Prosecution Insights
Last updated: April 19, 2026
Application No. 18/380,273

METHODS AND APPARATUS TO MANAGE SINGLE-COMPLIANCE DESIGNS FOR CLOUD, ON-PREMISES AND DARK SITE DEPLOYMENTS

Non-Final OA §101§102
Filed: Oct 16, 2023
Examiner: NGUYEN, DUY KHUONG THANH
Art Unit: 2199
Tech Center: 2100 — Computer Architecture & Software
Assignee: VMware, Inc.
OA Round: 1 (Non-Final)
Grant Probability: 82% (Favorable)
OA Rounds: 1-2
To Grant: 2y 9m
With Interview: 99%

Examiner Intelligence

Grants 82% — above average
Career Allow Rate: 82% (440 granted / 539 resolved; +26.6% vs TC avg)
Interview Lift: +35.2% (strong +35% interview lift; resolved cases with interview)
Typical timeline: 2y 9m avg prosecution; 38 currently pending
Career history: 577 total applications across all art units

Statute-Specific Performance

§101: 13.3% (-26.7% vs TC avg)
§103: 59.8% (+19.8% vs TC avg)
§102: 6.3% (-33.7% vs TC avg)
§112: 9.6% (-30.4% vs TC avg)
Based on career data from 539 resolved cases

Office Action

§101 §102
Notice of Pre-AIA or AIA Status

1. The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

2. This is the initial office action based on the application filed on October 16th, 2023, which claims 1-28 are presented for examination.

Status of Claims

3. Claims 1-28 are pending, of which claims 1, 11 and 19 are in independent form.

Priority

4. The instant application has a priority INDIA 202341048929 07/20/2023

The Office's Note:

5. The Office has cited particular paragraphs / columns and line numbers in the reference(s) applied to the claims above for the convenience of the Applicant. Although the specified citations are representative of the teachings of the art and are applied to specific limitations within the individual claim(s), other passages and figures may apply as well. It is respectfully requested from the Applicant in preparing responses, to fully consider the references in entirety as potentially teaching all or part of the claimed invention, as well as the context of the cited passages as taught by the prior art or relied upon by the Examiner.

Claim Rejections - 35 USC § 101

35 U.S.C. 101 reads as follows: Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

6. Claims 1-28 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more.

Claims 1, 11 and 19 recite limitations of update a compliance rule based on a target compliance definition to generate a target compliance rule, the compliance rule corresponding to a resource in a software defined data center; and output configuration update information based on a comparison of the target compliance rule with a current resource configuration, the current resource configuration corresponding to the resource in the software defined data center.

Step 2A Prong One: the limitation of claim 1, “update a compliance rule based on a target compliance definition to generate a target compliance rule, the compliance rule corresponding to a resource in a software defined data center”, as drafted, is a process that, under its broadest reasonable interpretation, covers performance of the limitation in the human mind. That is, nothing in the claim element precludes the step from practically being performed in the human mind (see specification paragraph 0077 - "....For example, an administrator or user 112 (FIG. 1) may update or add new compliance controls based on updated regulatory standards, updated industry standards, updated customer policies, updated enterprise policies, etc...."). If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in the mind, then it falls within the “Mental Processes” grouping of abstract ideas. Accordingly, the claim recites an abstract idea.

Step 2A Prong Two: The judicial exception is not integrated into a practical application.
In particular, the claim recites additional elements “output configuration update information based on a comparison of the target compliance rule with a current resource configuration, the current resource configuration corresponding to the resource in the software defined data center” are recited at a high-level of generality such that it amounts to no more than mere instructions to apply the exception using generic computer, and/or mere computer components do nothing more than add insignificant extra solution activity to the judicial exception of merely output configuration update information. Accordingly, the additional elements do not integrate the recited judicial exception into a practical application and the claim is therefore directed to the judicial exception. See MPEP 2106.05(d).

Step 2B: The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception. The limitation “output configuration update information based on a comparison of the target compliance rule with a current resource configuration, the current resource configuration corresponding to the resource in the software defined data center” is recognized by the courts as well-understood, routine, and conventional activities when they are claimed in a merely generic manner (see MPEP 2106.05(d)). Accordingly, the claims 1-28 are not patent eligible under 35 USC 101.

Claim Rejections - 35 USC § 102

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.

6. Claims 1-28 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Calvo et al. (US 10949406).

Claim 1 is rejected, Calvo teaches a system comprising: interface circuitry (fig.
8, processors 3010A-310N); instructions (column 14, line 16-64, instructions); and programmable circuitry to at least one of instantiate or execute the instructions (column 14, line 16-64, processors and instructions) to: update a compliance rule based on a target compliance definition to generate a target compliance rule, the compliance rule corresponding to a resource in a software defined data center (Calvo, US 10949406, column 4, line 47-67, the selected compliance pack 171A may be deployed to the selected resources 185 using a package deployment component 140. In deploying a compliance pack to a set of resources, the package deployment 140 may store an association between the selected compliance pack 171A and the target resources 185. For each of the target resources 185, the system 100 may perform rule evaluation 150 for all the rules 172A in the compliance pack 171A. Column 13, line 8-37, FIG. 6 may be executed when a client publishes a custom compliance pack. The client 10 may request to publish a new template or an update to an existing template. In the latter case, the existing compliance pack may have been previously deployed in some accounts or organizations. A template create/update request handler 643 may receive the publishing request. The request handler 643 may check whether the approval status 610 of the pack. If not approved, the publishing request may be rejected. If the pack has been approved, the request handler 643 may fetch the related artifacts and determine which compliance pack components should be updated for the request. For creation of a new pack, the settings, artifacts, rules, and actions may be updated. For an update to an existing pack, only the modified settings, artifacts, rules, and actions may be updated, as identified using a template diff generator 641. 
The request handler 643 may create a cloud resource management template 642 and call the cloud resource manager 360 to deploy the latest changes to the target accounts 380A and 380B through 380Z. If the stack creation fails, the cloud resource manager 360 may roll back the intermediate changes. If the stack creation succeeds, the request handler 643 may update the information in various compliance pack tables. Using the notification service 390, the workflow may inform the client 10 or other user(s) of the results of the publishing.); and output configuration update information based on a comparison of the target compliance rule with a current resource configuration, the current resource configuration corresponding to the resource in the software defined data center(Calvo, column 4, line 47-67, For each of the target resources 185, the system 100 may perform rule evaluation 150 for all the rules 172A in the compliance pack 171A. Rule evaluation 150 may include gathering relevant data that the rules 172A require as input and then determining whether the resource is compliant or noncompliant with the rule. For resources found to be noncompliant, the system 100 may perform automated remediation 160. The automated remediation 160 may include performing one or more of the remedial actions 175A as associated with the relevant rule(s) in the compliance pack 171A. Remedial actions 175A may result in notification of noncompliance to relevant users or other notification targets. Remedial actions 175A may place a previously noncompliant resource in compliance with the rules 172A.). 
Claim 2 is rejected for the reasons set forth hereinabove for claim 1, Calvo teaches the system of claim 1, wherein the compliance rule corresponds to a first compliance pack, the first compliance pack including a plurality of second compliance rules, the first compliance pack corresponding to a non-cloud resource, the programmable circuitry to access a second compliance pack including a plurality of third compliance rules, the second compliance pack corresponding to a cloud resource (Calvo, column 7, line 64 to column 8, line 12, As shown in the example of FIG. 1A, the target resources may be hosted in a single provider network 190. In one embodiment, the provider network 190 may be the same entity that offers the system 100 as well as the target resources 185. As shown in the example of FIG. 1B, the target resources 185 and 186 may be hosted in the provider network 190 and one or more other environments 191, such as other multi-tenant provider networks and/or customer premises. The environment illustrated in FIG. 1B may be referred to as a hybrid cloud environment. External resources 186 hosted in other provider networks or on customer premises may be managed by the system 100 using wrappers or intermediate layers that permit the system 100 to issue commands to and receive data from the external resources.). Claim 3 is rejected for the reasons set forth hereinabove for claim 1, Calvo teaches the system of claim 1, wherein programmable circuitry is to implement a compliance service for a cloud resource and a dark site resource, the programmable circuitry to perform the comparison of the target compliance rule with the current resource configuration(Calvo, column 7, line 64 to column 8, line 12, As shown in the example of FIG. 1A, the target resources may be hosted in a single provider network 190. In one embodiment, the provider network 190 may be the same entity that offers the system 100 as well as the target resources 185. As shown in the example of FIG. 
1B, the target resources 185 and 186 may be hosted in the provider network 190 and one or more other environments 191, such as other multi-tenant provider networks and/or customer premises. The environment illustrated in FIG. 1B may be referred to as a hybrid cloud environment. External resources 186 hosted in other provider networks or on customer premises may be managed by the system 100 using wrappers or intermediate layers that permit the system 100 to issue commands to and receive data from the external resources.). Claim 4 is rejected for the reasons set forth hereinabove for claim 3, Calvo teaches the system of claim 3, wherein the programmable circuitry is to configure the cloud resource based on the configuration update information (Calvo, column, line, Remedial actions 175A in a compliance pack 171A may include automated tasks or workflows to be performed for resources found to be noncompliant. Remedial actions for noncompliance may include notifying relevant users, modifying a configuration of a resource, isolating a resource, and so on. For example, a rule in an InfoSec compliance pack may be used to ensure that port 22 on any firewall or security group (cloud-based or on-premises) is not accessible to the Internet, and the port may be closed if it is found to be noncompliant with the relevant rule. Using a single compliance pack, such rules may be applied to disparate resources throughout an enterprise in a consistent manner. In one embodiment, a data structure for a compliance pack action may indicate a CompliancePackID, ActionName, ActionResourceNumber, ActionArtifactsRepositoryLocation, CreationTime, LastUpdatedTime, and UpdatedBy.). 
Claim 5 is rejected for the reasons set forth hereinabove for claim 3, Calvo teaches the system of claim 3, wherein the programmable circuitry is to cause sending of the configuration update information to a compliance agent for a non-cloud resource, the compliance agent to modify a current non-cloud resource configuration to satisfy the target compliance rule(Calvo, column, line, Remedial actions 175A in a compliance pack 171A may include automated tasks or workflows to be performed for resources found to be noncompliant. Remedial actions for noncompliance may include notifying relevant users, modifying a configuration of a resource, isolating a resource, and so on. For example, a rule in an InfoSec compliance pack may be used to ensure that port 22 on any firewall or security group (cloud-based or on-premises) is not accessible to the Internet, and the port may be closed if it is found to be noncompliant with the relevant rule. Using a single compliance pack, such rules may be applied to disparate resources throughout an enterprise in a consistent manner. In one embodiment, a data structure for a compliance pack action may indicate a CompliancePackID, ActionName, ActionResourceNumber, ActionArtifactsRepositoryLocation, CreationTime, LastUpdatedTime, and UpdatedBy.). Claim 6 is rejected for the reasons set forth hereinabove for claim 5, Calvo teaches the system of claim 5, further including the compliance agent to: compare the current non-cloud resource configuration to the target compliance rule, the target compliance rule obtained from the compliance service(Calvo, column 7, line 64 to column 8, line 12, As shown in the example of FIG. 1A, the target resources may be hosted in a single provider network 190. In one embodiment, the provider network 190 may be the same entity that offers the system 100 as well as the target resources 185. As shown in the example of FIG. 
1B, the target resources 185 and 186 may be hosted in the provider network 190 and one or more other environments 191, such as other multi-tenant provider networks and/or customer premises. The environment illustrated in FIG. 1B may be referred to as a hybrid cloud environment. External resources 186 hosted in other provider networks or on customer premises may be managed by the system 100 using wrappers or intermediate layers that permit the system 100 to issue commands to and receive data from the external resources. Calvo, column 4, line 47-67, For each of the target resources 185, the system 100 may perform rule evaluation 150 for all the rules 172A in the compliance pack 171A. Rule evaluation 150 may include gathering relevant data that the rules 172A require as input and then determining whether the resource is compliant or noncompliant with the rule. For resources found to be noncompliant, the system 100 may perform automated remediation 160. The automated remediation 160 may include performing one or more of the remedial actions 175A as associated with the relevant rule(s) in the compliance pack 171A. Remedial actions 175A may result in notification of noncompliance to relevant users or other notification targets. Remedial actions 175A may place a previously noncompliant resource in compliance with the rules 172A.); and modify the current non-cloud resource configuration based on the comparison to cause the non-cloud resource to satisfy the target compliance rule(Calvo, column, line, Remedial actions 175A in a compliance pack 171A may include automated tasks or workflows to be performed for resources found to be noncompliant. Remedial actions for noncompliance may include notifying relevant users, modifying a configuration of a resource, isolating a resource, and so on. 
For example, a rule in an InfoSec compliance pack may be used to ensure that port 22 on any firewall or security group (cloud-based or on-premises) is not accessible to the Internet, and the port may be closed if it is found to be noncompliant with the relevant rule. Using a single compliance pack, such rules may be applied to disparate resources throughout an enterprise in a consistent manner. In one embodiment, a data structure for a compliance pack action may indicate a CompliancePackID, ActionName, ActionResourceNumber, ActionArtifactsRepositoryLocation, CreationTime, LastUpdatedTime, and UpdatedBy.). Claim 7 is rejected for the reasons set forth hereinabove for claim 6, Calvo teaches the system of claim 6, wherein the non-cloud resource is an on-premises resource or a resource on a dark site(Calvo, column 7, line 64 to column 8, line 12, As shown in the example of FIG. 1A, the target resources may be hosted in a single provider network 190. In one embodiment, the provider network 190 may be the same entity that offers the system 100 as well as the target resources 185. As shown in the example of FIG. 1B, the target resources 185 and 186 may be hosted in the provider network 190 and one or more other environments 191, such as other multi-tenant provider networks and/or customer premises. The environment illustrated in FIG. 1B may be referred to as a hybrid cloud environment. External resources 186 hosted in other provider networks or on customer premises may be managed by the system 100 using wrappers or intermediate layers that permit the system 100 to issue commands to and receive data from the external resources.). 
Claim 8 is rejected for the reasons set forth hereinabove for claim 6, Calvo teaches the system of claim 6, wherein the compliance agent is to register the resource with the compliance service (Calvo, column 7, line 19-50, Using the compliance management system 100 described herein, clients (users) may easily select and deploy compliance packages to cloud-based resources to determine the policy compliance of those resources. In some embodiments, a user may deploy a compliance package with a single click (or other operation) in a user interface 110, even across an entire enterprise, and have access to a unified view of compliance across the target resources. Results of the deployment and evaluation may be provided to the user in a console (e.g., in the user interface 110) and/or via notifications. The results may include compliance scores or statuses for individual resources (e.g., compliant or noncompliant) for an individual rule. The results may include aggregate compliance scores or statuses for individual resources (e.g., compliant or noncompliant) across a set of rules. The results may include an aggregate compliance score or status for multiple resources (e.g., 80% of resources are compliant and 20% are noncompliant) for an individual rule. The results may include an aggregate compliance score or status for multiple resources (e.g., 80% of resources are compliant and 20% are noncompliant) across a set of rules. The results may indicate any remedial actions taken for noncompliant resources. For example, an instance of policy noncompliance may be remediated according to a remedial action in the corresponding compliance pack by changing the configuration of the resource to ensure compliance. In one embodiment, the results of deployment and evaluation may include one or more output artifacts that capture the compliance status of resources. 
The output artifact(s) may be usable by external systems or users, e.g., such that policy compliance auditors can certify the policy compliance of resources.). Claim 9 is rejected for the reasons set forth hereinabove for claim 6, Calvo teaches the system of claim 6, wherein the compliance agent is to send a compliance report to the compliance service through a message broker agent (Calvo, column 12, line 4-31, The deployment status checker 365 may use the notification service 390 to inform the client 10 or other relevant user(s) about the updated status of the deployment.). Claim 10 is rejected for the reasons set forth hereinabove for claim 9, Calvo teaches the system of claim 9, wherein the compliance report includes at least one of a resource name, a resource status, a resource configuration state, a deviation between a current parameter and a target parameter in the target compliance rule, or a resource identifier (Calvo, column, line, In some embodiments, a control plane associated with the compliance management system 100 may include APIs such as GetCompliancePackTemplate, PutCompliancePackTemplate, DeleteCompliancePackTemplate, PutCompliancePack, DeleteCompliancePack, and/or DescribeCompliancePack. In some embodiments, a data plane associated with the compliance management system 100 may include an API such as DescribePackLevelCompliance that reports the compliance of the target resources against the applicable rules of the compliance pack (e.g., whether a particular database instance is compliant for a set of HIPAA rules), the evaluation results of each resource type for the compliance pack (e.g., all virtual compute instances that are not HIPAA compliant), the compliance status of the requested compliance pack broken down by individual rules, and/or the compliance status of a specified list of rules within the compliance pack. 
In some embodiments, a data plane associated with the compliance management system 100 may include an API such as GetPackLevelComplianceDetails that reports which resources are leading to the noncompliance of the account with respect to a particular compliance pack (e.g., which resources are noncompliant with HIPAA rules), which rules within a compliance pack are non-compliant with respect to a given account (e.g., which rules are not met by the account), the reason behind the non-compliance of particular resources, and/or the resources that are non-compliant for a given compliance pack.).

As per claim 11, this is the medium claim to system claim 1. Therefore, it is rejected for the same reasons as above.
As per claim 12, this is the medium claim to system claim 2. Therefore, it is rejected for the same reasons as above.
As per claim 13, this is the medium claim to system claim 3. Therefore, it is rejected for the same reasons as above.
As per claim 14, this is the medium claim to system claim 4. Therefore, it is rejected for the same reasons as above.
As per claim 15, this is the medium claim to system claim 5. Therefore, it is rejected for the same reasons as above.
As per claim 16, this is the medium claim to system claim 8. Therefore, it is rejected for the same reasons as above.
As per claim 17, this is the medium claim to system claim 9. Therefore, it is rejected for the same reasons as above.
As per claim 18, this is the medium claim to system claim 10. Therefore, it is rejected for the same reasons as above.
As per claim 19, this is the method claim to system claim 1. Therefore, it is rejected for the same reasons as above.
As per claim 20, this is the method claim to system claim 2. Therefore, it is rejected for the same reasons as above.
As per claim 21, this is the method claim to system claim 3. Therefore, it is rejected for the same reasons as above.
As per claim 22, this is the method claim to system claim 4. Therefore, it is rejected for the same reasons as above.
As per claim 23, this is the method claim to system claim 5. Therefore, it is rejected for the same reasons as above.
As per claim 24, this is the method claim to system claim 6. Therefore, it is rejected for the same reasons as above.
As per claim 25, this is the method claim to system claim 7. Therefore, it is rejected for the same reasons as above.
As per claim 26, this is the method claim to system claim 8. Therefore, it is rejected for the same reasons as above.
As per claim 27, this is the method claim to system claim 9. Therefore, it is rejected for the same reasons as above.
As per claim 28, this is the medium claim to system claim 10. Therefore, it is rejected for the same reasons as above.

Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to DUY KHUONG THANH NGUYEN whose telephone number is (571)270-7139. The examiner can normally be reached Monday - Friday 0800-1630.

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lewis Bullock can be reached at 5712723759. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/DUY KHUONG T NGUYEN/
Primary Examiner, Art Unit 2199

Prosecution Timeline

Oct 16, 2023
Application Filed
Nov 25, 2025
Non-Final Rejection — §101, §102 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12596634
TESTING A MACHINE LEARNING MODEL
2y 5m to grant Granted Apr 07, 2026
Patent 12596534
Spreadsheet-Based Software Application Development
2y 5m to grant Granted Apr 07, 2026
Patent 12578935
COMPOSITION OF PATTERN-DRIVEN REACTIONS IN REAL-TIME DATAFLOW PROGRAMMING
2y 5m to grant Granted Mar 17, 2026
Patent 12578960
DISTINGUISHING PATTERN DIFFERENCES FROM NON-PATTERN DIFFERENCES
2y 5m to grant Granted Mar 17, 2026
Patent 12572333
Vehicle Electronic Control Device and Program Rewriting Method
2y 5m to grant Granted Mar 10, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.


Prosecution Projections

Expected OA Rounds: 1-2
Grant Probability: 82%
With Interview: 99% (+35.2%)
Median Time to Grant: 2y 9m
PTA Risk: Low
Based on 539 resolved cases by this examiner. Grant probability derived from career allow rate.
