Prosecution Insights
Last updated: May 29, 2026
Application No. 18/202,374

CYBERSECURITY RISK TRACKING, MATURATION, AND/OR CERTIFICATION

Non-Final OA §101 §103
Filed: May 26, 2023
Examiner: KRAISINGER, EMILY MARIE
Art Unit: 3626
Tech Center: 3600 — Transportation & Electronic Commerce
Assignee: Cyturus Technologies Inc.
OA Round: 2 (Non-Final)
Grant Probability: 33% (At Risk)
OA Rounds: 2-3
Est. Remaining: 0m
With Interview: 78%

Examiner Intelligence

Grants only 33% of cases
Career Allowance Rate: 33% (19 granted / 58 resolved; -19.2% vs TC avg)
Strong +46% interview lift
Interview Lift: +45.5% (resolved cases with interview)
Typical timeline
Avg Prosecution: 2y 6m (23 currently pending)
Career history
Total Applications: 95 (across all art units)

Statute-Specific Performance

§101: 30.8% (-9.2% vs TC avg)
§103: 65.6% (+25.6% vs TC avg)
§102: 1.0% (-39.0% vs TC avg)
§112: 1.0% (-39.0% vs TC avg)
Based on career data from 58 resolved cases

Office Action

§101 §103
DETAILED ACTION

Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Status of Claims

Claims 1-18 have been examined and are pending. Claims 1-18 have been rejected in this Final Office Action.

Priority

Application 18/202,374 was filed 05/26/2023.

Claim Rejections - 35 USC § 101

35 U.S.C. 101 reads as follows:

Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 1-18 are rejected under 35 U.S.C. 101 because the claimed invention is directed to judicial exception (i.e., a law of nature, a natural phenomenon, or an abstract idea) without significantly more. Claims 1-18 are directed to a system, method, or product which are/is one of the statutory categories of invention. (Step 1: YES).

Claims 1, and 10, are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. The claim recites a method and system for devices to measure maturation management, measure risk register management, measure third-party and supplier risk management, measure policy management, and combine and quantify the measurements.

For Claims 1 and 10 the limitations of (Claim 1 being representative): […] at least measure maturation management, measure risk register management, measure third-party and supplier risk management, measure policy management, and combine and quantify the measurements, wherein a risk model […] is adapted[…], as drafted, are processes that, under the broadest reasonable interpretation, covers certain methods of organizing human activity (i.e., managing personal behavior including following rules or instructions) but for recitation of generic computer components.

The Examiner notes that “certain method[s] of organizing human activity” includes a person's interaction with a computer (see MPEP 2106.04(a)(2)(II)). If a claim limitation, under its broadest reasonable interpretation, covers managing personal behavior or interactions between people but for the recitation of generic computer components, then it falls within the “certain methods of organizing human activity” grouping of abstract ideas.

Alternately, as drafted, the claims recite a process that, under the broadest reasonable interpretation cover performance of the limitation in the mind but for recitation of generic computer components. That is, other than reciting a process implemented by a system, nothing in the claim precludes the step from practically being performed in the mind. For example, but for the system, this claim encompasses a person to measure different risk and policy information described in the identified abstract idea, supra. If a claim limitation under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components, then it falls within the “Mental Processes” grouping of abstract idea.

The claim further recites “wherein a risk model utilized by the devices is adapted based at least in part on the adaptive machine learning”. When given its broadest reasonable interpretation in light of the disclosure, a risk model utilized by the devices based on machine learning represents the creation of mathematical interrelationships between data. As such, a risk model based on machine learning represents a mathematical concept that is interpreted to be part of the identified abstract idea, supra.

The types of identified abstract ideas are considered together as a single abstract idea for analysis purposes. Accordingly, Claims 1, and 10 recite an abstract idea. (Step 2A- Prong 1: YES. The claims recite an abstract idea).

This judicial exception is not integrated into a practical application. Claims 1, and 10 recites the additional elements of a compliance management system (Claim 1, and 10), devices (Claims 1), and adaptive machine learning (Claims 1 and 10), that implements the identified abstract idea. These additional elements are not described by the applicant and are recited at a high-level of generality (i.e., one or more generic computers performing a generic computer functions) such that it amounts no more than mere instructions to apply the exception using a generic computer components. Accordingly, even in combination these additional elements do not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. Claims 1, and 10 are directed to an abstract idea. (Step 2A-Prong 2: NO: the additional claimed elements are not integrated into a practical application).

The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional elements of a compliance management system (Claim 1, and 10), devices (Claims 1), and adaptive machine learning (Claims 1 and 10), to perform the noted steps amounts to no more than mere instructions to apply the exception using a generic computer component. Mere instructions to apply an exception using a generic computer component cannot provide an inventive concept (“significantly more”). Accordingly, even in combination, these additional elements do not provide significantly more. As such claims 1, and 10 are not patent eligible. (Step 2B: NO. The claims do not provide significantly more).

Dependent Claims 2-9, and 11-18 are similarly rejected because they either further define/narrow the abstract idea of independent claims 1, and 10 as discussed above.
Claim(s) 3, and 12 merely describe(s) providing a score based on combining and quantifying the measurements. Claim(s) 4, and 13 merely describe(s) making additional measurements. Claim(s) 5, and 14 merely describe(s) applying an overlay to the measurements. Claim(s) 6 and 15 merely describe(s) using an adaptive process to implement the system. Claim(s) 8, and 17 merely describe(s) multiple users. Claim(s) 9, and 18 merely describe(s) not sharing information with users. Therefore claims 3-6, 8-9, 12-15, and 17-18 are considered patent ineligible for the reasons given above.

Dependent Claim(s) 2, 7, 11, and 16 recite limitations that further define the abstract idea noted in independent claims 1, and 10. In addition, it recites the additional elements of computing infrastructure, and machine learning. The computing infrastructure, and machine learning, are recited at a high level of generality such that it amounts to no more than mere instructions to apply the exception using a generic computing component. Even in combination, these additional elements do not integrate the abstract idea into a practical application and do not amount to significantly more than the abstract idea itself. Therefore, dependent claims 2-9, and 11-18 are considered patent ineligible for the reasons given above.

Claim Rejections - 35 USC § 103

Claim(s) 1-8, and 10-17 are rejected under 35 U.S.C. 103 as being unpatentable over Gray (US 20240169293 A1), in view of Heckman (US 11431740 B2), and in further view of Shivanna (US 20210400076 A1).

Regarding Claim 1,

Gray discloses,

A system, comprising:

"FIG. 2 that supports predictive assessments of vendor risk in accordance with aspects of the present disclosure. Flow diagram 200 may be implemented by a modeling entity 115, as described with reference to FIG. 1. The modeling entity 115 may include one or more servers, processors, memories, or any combination thereof. In some examples, the flow diagram 200 may be implemented by a device, which may be referred to as an apparatus and one or more processors, or a non-transitory computer-readable medium, storing code for predictively assessing vendor risk. The code may include instructions executable by the processors. The techniques described herein may be performed by such a device, which may be an example of the device 905, or by various disparate elements of a system (e.g., including processors, memory, a GUI, electronic communications between the various elements, etc.)" (Gray Par. 0041).

measure maturation management,

"The maturity level of each control family may also be considered through people, process, and technology. This information may be primarily binary information, with a value (e.g., 72) being ternary and another value (e.g., 35) being senary, confirming the existence of a cyber security control in place under the entity's program and may range upwards of 250 in total for some assessment levels" (Gray Par. 0043).

measure risk register management,

"Since residual risk is an output of the scoring, predicted overall residual risk may be measured compared to the true overall residual risk. The residual risk is a way to quantify the reduction in risk from having certain cyber security controls in place, thus reducing the inherent risk of the threat landscape to a company. The MAE may be used as a measure of how far an estimating the residual risk is from the true residual risk in a test set" (Gray Par. 0066).

measure third-party and supplier risk management,

"FIG. 4 illustrates an example of a security report 400 that supports predictive assessments of vendor risk in accordance with aspects of the present disclosure. The security report 400 may illustrate a GUI output of the system described herein via a user equipment, which may include a display, tab, screen shot, or dashboard view, among other examples. The security report 400 may include an indication of a predicted maturity (e.g., for a given entity, such as a vendor 110). Predicted Maturity is a prediction of the third party's responses to the capability maturity model section of the self-assessment questionnaire. The questions intend to measure the third party's people, process and technology across all control groups. The predicted value is shown in context of the most aggressive and conservative values" (Gray Par. 0072).

Gray discloses measuring maturation management, risk register management, third-party and supplier risk management by utilizing machine learning to produce the predictive risk profiles (Gray Par. 0004, 0013), but fails to disclose a compliance system measuring policy management, combining and quantifying the measurements, and a risk model utilized by the devices is adapted based at least in part on the adaptive machine learning.

Heckman, however, does disclose,

A compliance management system, comprising:

“The computing system 102 may also include a business capability component 130 that is configured to provide particular assets and processes that a compliance manager may manage in the organization” (Heckman Col. 8 Lines 15-18).

measure policy management, and

"The CS tool/component may be configured to use a maturity model and/or various maturity level determinations to develop an overall maturity factor, referred to as the maturity model score. The maturity model may consider and incorporate the effectiveness of the organization's cybersecurity/privacy program or project on a spectrum in which foundation levels ensure that the organization develops sound cybersecurity/privacy policies and procedures. The maturity model may include declarative statements and information that may be used to determine whether an organization's cybersecurity/privacy policies, processes, procedures, and associated behaviors support various levels across the core areas, as well as across a number of categories and subcategories (“domains”)" (Heckman Col. 6 Line 61 – Col. 7 Line 7).

combine and quantify the measurements.

"The initial review component 204 may generate initial review results from the documentation review. The initial review results may be provided to the analysis and evaluation component 206. In various embodiments, the analysis and evaluation component 206 may utilize the CS tool/component as described to generate current and target cybersecurity/privacy risk framework profile or risk level (e.g., AI_OVERALL_RISK_VALUE, TB_OVERALL_RISK_VALUE, etc.) and maturity model scores (e.g., AI_OVERALL_MATURITY_VALUE, TB_OVERALL_MATURITY_VALUE, etc.). In various embodiments, generating the risk framework profile and maturity model may be based on computed risk management level values and maturity levels for each functional program at the core, category, and subcategory levels. In some embodiments, the analysis and evaluation component 206 may output a comprehensive report 210 containing these values, the overall current and target risk framework profile and maturity model scores, and set of cybersecurity/privacy organizational recommendations with specific mitigation strategies" (Heckman Col. 14 Lines 37-57).

It would have been obvious to one of ordinary skill in the art at the time of the claimed invention to have combined the risk management system of Gray with compliance system that measures policy management, and combines and quantifies measurements of Heckman to monitor and/or track remediation activities and/or any resulting changes to current risk management level or current maturity level, and determine whether the changes are positive/negative and/or whether the cybersecurity/privacy program has achieved, is progressing toward, a target risk management level and/or a target maturity level.

The combination of Gray and Heckman disclose a compliance management system to measure maturation management, risk register management, third-party and supplier risk management, policy management, and combines and quantifies the measurements using machine learning. Heckman also uses machine learning models to generate results for risk management level scores (Heckman Col. 8 Lines 36-54, Claim 1). The combination of Gray and Heckman fail to disclose a risk model utilized by the devices that is adapted based at least in part on the adaptive machine learning.

Shivanna discloses implementing an adaptive machine learning platform for security penetration and risk assessment. Shivanna teaches:

devices that utilize adaptive machine learning

“Computer system 100 may comprise one or more processors 102 and one or more memories 104 for storing machine executable instructions in a computer readable medium 106 to perform operations for adaptive machine learning computer system for security penetration and risk assessment. Additional detail about one or more processors 102 and one or more memories 104 are provided with FIG. 7-8” (Shivanna Par. 0016).

wherein a risk model utilized by the devices is adapted based at least in part on the adaptive machine learning.

“FIG. 1 provides an adaptive machine learning computer system for security penetration and risk assessment, in accordance with an embodiment of the application” (Shivanna Par. 0015).

“ML manager engine 116 may be configured to train and run a machine learning model. For example, the machine learning (ML) methods may identify security risks and potential exposure to security attacks using an algorithm that can classify the extracted security key features from the summarized document into a particular classification category of a plurality of classification categories (e.g. high, medium, or low exposure)” (Shivanna Par. 0035).

It would have been obvious to one of ordinary skill in the art at the time of the claimed invention to have combined the risk management system of Gray and Heckman with adaptive machine learning of Shivanna since machine learning is continuously being trained, and it is old and well known in the art that machine learning requires training.

Regarding Claim 10,

Gray discloses,

A method of implementing a system, comprising steps of:

“The described techniques relate to improved methods, systems, devices, and apparatuses that support predictive assessments of vendor risk” (Gray Par. 0003).

measuring maturation management;

"The maturity level of each control family may also be considered through people, process, and technology. This information may be primarily binary information, with a value (e.g., 72) being ternary and another value (e.g., 35) being senary, confirming the existence of a cyber security control in place under the entity's program and may range upwards of 250 in total for some assessment levels" (Gray Par. 0043).

measuring risk register management;

"Since residual risk is an output of the scoring, predicted overall residual risk may be measured compared to the true overall residual risk.
The residual risk is a way to quantify the reduction in risk from having certain cyber security controls in place, thus reducing the inherent risk of the threat landscape to a company. The MAE may be used as a measure of how far an estimating the residual risk is from the true residual risk in a test set" (Gray Par. 0066).

measuring third-party and supplier risk management;

"FIG. 4 illustrates an example of a security report 400 that supports predictive assessments of vendor risk in accordance with aspects of the present disclosure. The security report 400 may illustrate a GUI output of the system described herein via a user equipment, which may include a display, tab, screen shot, or dashboard view, among other examples. The security report 400 may include an indication of a predicted maturity (e.g., for a given entity, such as a vendor 110). Predicted Maturity is a prediction of the third party's responses to the capability maturity model section of the self-assessment questionnaire. The questions intend to measure the third party's people, process and technology across all control groups. The predicted value is shown in context of the most aggressive and conservative values" (Gray Par. 0072).

Gray discloses measuring maturation management, risk register management, and third-party and supplier risk management by utilizing machine learning to produce the predictive risk profiles (Gray Par. 0004, 0013), but fails to disclose a method of implementing a compliance management system measuring policy management, and combining and quantifying the measurements using adaptive machine learning.

Heckman, however, does disclose,

A method of implementing a compliance management system, comprising steps of:

“The computing system 102 may also include a business capability component 130 that is configured to provide particular assets and processes that a compliance manager may manage in the organization” (Heckman Col. 8 Lines 15-18).

measuring policy management; and

"The CS tool/component may be configured to use a maturity model and/or various maturity level determinations to develop an overall maturity factor, referred to as the maturity model score. The maturity model may consider and incorporate the effectiveness of the organization's cybersecurity/privacy program or project on a spectrum in which foundation levels ensure that the organization develops sound cybersecurity/privacy policies and procedures. The maturity model may include declarative statements and information that may be used to determine whether an organization's cybersecurity/privacy policies, processes, procedures, and associated behaviors support various levels across the core areas, as well as across a number of categories and subcategories (“domains”)" (Heckman Col. 6 Line 61 – Col. 7 Line 7).

combining and quantifying the measurements.

"The initial review component 204 may generate initial review results from the documentation review. The initial review results may be provided to the analysis and evaluation component 206. In various embodiments, the analysis and evaluation component 206 may utilize the CS tool/component as described to generate current and target cybersecurity/privacy risk framework profile or risk level (e.g., AI_OVERALL_RISK_VALUE, TB_OVERALL_RISK_VALUE, etc.) and maturity model scores (e.g., AI_OVERALL_MATURITY_VALUE, TB_OVERALL_MATURITY_VALUE, etc.). In various embodiments, generating the risk framework profile and maturity model may be based on computed risk management level values and maturity levels for each functional program at the core, category, and subcategory levels. In some embodiments, the analysis and evaluation component 206 may output a comprehensive report 210 containing these values, the overall current and target risk framework profile and maturity model scores, and set of cybersecurity/privacy organizational recommendations with specific mitigation strategies" (Heckman Col. 14 Lines 37-57).

It would have been obvious to one of ordinary skill in the art at the time of the claimed invention to have combined the risk management system of Gray with compliance system that measures policy management, and combines and quantifies measurements of Heckman to monitor and/or track remediation activities and/or any resulting changes to current risk management level or current maturity level, and determine whether the changes are positive/negative and/or whether the cybersecurity/privacy program has achieved, is progressing toward, a target risk management level and/or a target maturity level.

The combination of Gray and Heckman disclose a compliance management system to measure maturation management, risk register management, third-party and supplier risk management, policy management, and combines and quantifies the measurements using machine learning. Heckman also uses machine learning models to generate results for risk management level scores (Heckman Col. 8 Lines 36-54, Claim 1). The combination of Gray and Heckman fail to disclose a risk model utilized by the devices is adapted based at least in part on the adaptive machine learning.

Shivanna discloses implementing an adaptive machine learning platform for security penetration and risk assessment. Shivanna teaches:

utilizing adaptive machine learning

“Computer system 100 may comprise one or more processors 102 and one or more memories 104 for storing machine executable instructions in a computer readable medium 106 to perform operations for adaptive machine learning computer system for security penetration and risk assessment. Additional detail about one or more processors 102 and one or more memories 104 are provided with FIG. 7-8” (Shivanna Par. 0016).

wherein a risk model utilized by the method is adapted based at least in part on the adaptive machine learning.

“FIG. 1 provides an adaptive machine learning computer system for security penetration and risk assessment, in accordance with an embodiment of the application” (Shivanna Par. 0015).

“ML manager engine 116 may be configured to train and run a machine learning model. For example, the machine learning (ML) methods may identify security risks and potential exposure to security attacks using an algorithm that can classify the extracted security key features from the summarized document into a particular classification category of a plurality of classification categories (e.g. high, medium, or low exposure)” (Shivanna Par. 0035).

It would have been obvious to one of ordinary skill in the art at the time of the claimed invention to have combined the risk management system of Gray and Heckman with adaptive machine learning of Shivanna since machine learning is continuously being trained, and it is old and well known in the art that machine learning requires training.

Regarding Claim 2, and Claim 11

The combination of Gray, Heckman, and Shivanna disclose the system in claim 1, as shown above. Gray further discloses,

The system as in claim 1, wherein one or more of the devices comprise at least part of a computing infrastructure.

"FIG. 2 that supports predictive assessments of vendor risk in accordance with aspects of the present disclosure. Flow diagram 200 may be implemented by a modeling entity 115, as described with reference to FIG. 1. The modeling entity 115 may include one or more servers, processors, memories, or any combination thereof. In some examples, the flow diagram 200 may be implemented by a device, which may be referred to as an apparatus and one or more processors, or a non-transitory computer-readable medium, storing code for predictively assessing vendor risk. The code may include instructions executable by the processors.
The techniques described herein may be performed by such a device, which may be an example of the device 905, or by various disparate elements of a system (e.g., including processors, memory, a GUI, electronic communications between the various elements, etc.)" (Gray Par. 0041).

Regarding Claim 3, and Claim 12

The combination of Gray, Heckman, and Shivanna disclose the system in claim 1, as shown above. Heckman further discloses,

The system as in claim 1, wherein the devices further provide a Cyber Maturity Index score based at least on combining and quantifying the measurements.

"The initial review component 204 may generate initial review results from the documentation review. The initial review results may be provided to the analysis and evaluation component 206. In various embodiments, the analysis and evaluation component 206 may utilize the CS tool/component as described to generate current and target cybersecurity/privacy risk framework profile or risk level (e.g., AI_OVERALL_RISK_VALUE, TB_OVERALL_RISK_VALUE, etc.) and maturity model scores (e.g., AI_OVERALL_MATURITY_VALUE, TB_OVERALL_MATURITY_VALUE, etc.). In various embodiments, generating the risk framework profile and maturity model may be based on computed risk management level values and maturity levels for each functional program at the core, category, and subcategory levels. In some embodiments, the analysis and evaluation component 206 may output a comprehensive report 210 containing these values, the overall current and target risk framework profile and maturity model scores, and set of cybersecurity/privacy organizational recommendations with specific mitigation strategies" (Heckman Col. 14 Lines 37-57).

It would have been obvious to one of ordinary skill in the art at the time of the claimed invention to have combined the risk management system of Gray, Heckman, and Shivanna with a Cyber Maturity Index score based at least on combining and quantifying the measurements of Heckman to monitor and/or track remediation activities and/or any resulting changes to current risk management level or current maturity level, and determine whether the changes are positive/negative and/or whether the cybersecurity/privacy program has achieved, is progressing toward, a target risk management level and/or a target maturity level.

Regarding Claim 4, and Claim 13,

The combination of Gray, Heckman, and Shivanna disclose the system in claim 1, as shown above. Gray further discloses,

The system as in claim 1, wherein the devices make one or more additional measurements.

"Having generated candidate questionnaire answers at 230, at 235 the device may determine, for each of the multiple sets of candidate response inputs for the cyber security questionnaire, a respective set of risk score values (e.g., may score the candidate response). At 240, the device may aggregate, by the one or more processors, each respective set of risk score values for each set of candidate response inputs for the cyber security questionnaire. At 245, the device may output, by the one or more processors for display to a user via a graphical user interface (GUI) on a user device, the set of predictive response outputs for the cyber security questionnaire. At 250, the device may calculate a set of confidence values for the set of predictive response outputs for the cyber security questionnaire" (Gray Par. 0054).

"In some examples, the process to produce coverage and maturity scores at the group level begins by iterating through each assessment in the sample block and scoring that possible assessment for each group. Once all the sampled assessments have been scored, a histogram per group is created with the scores. The histogram may support displaying the median as the expected value of the scores and a confidence around the expected value for the control coverage" (Gray Par. 0056).

Regarding Claim 5, and Claim 14,

The combination of Gray, Heckman, and Shivanna disclose the system in claim 1, as shown above. Heckman further discloses,

The system as in claim 1, wherein the devices apply one or more overlays to at least one of the measurements.

“In block 718, the processor may perform risk assessment operations for each potential findings, develop formal findings and mitigation and/or remediation strategies, and develop initial draft report” (Heckman Col. 23 Lines 58-61).

“For example, such tracking of remediation and changes may include collecting applicable artifacts/evidence, conducting and documenting applicable review and/or test activities to verify or validate remediation results, and modifying any roadmaps or corrective action plans as needed. To manage, document, and track remediation activities, the CS tool/component may include a reference document issued for each activity with an assigned severity level, assigned reference number, description of the finding, source of the finding, proposed solution, responsible person, resource requirements, target date, milestones, date completed, and next steps in the form of Plans of Actions and Milestones (POA&Ms). These remediation activities may be monitored based upon the selected finding and the associated corrective action plan. Thus, the CS tool/component in various embodiments may be used to assess the effectiveness of the organization's cybersecurity program or project by providing a high-level, strategic view of the lifecycle of the program or project, along with management of cybersecurity/privacy risks” (Heckman Col. 16 Lines 34-53).

It would have been obvious to one of ordinary skill in the art at the time of the claimed invention to have combined the risk management system of Gray, Heckman, and Shivanna with applying one or more overlays to at least one of the measurements of Heckman to monitor and/or track remediation activities and/or any resulting changes to current risk management level or current maturity level, and determine whether the changes are positive/negative and/or whether the cybersecurity/privacy program has achieved, is progressing toward, a target risk management level and/or a target maturity level.

Regarding Claim 6, and Claim 15,

The combination of Gray, Heckman, and Shivanna disclose the system in claim 1, as shown above. Heckman further discloses,

The system as in claim 1, wherein the devices utilize one or more adaptive processes to implement the compliance management system.

"FIG. 3 illustrates illustrating a method 300 by which an organization may implement a CS tool/component according to an embodiment. The method 300 may be performed by a processor or processing core of one or more computing device within the organization (i.e., an enterprise system). In various embodiments, the processor or processing core may perform the method 300 by implementing component/module(s) of the analysis and monitoring system 200. In some embodiments, steps of the method 300 may be performed by the enterprise system through human operator input and/or machine learning (e.g., provided via the manager component 118 illustrated in FIG. 1)" (Heckman Col. 15 Lines 17-28).

It would have been obvious to one of ordinary skill in the art at the time of the claimed invention to have combined the risk management system of Gray, Heckman, and Shivanna with devices that utilize one or more adaptive processes to implement the compliance management system of Heckman to monitor and/or track remediation activities and/or any resulting changes to current risk management level or current maturity level, and determine whether the changes are positive/negative and/or whether the cybersecurity/privacy program has achieved, is progressing toward, a target risk management level and/or a target maturity level.

Regarding Claim 7, and Claim 16,

The combination of Gray, Heckman, and Shivanna disclose the system in claim 6, as shown above. Gray further discloses,

The system as in claim 6, wherein the one or more adaptive processes comprise machine learning.

"Techniques described herein harnesses machine learning to produce predictive risk profiles. Techniques described herein may also produce unique insights across an entire portfolio of third parties using instant, predictive risk assessment results. Predictive risk profiles predict how a given vendor 110 will answer each question in a standardized assessment based on one or more parameters (e.g., firmographics), both outside-in data and inside-out data, and similar completed assessments on the exchange with a threshold accuracy rate (e.g., up to 85%)” (Gray Par. 0035).

Regarding Claim 8, and Claim 17,

The combination of Gray, Heckman, and Shivanna disclose the system in claim 7, as shown above. Gray further discloses,

The system as in claim 7, wherein the machine learning involves plural clients.

"A method for predictively assessing vendor risk is described. The method may include receiving, by one or more processors, one or more input parameter values for a cyber security questionnaire for a vendor, the one or more input parameter values comprising demographic data for the vendor, responsive input information for the cyber security questionnaire corresponding to at least a second vendor associated with the demographic data, rating information associated with the vendor, triggering event information associated with the vendor, or any combination thereof, generating, by the one or more processors, multiple sets of candidate response inputs for the cyber security questionnaire based at least in part on a machine learning model and the one or more input parameter values, determining, by the one or more processors for each of the multiple sets of candidate response inputs for the cyber security questionnaire, a respective set of risk score values, aggregating, by the one or more processors, each respective set of risk score values for each of the multiple sets of candidate response inputs for the cyber security questionnaire, producing, by the one or more processors, a set of predictive response outputs for the cyber security questionnaire based on a distribution of the aggregated set of risk score values for each of the multiple sets of candidate response inputs for the cyber security questionnaire, and outputting, by the one or more processors for display to a user via a graphical user interface on a user device, the set of predictive response outputs for the cyber security questionnaire" (Gray Par. 0004).

Claim(s) 9 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Gray (US 20240169293 A1), in view of Heckman (US 11431740 B2), in view of Shivanna (US 20210400076 A1), and in further view of Integrating Machine Learning with Blockchain to Ensure Data Privacy.

Regarding Claim 9, and Claim 18

The combination of Gray, Heckman, and Shivanna disclose the system in claim 8, as shown above.
The combination of Gray, Heckman, and Shivanna fail to disclose the machine learning not exposing any information across clients. Integrating Machine Learning with Blockchain to Ensure Data Privacy, however, does disclose The system as in claim 8, wherein the machine learning does not expose any information across clients. "In the data analysis process, the 2nd level after defining the goal stage is the data collection stage. The data is collected in various manners randomly or directly from the users. When the data is collected randomly so it will not be possible to classify which data to be categorized as private and which not to be. The data which are collected directly from the users, where the users can classify by their-selves which data to be considered as private and which are not. So after the data collection stage, there are two streams of data generated: 1)Private & General data are categorised & classified. 2) Random data doesn't have any private & general classification. The 2nd stream of data is fed to the machine learning-1 module which is designed & trained to classify and categorize Private & General data from the initial random data stream. The 1st category of the data stream is directly fed to the blockchain module which is the just immediate next stage of the Machine Learning-1 stage. The details of the Blockchain module will be discussed later in this section. When data is collected from different users if the user is well versed about what is private data & what is general data then the user can identify which data to be considered as private & which to be general. So that data can be directly fed to the blockchain module. If the user is not enough aware to differentiate between private and general data, then these data to be fed to the Machine Learning-1 module. Machine Learning-1 module is designed to classify & categorized private data & general data. 
We can train the machine by using the 1st category of the data stream which is directly collected from responsible & well-versed users. After the data is fed to the Blockchain module, the users who classify their own private & public data will have given a choice to operate their node or a machine-generated node can be inserted in the blockchain network. Those who can't operate or create their node in the Blockchain network by themselves Machine Learning-1 Module will generate nodes and add them to the Blockchain network module. The private data of each node is encrypted and the owner identity of each node is just a hash a value which is almost impossible to know. All the data is store in the shared ledger. After this stage, the data analysis process will continue as described previously. After that the data is stored in the shared ledger it is fed to the next data cleaning stage" (Integrating Machine Learning with Blockchain to Ensure Data Privacy Page 5) It would have been obvious to one of ordinary skill in the art at the time of the claimed invention to have combined the system of measuring risk profiles of Gray, Heckman, and Shivanna with machine learning not exposing information of clients of Integrating Machine Learning with Blockchain to Ensure Data Privacy since when there are different parties involved in the analysis process & the data flow occurs between them, the trust issue arises. Blockchain solves that problem by creating a decentralized trust-less environment. The authors of this paper [10] discussed how a permissioned blockchain network can be developed to ensure data privacy, they also proposed a privacy aware PKI system (Integrating Machine Learning with Blockchain to Ensure Data Privacy). Response to Arguments Applicant's arguments filed 08/14/2025 with respect to 35 U.S.C. § 101, have been fully considered but they are not persuasive. Applicant argues that humans are not devices that “utilize adaptive machine learning”. 
The Examiner respectfully disagrees. MPEP 2106.04(a)(2)(II) states that a claimed invention is directed to certain methods of organizing human activity if the identified claim elements contain limitations that encompass fundamental economic principles or practices, commercial or legal interactions, or managing personal behavior or relationships or interactions between people (including social activities, teaching, and following rules or instructions). The Examiner submits that the identified claim elements represent a series of rules or instructions that a person or persons, with or without the aid of a computer, would follow to measure maturation management, measure risk register management, measure third-party supplier risk management, measure policy management, and quantify the measurements. Because the claim elements fall under a series of rules or instructions that a person or persons would follow to measure and quantify, the claimed invention is directed to an abstract idea. Therefore, the 101 Rejection is maintained. Applicant's arguments filed 08/14/2025 with respect to 35 U.S.C. § 103, have been fully considered but they are not persuasive. The Applicant argues that Gray and Heckman do not disclose adaptive machine learning. The Examiner agrees that Gray and Heckman do not explicitly teach adaptive machine learning, but Shivanna does teach adaptive machine learning as shown in the updated rejection above. The 103 Rejection is maintained. Conclusion Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. 
In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. Any inquiry concerning this communication or earlier communications from the examiner should be directed to Emily M Kraisinger whose telephone number is (703)756-4583. The examiner can normally be reached M-F 7:30 AM -4:30 PM. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jessica Lemieux can be reached at 571-270-3445. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). 
If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /E.M.K./Examiner, Art Unit 3626 /JESSICA LEMIEUX/Supervisory Patent Examiner, Art Unit 3626

Prosecution Timeline

Aug 22, 2023: Response after Non-Final Action
May 14, 2025: Non-Final Rejection mailed — §101, §103
Aug 14, 2025: Response Filed
Oct 08, 2025: Final Rejection mailed — §101, §103
Nov 21, 2025: Interview Requested
Nov 21, 2025: Response after Non-Final Action
Dec 10, 2025: Applicant Interview (Telephonic)
Dec 10, 2025: Examiner Interview Summary

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12639721: METHOD AND SYSTEM FOR IDENTIFYING AND TRACING PRODUCT, ELECTRONIC DEVICE, AND MEDIUM (2y 0m to grant, granted May 26, 2026)
Patent 12602662: INTELLIGENT GENERATION OF JOB PROFILES (3y 5m to grant, granted Apr 14, 2026)
Patent 12499454: ROBUST ARTIFACTS MAPPING AND AUTHORIZATION SYSTEMS AND METHODS FOR OPERATING THE SAME (7m to grant, granted Dec 16, 2025)
Patent 12223511: EMOTION ANALYSIS USING DEEP LEARNING MODEL (3y 2m to grant, granted Feb 11, 2025)
Patent 12217271: SYSTEMS AND METHODS FOR AI INTEGRATED COMPLIANCE AND DATA MANAGEMENT (8m to grant, granted Feb 04, 2025)
Study what changed to get past this examiner. Based on 5 most recent grants.

Prosecution Projections

Expected OA Rounds: 2-3
Grant Probability: 33%
With Interview: 78% (+45.5%)
Median Time to Grant: 2y 6m (~0m remaining)
PTA Risk: Moderate
Based on 58 resolved cases by this examiner. Grant probability derived from career allowance rate.
