaches that the application is further scored by a “risk score” which rates severity of vulnerability. Mosby teaches that this “risk score” may be adjusted to a “required” level based on enterprise customized environmental criteria, or policy and adjustments/mitigation in order for the application to actually be acceptable for use)

Jarvis teaches determining a classification of the application based on the predetermined baseline selection criteria; generating an assessment of the application based on a predetermined requirement criteria; developing a security baseline for the application classified for a baseline selection; and updating a cybersecurity management database with information on the classification of the application. [0016][0044][0045] (criticality score of application) [0038][0046][0049][0059][0063][0067] (security and control baselines, database, training to update thresholds/confidence risk rating)

Jarvis teaches the computer processor further comprises functionality for: determining a first score of the application based on the assessment of the application based on the predetermined baseline selection criteria; and determining a second score of the application based on the assessment of the application based on the predetermined requirement criteria. [0045][0063] Fig. 5 (teaches a plurality of scores and comparison to a threshold to determine risk)

As per claim 12. Jarvis teaches The system of claim 11, wherein the classification is determined based on comparing the first score and the second score to a predetermined threshold. [0045][0063] Fig. 5 (teaches a plurality of scores and comparison to a threshold to determine risk)

As per claim 13. Jarvis teaches The system of claim 10, wherein the computer processor further comprises functionality for: generating a generic security control for the applications classified as non-critical; and updating the cybersecurity management database with an information on the classification of the application. [0063][0065][0066] (teaches classification of critical levels of classification and corresponding security controls)

As per claim 14. Mosby teaches The system of claim 10, wherein the cybersecurity management database stores a classification information of a plurality of applications. [0030][0062][0104]-[0117] (teaches databases for applications and data used to score applications)

As per claim 15. Mosby teaches The system of claim 10, wherein the application admission request to enter the cybersecurity infrastructure is generated by a user or by the cybersecurity network. [0096] (users bring their own device including applications)

As per claim 16. Mosby teaches A non-transitory computer readable medium storing instructions executable by a computer processor, the instructions comprising functionality for: obtaining an application admission request to enter a cybersecurity infrastructure; generating an assessment of the application based on a predetermined baseline selection criteria; generating an assessment of the application based on a predetermined requirement criteria; [0016][0044][0045] (criticality score of application) [0031]-[0037][0046][0057][0065][0087]-[0091] (Security baseline, risk scores, categorizing the application risk category) (Mosby teaches a “base score” which examiner equates to a “baseline”. Mosby teaches that the application is further scored by a “risk score” which rates severity of vulnerability. Mosby teaches that this “risk score” may be adjusted to a “required” level based on enterprise customized environmental criteria, or policy and adjustments/mitigation in order for the application to actually be acceptable for use)

Jarvis teaches determining a classification of the application based on the predetermined baseline selection criteria; developing a security baseline for the application classified for a baseline selection; and updating a cybersecurity management database with information on the classification of the application. [0038][0046][0049][0059][0063][0067] (security and control baselines, database, training to update thresholds/confidence risk rating)

Jarvis teaches wherein the instructions further comprise functionality for: determining a first score of the application based on the assessment of the application based on the predetermined baseline selection criteria; and determining a second score of the application based on the assessment of the application based on the predetermined requirement criteria. [0045][0063] Fig. 5 (teaches a plurality of scores and comparison to a threshold to determine risk)

As per claim 18. Jarvis teaches The non-transitory computer readable medium of claim 17, wherein the classification is determined based on comparing the first score and the second score to a predetermined threshold. [0045][0063] Fig. 5 (teaches a plurality of scores and comparison to a threshold to determine risk)

As per claim 19. Jarvis teaches The non-transitory computer readable medium of claim 16, wherein the instructions further comprise functionality for: generating a generic security control for the applications classified as non-critical; and updating the cybersecurity management database with an information on the classification of the application. [0063][0065][0066] (teaches classification of critical levels of classification and corresponding security controls)

As per claim 20. Mosby teaches The non-transitory computer readable medium of claim 16, wherein the cybersecurity management database stores a classification information of a plurality of applications. [0030][0062][0104]-[0117] (teaches databases for applications and data used to score applications)

Conclusion

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).

A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHRISTOPHER BROWN whose telephone number is (571)272-3833. The examiner can normally be reached M-F 8-5.

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham, can be reached at (571) 270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/CHRISTOPHER J BROWN/
Primary Examiner, Art Unit 2439

Prosecution Timeline

Mar 17, 2023: Application Filed
Aug 28, 2025: Non-Final Rejection — §103
Dec 02, 2025: Response Filed
Mar 05, 2026: Final Rejection — §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12603822
SOFTWARE AS A SERVICE (SaaS) USER INTERFACE (UI) FOR DISPLAYING USER ACTIVITIES IN AN ARTIFICIAL INTELLIGENCE (AI)-BASED CYBER THREAT DEFENSE SYSTEM
2y 5m to grant Granted Apr 14, 2026
Patent 12574725
METHODS, APPARATUSES, COMPUTER PROGRAMS AND CARRIERS FOR SECURITY MANAGEMENT BEFORE HANDOVER FROM 5G TO 4G SYSTEM
2y 5m to grant Granted Mar 10, 2026
Patent 12563390
AUTHENTICATING A DEVICE IN A COMMUNICATION NETWORK OF AN AUTOMATION INSTALLATION
2y 5m to grant Granted Feb 24, 2026
Patent 12563056
SYSTEM AND METHOD FOR MONITORING AND MANAGING COMPUTING ENVIRONMENT
2y 5m to grant Granted Feb 24, 2026
Patent 12537828
ON-DEMAND SOFTWARE-DEFINED SECURITY SERVICE ORCHESTRATION FOR A 5G WIRELESS NETWORK
2y 5m to grant Granted Jan 27, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Prosecution Projections

Expected OA Rounds: 3-4
Grant Probability: 75%
With Interview: 88% (+12.6%)
Median Time to Grant: 3y 6m
PTA Risk: Moderate
Based on 707 resolved cases by this examiner. Grant probability derived from career allow rate.
