CLOUD COMPUTING CYBERSECURITY MATRIX WITH OVERLAID MATURITY MODEL

DETAILED ACTION Response to Amendment This action is in response to amendment filed October 03, 2025 for the application # 18/356,299 filed on July 21, 2023. Claims 1, 6-11, and 16-20 are pending and are directed toward CLOUD COMPUTING CYBERSECURITY MATRIX WITH OVERLAID MATURITY MODEL. Any claim objection/rejection not repeated below is withdrawn due to Applicant's amendment. Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. Response to Arguments Applicant’s arguments with regards to claims 1, 6-11, and 16-20 have been fully considered, but they are moot because of new grounds of rejection. Claim Rejections - 35 USC § 102 The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action: A person shall be entitled to a patent unless – (a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention. Claims 1, 6-11, and 16-20 are rejected under 35 U.S.C. 102(a)(1) as being unpatentable over ORZECHOWSKI et al. (US 2022/0092510, Pub. Date: Mar. 24, 2022), hereinafter referred to as ORZECHOWSKI. As per claim 1, ORZECHOWSKI teaches a computer system for providing a maturity model (FIG. 6 illustrates an example of the maturity score/scoring compartments used in assessing the maturity of an organization, ORZECHOWSKI, [0027]), comprising: one or more processors; and non-transitory computer-readable storage media encoding instructions which, when executed by the one or more processors (An apparatus for practicing various embodiments of the present invention may involve one or more computers ( or one or more processors within the single computer) and storage systems containing or having network access to computer program(s) coded in accordance with various methods described herein, and the method steps of the invention could be accomplished by modules, routines, subroutines, or subparts of a computer program product. ORZECHOWSKI, [0044]), causes the computer system to: use a cloud computing cybersecurity matrix that organizes a suite of cybersecurity capabilities associated with a cloud computing environment, wherein the cloud computing cybersecurity matrix includes technology tiers specific to the cloud computing environment (ORZECHOWSKI, FIG. 5A -5C), the technology tiers including identity, data, applications and workloads, services, and infrastructure (Table-I illustrates an example list of technology stacks, products, and vendors for which custom rules for data collection may be defined in the spirit of representing the data type, ORZECHOWSKI, [0056]); and overlay the maturity model onto the cloud computing cybersecurity matrix having the technology tiers specific to the cloud computing environment, the maturity model measuring a maturity level of cloud security capabilities and enabling technologies associated with the cloud computing environment, wherein the maturity level includes a maturity scale to rate each of the cloud security capabilities and enabling technologies associated with the cloud computing environment , and wherein the maturity scale has maturity tiers including: traditional_ with capabilities leveraging manual processes with minimal integration, static security, and limited visibility; advanced, with capabilities leveraging some automation and integration of processes, conditional policies, and centralized visibility; and optimal, with fully automated processes, conditional and dynamic policies, and comprehensive visibility (ORZECHOWSKI, [0057] –[0065], FIG.2). As per claim 6, ORZECHOWSKI teaches the computer system of claim 1, comprising further instructions which, when executed by the one or more processors, causes the computer system to display a dashboard showing the cloud computing cybersecurity matrix with the maturity model overlaid thereon (FIG. 9 is an example dashboard illustrating security maturity overview of an organization in accordance with an embodiment of the present disclosure. ORZECHOWSKI, [0030]). As per claim 7, ORZECHOWSKI teaches the computer system of claim 6, wherein the dashboard further includes: a current maturity; and a percentage completion for each maturity level (FIG. 12 is an example dashboard illustrating a maturity score of the organization and maturity score against each of the individual attributes in accordance with an embodiment of the present disclosure. A user can access the dashboard 1200 to see the potential maturity score and live maturity score of an organization. The user may track the maturity score against each component through the dashboard 1200. ORZECHOWSKI, [0092]). As per claim 8, ORZECHOWSKI teaches the computer system of claim 6, wherein the dashboard is configured to receive an automated feed of current prioritizations and capabilities for the cloud computing environment (The system may generate security recommendation 1206, such as add CASB, add network, and add firewall and present the recommendation through the interface 1200. The recommendations 1206 demonstrates the top data source recommendations as outputs based on the maturity model and gaps in an organization's security operations visibility. The interface 1200 may present a maturity score leaderboard 1208 to show the comparative industry vertical maturity score for baselining maturity against peer organizations. The interface 1200 provides to a user to check its organization's maturity score and compare it against the industry averages. A user through interface 1200 may initiate calculation of the actual maturity score of the organization based active data sources by clicking the button 1210. Once a user has modeled all data sources for their organization, they can then "request my actual score" through the interface 1210. On click of the button 1208, the system starts collecting, storing, and analyzing the maturity score and can provide the actual score vs. the potential score through the dashboard. ORZECHOWSKI, [0093]). As per claim 9, ORZECHOWSKI teaches the computer system of claim 1, comprising further instructions which, when executed by the one or more processors, causes the computer system to use one or more benchmarks to rate the maturity level of the cloud security capabilities and enabling technologies associated with the cloud computing environment (the processor may be configured to perform operations that further include tracking any remediation activities based on the integrated result and monitoring any changes to the current risk management level or the current maturity level for the cybersecurity/review program. ORZECHOWSKI, [0006]). As per claim 10, ORZECHOWSKI teaches the computer system of claim 9, wherein the one or more benchmarks are based upon one or more of: industry standards; competitor standard; and priorities and risks (Security maturity assessment system 104 may perform compliance maturity assessment to determine a compliance score of the organization against different compliance frameworks 110. Applicable compliance framework (s) for an organization may differ depending on the location of its IT resources, size of the organization, nature of the business, type of data that it processes, and other such factors. System 104 may find one or more applicable compliance requirements and suitable compliance frameworks against which the compliance maturity assessment 118 may be performed. Example compliance frameworks may include but are not limited to MITRE ATT &CK, Center for Internet (CIS) Benchmark, Lockheed Killchain, and National Institute of Standards and Technology (NIST) Cyber Security Framework (CSF). System 104 may determine compliance coverage based on active use cases. ORZECHOWSKI, [0064]). Claims 11, and 16-20 have limitations similar to those treated in the above rejection, and are met by the references as discussed above, and are rejected for the same reasons of anticipation as used above. Conclusion Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. Any inquiry concerning this communication or earlier communications from the examiner should be directed to OLEG KORSAK whose telephone number is (571)270-1938. The examiner can normally be reached on 5:00 AM- 4:00 PM. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Rupal Dharia can be reached on (571) 272-3880. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /OLEG KORSAK/Primary Examiner, Art Unit 2492