Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Response to Arguments
Applicant's arguments filed 6/4/26 have been fully considered but is not persuasive.
Applicant argues that the amended limitations state a first score and a second score that are not related. Applicant argues that Mosbys scoring related to risk which are different from “predetermined baseline selection criteria that is used to determined whether a baseline is necessary for the application.
Examiner respectfully disagrees. The claims do not state that the first and second score are not related. Examiner asserts that one of ordinary skill in the art would not require a first and second score based on different criteria to be “unrelated”. For example a first score may relate to vulnerability, and a second score may be related to criticality, and yet these 2 scores are related. The claim limitations may still be met on this bases.
Examiner asserts that the “baseline selection criteria” as stated in the claim is not defined. Examiner asserts that “the baseline selection” in Mosby is the baseline security that an is required to meet to have access to enterprise resources. This is assessed on a risk score. Mosby then further teaches remediation or “a security baseline” that is required and applied in order to approve the application for access. Examiner asserts that this reference meets the first of Applicants arguments.
Applicant argues that the prior art fails to teach a second score based on “predetermined requirement used to determined whether the application is critical or non-critical”. Applicant has failed to define what “predetermined requirement criteria” are.
Examiner asserts that Jarvis teaches scoring system based on criticality to an enterprise. The “predetermined requirement criteria” is the requirement of what level of impact a particular application or system would have for an enterprise. If the score indicates a system is “critical” then fixing that system would be prioritized. Thus Jarvis meets classification of an application as critical or non critical based on a second score, which is based on a “requirement criteria” [0062]-[0065] [0067] [0069] (criticality score, and applying security control based on score and criticality) [0048] (prioritize protective security controls)
Since a critical application is prioritized for remediation, and as shown in Mosby, the “security baseline” is a minimum level of risk after configuration/remediation, then Examiner asserts that Jarvis teaches the claim as stated.
Examiner also cites: Spisak US 2020/0092319 which teaches criticality [0043][0044] and control or configuration based on criticality [0086][0087] (security baseline) among other teachings.
Examiner notes that Applicant reads into the claim language elements from the specification that are not readily apparent from the claims as stated. Examiner must read the claims with a broad but reasonable interpretation, and may not incorporate details from the instant specification into the claims as stated.
Examiner notes that “security baseline” is a claim term but not known to one of ordinary skill in the art. Applicant appears to be using it as a “security configuration” of an application.
Examiner notes that the claims state determining whether an application is “critical or non-critical”. Examiner asserts that one of ordinary skill in the art would not understand if this means the application has a critical security issue, or if the application is critical to have for the system.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 1, 2, 4-10, 12-16, 18-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Mosby US 20210279337 in view of Jarvis US 2023/0031994.
As per claim 1. Mosby teaches A method, comprising: obtaining an application admission request to enter a cybersecurity infrastructure; generating, by a computer processor, an assessment of the application based on a predetermined baseline selection criteria; [0031]-[0037][0046][0057][0065][0087]-[0091] (Security baseline, risk scores, categorizing the application risk category)
Mosby teaches wherein the predetermined baseline selection criteria is used to determine whether a security baseline is necessary for the application.
Mosby teaches generating, by the computer processor, an assessment of the application based on a predetermined basline selection criteria; [0031]-[0037][0046][0057][0065][0087]-[0091] (Security baseline, risk scores, categorizing the application risk category) (Mosby teaches a “base score” which examiner equates to a “baseline”. Mosby teaches that the application is further scored by a “risk score” which rates severity of vulnerability. Mosby teaches that this “risk score” may be adjusted to a “required” level based on enterprise customized environmental criteria, or policy and adjustments/mitigation in order for the application to actually be an acceptable for use; configuration policy “baseline” is applied to the application)
Jarvis teaches determining, by the computer processor, a classification of the application based on the assessments, wherein the application is classified as critical or non-critical; [0016][0044][0045] (criticality score of application) [0062]-[0065] [0067] [0069] (criticality score, and applying security control based on score and criticality) [0048] (prioritize protective security controls)
Jarvis teaches developing, by the computer processor, a security baseline for the application classified as critical; and updating, by the computer processor, a cybersecurity management database with information on the classification application. Jarvis teaches the predetermined requirement criteria is used to determine whether the application is critical or not critical.
[0062]-[0065] [0067] [0069] (criticality score, and applying security control based on score and criticality) [0048] (prioritize protective security controls/ baseline)
Jarvis teaches determining, by the computer processor, a first score of the application based on the assessment of the application using the predetermined baseline selection criteria; and determining, by the computer processor, a second score of the application based on the assessment of the application using the predetermined requirement criteria. [0045][0063] Fig. 5 (teaches a plurality of scores and comparison to a threshold to determined risk) [0062]-[0065] [0067] [0069] (criticality score, and applying security control based on score and criticality) [0048] (prioritize protective security controls)
It would have been obvious to one of ordinary skill in the art at the time the invention was filed to use the teaching of Jarvis with the prior art of record because it provides more accurate security control scheme for each category of data.
As per claim 3. Jarvis teaches The method of claim 2, wherein the classification is determined based on comparing the first score and the second score to a predetermined threshold. [0045][0063] Fig. 5 (teaches a plurality of scores and comparison to a threshold to determined risk)
As per claim 4. Jarvis teaches The method of claim 1, further comprising: generating, by the computer processor, a generic security control for the applications classified as non-critical; and updating, by the computer processor, the cybersecurity management database with an information on the classification of the application. [0063][0065][0066] (teaches classification of critical levels of classification and corresponding security controls)
As per claim 5. Mosby teaches The method of claim 1, wherein the cybersecurity management database stores classification information of a plurality of applications. [0030][0062][0104]-[0117] (teaches databases for applications and data used to score applications)
As per claim 6. Mosby teaches The method of claim 1, wherein the application admission request to enter the cybersecurity infrastructure is generated by a user or by a cybersecurity network. [0096] (users bring their own device including applications)
As per claim 7. Jarvis teaches The method of claim 4, wherein the generic security controls are NIST, DOD or enterprise's cybersecurity controls. [0049][0065][0066] (teaches use of NIST guidelines)
As per claim 8. Mosby teaches The method of claim 1, wherein the assessment of the application based on the predetermined baseline selection criteria includes application being an off-the-shelf product and not having a custom code, the application having an editable configuration, and the application being a standalone application and not being a part of an existing baseline. [0040][0050][0087] [0104]-[0117] (no custom applications, off the shelf) (any application can be changed/patched, and thus editable, etc)
As per claim 9. Jarvis teaches The method of claim 1, wherein the assessment of the application based on the predetermined requirement criteria includes application's cybersecurity tier, application's admittance to an intranet or extranet zone, and a number of employees using the application. [0018][0019][[0061][0063] Figure 4, Figure 5 (teaches using as part of a risk evaluation, risk value, internal/external, and number of users)
As per claim 10. Mosby teaches A system, comprising: a network comprising a plurality of network elements;a hardware probe coupled to the plurality of network elements; a network element coupled to the plurality of network elements, the network element comprising a software probe; and a computer processor, wherein the computer processor is coupled to the hardware probe, the software probe, and the plurality of network elements, and wherein the computer processor comprises functionality for: obtaining an application admission request to enter a cybersecurity infrastructure; generating an assessment of the application based on a predetermined baseline selection criteria; Mosby teaches wherein the predetermined baseline selection criteria is used to determine whether a security baseline is necessary for the application.
[0017][0019][0031]-[0037][0046][0057][0065][0087]-[0091] (Security baseline, risk scores, categorizing the application risk category).
(Mosby teaches a “base score” which examiner equates to a “baseline”. Mosby teaches that the application is further scored by a “risk score” which rates severity of vulnerability. Mosby teaches that this “risk score” may be adjusted to a “required” level based on enterprise customized environmental criteria, or policy and adjustments/mitigation in order for the application to actually be an acceptable for use)
Jarvis teaches determining a classification of the application based on the predetermined baseline selection criteria; generating an assessment of the application based on a predetermined requirement criteria; developing a security baseline for the application classified for a baseline selection; and updating a cybersecurity management database with information on the classification of the application. [0016][0044][0045] (criticality score of application)
[0038][0046][0049][0059][0063][0067] (security and control baselines, database, training to update thresholds/confidence risk rating)
Jarvis teaches the predetermined requirement criteria is used to determine whether the application is critical or not critical.[0062]-[0065] [0067] [0069] (criticality score, and applying security control based on score and criticality) [0048] (prioritize protective security controls/ baseline)
Jarvis teaches the computer processor further comprises functionality for: determining a first score of the application based on the assessment of the application based on the predetermined baseline selection criteria; and determining a second score of the application based on the assessment of the application based on the predetermined requirement criteria. [0045][0063] Fig. 5 (teaches a plurality of scores and comparison to a threshold to determined risk)
As per claim 12. Jarvis teaches The system of claim 11, wherein the classification is determined based on comparing the first score and the second score to a predetermined threshold. [0045][0063] Fig. 5 (teaches a plurality of scores and comparison to a threshold to determined risk)
As per claim 13. Jarvis teaches The system of claim 10, wherein the computer processor further comprises functionality for: generating a generic security control for the applications classified as non-critical; and updating the cybersecurity management database with an information on the classification of the application. [0063][0065][0066] (teaches classification of critical levels of classification and corresponding security controls)
As per claim 14. Mosby teaches The system of claim 10, wherein the cybersecurity management database stores a classification information of a plurality of applications. [0030][0062][0104]-[0117] (teaches databases for applications and data used to score applications)
As per claim 15. Mosby teaches The system of claim 10, wherein the application admission request to enter the cybersecurity infrastructure is generated by a user or by the cybersecurity network. [0096] (users bring their own device including applications)
As per claim 16. Mosby teaches A non-transitory computer readable medium storing instructions executable by a computer processor, the instructions comprising functionality for: obtaining an application admission request to enter a cybersecurity infrastructure; generating an assessment of the application based on a predetermined baseline selection criteria; generating an assessment of the application based on a predetermined requirement criteria; Mosby teaches wherein the predetermined baseline selection criteria is used to determine whether a security baseline is necessary for the application.
[0016][0044][0045] (criticality score of application) [0031]-[0037][0046][0057][0065][0087]-[0091] (Security baseline, risk scores, categorizing the application risk category)
(Mosby teaches a “base score” which examiner equates to a “baseline”. Mosby teaches that the application is further scored by a “risk score” which rates severity of vulnerability. Mosby teaches that this “risk score” may be adjusted to a “required” level based on enterprise customized environmental criteria, or policy and adjustments/mitigation in order for the application to actually be an acceptable for use)
Jarvis teaches determining a classification of the application based on the predetermined baseline selection criteria; developing a security baseline for the application classified for a baseline selection; and updating a cybersecurity management database with information on the classification of the application. [0038][0046][0049][0059][0063][0067] (security and control baselines, database, training to update thresholds/confidence risk rating)
Jarvis teaches the predetermined requirement criteria is used to determine whether the application is critical or not critical.[0062]-[0065] [0067] [0069] (criticality score, and applying security control based on score and criticality) [0048] (prioritize protective security controls/ baseline)
Jarvis teaches wherein the instructions further comprise functionality for: determining a first score of the application based on the assessment of the application based on the predetermined baseline selection criteria; and determining a second score of the application based on the assessment of the application based on the predetermined requirement criteria. [0045][0063] Fig. 5 (teaches a plurality of scores and comparison to a threshold to determined risk)
As per claim 18. Jarvis teaches The non-transitory computer readable medium of claim 17, wherein the classification is determined based on comparing the first score and the second score to a predetermined threshold. [0045][0063] Fig. 5 (teaches a plurality of scores and comparison to a threshold to determined risk)
As per claim 19. Jarvis teaches The non-transitory computer readable medium of claim 16, wherein the instructions further comprise functionality for: generating a generic security control for the applications classified as non-critical; and updating the cybersecurity management database with an information on the classification of the application. [0063][0065][0066] (teaches classification of critical levels of classification and corresponding security controls)
As per claim 20. Mosby teaches The non-transitory computer readable medium of claim 16, wherein the cybersecurity management database stores a classification information of a plurality of applications. [0030][0062][0104]-[0117] (teaches databases for applications and data used to score applications)
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHRISTOPHER BROWN whose telephone number is (571)272-3833. The examiner can normally be reached M-F 8-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached at (571) 270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/CHRISTOPHER J BROWN/Primary Examiner, Art Unit 2439