DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Election/Restrictions
Applicant’s election without traverse of Group I (Claims 1-10) in the reply filed on 12/19/2025 is acknowledged.
Claims 11-15, 16-20 withdrawn from further consideration pursuant to 37 CFR 1.142(b) as being drawn to a nonelected (Group II and III), there being no allowable generic or linking claim. Election was made without traverse in the reply filed on 12/19/2025.
Claim Rejections – 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 1-10 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. The claim recites
receive, from a user device, a request to onboard the SaaS platform;
generate, using a machine learning model, a form with a set of questions associated with the SaaS platform, wherein a portion of the form is populated with at least one suggested answer;
transmit, to an administrator device associated with the SaaS platform, a link to the form;
receive, from the administrator device, a set of responses to the set of questions in the form;
provide the set of responses to an assessment model, in order to receive a set of risk scores associated with the SaaS platform;
transmit, to the user device, a report including the set of risk scores;
monitor a configuration associated with the SaaS platform for a detected change;
transmit, to the administrator device, an additional question in response to the detected change;
receive, from the administrator device, an additional response to the additional question;
provide the additional response to the assessment model, in order to receive an updated set of risk scores associated with the SaaS platform; and
transmit, to the user device, a report including the updated set of risk scores.
These limitations, as drafted, is a process that, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components. That is, other than reciting “a user device, an administrator device” nothing in the claim element precludes the step from practically being performed in the mind. If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components, then it falls within the “Mental Processes” grouping of abstract ideas. Accordingly, the claim recites an abstract idea.
This judicial exception is not integrated into a practical application. In particular, the claim recites transmit, to the user device, a report…; transmit, to the administrator device, an additional question…; receive, an additional response; provide the additional response to the assessment model. These steps are recited at a high-level of generality such that it amounts no more than mere instructions to apply the exception using a generic computer component. Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. The claim is directed to an abstract idea.
The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional elements mentioned above, amounts to no more than mere instructions to apply the exception using a generic computer component. Mere instructions to apply an exception using a generic computer component cannot provide an inventive concept. Claims 1-10 are not patent eligible.
Examiner’s note
Claims 1-10 are not rejected under prior art(s).
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.
Claim 5 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Claim 5 recites “…wherein the assessment model comprises a set of rules that map answers to risk scores”. There is insufficient antecedent basis for this limitation in the claim. Examiner suggests changing “risk scores” to “the set of risk scores”. Appropriate correction is required.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure (see PTO-form 892).
The following Patents and Papers are cited to further show the state of the art at the time of Applicant’s invention with respect to automatically assessing a SaaS platform.
Mullins et al (Pub. No. US 2021/0241192); “Policy-Based Completion of Third-Party Risk Assessments”;
-Teaches a risk assessment creator can specify one or more policies, such as rule-based policies, that annotate the created risk assessments with metadata specifying one or more conditions that influence the completion of the risk assessment…see par. 22.
Eshman et al (Pub. No. US 2024/0039946); “Cybersecurity Risk Assessment and Remediation Tool”;
-Teaches the cybersecurity system can be configured to generate recommendations to improve the score and cybersecurity readiness…see par. 24-25
Gabay et al (Pub. No. US 2020/0184847); “A System and Method for On-Premise Cyber Training”;
-Teaches the assessment system can provide the feedback based on analysis of a form comprising questions to be answered by the security analyst, during, or after finalizing, a training exercise…see par. 103.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to GHAZAL B SHEHNI whose telephone number is (571)270-7479. The examiner can normally be reached Mon-Fri 9am-5pm PCT.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Philip Chea can be reached at 5712723951. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/GHAZAL B SHEHNI/ Primary Examiner, Art Unit 2499