Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Status of the Claims
Claims 1-20 are all the claims pending in the application.
Claims 1, 2, 4, 6-11, 13, 15-17, 19 and 20 are amended.
Claims 1-20 are rejected.
The following is a Final Office Action in response to amendments and remarks filed April 13, 2026.
Response to Arguments
Regarding the 101 rejections, the rejections are maintained for the following reasons. First, Applicant assets the claims do not recite an abstract idea essentially because the claims relate to a physical asset. Examiner respectfully does not find this assertion persuasive because analyzing and complying with regulatory requirements is fundamental economic practice even if the analysis involves a physical asset.
Second, under Step 2A Prong 2, Applicant asserts the claims are integrated into a practical application because the claims require interaction with a physical asset. Examiner respectfully does not find this assertion persuasive because monitoring and overseeing a physical asset is still fundamental economic practice.
Third, Applicant asserts the claims reflect an improvement in monitoring and controlling infrastructure assets, similar to Examples 42 and 47. Examiner respectfully does not find this assertion persuasive because a bare assertion of an improvement without the detail necessary to be apparent is not sufficient to show an improvement, see MPEP 2106.04(d)(1) (discussing MPEP 2106.05(a)). That is, it is not clear how the claims are superior to existing systems or solve a technical problem.
Fourth, under step 2B, Applicant asserts the claims reflect significantly more than the abstract idea because the claims provide a concrete technical mechanism. Examiner respectfully does not find this assertion persuasive because the claims only generic computer components. A general recitation of computer components does not reflect a concrete technical mechanism or significantly more than the abstract idea.
Regarding the 102 and 103 rejections, the rejections are withdrawn in light of the amendments to the claims. Please see below for the new rejections of the claims as amended.
In response to arguments in reference to any depending claims that have not been individually addressed, all rejections made towards these dependent claims are maintained due to a lack of reply by Applicant in regards to distinctly and specifically pointing out the supposed errors in Examiner's prior office action (37 CFR 1.111). Examiner asserts that Applicant only argues that the dependent claims should be allowable because the independent claims are unobvious and patentable over the prior art.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more.
Under Step 1 of the patent eligibility analysis, it must first be determined whether the claims are directed to one of the four statutory categories of invention. Applying Step 1 to the claims it is determined that: claims 1-9 are directed to a process; and claims 10-20 are directed to a machine.
Independent Claims
Under Step 2A Prong 1 of the patent eligibility analysis, it must be determined whether the claims recite an abstract idea that falls within one or more designated categories or “buckets” of patent ineligible subject matter that amount to a judicial exception to patentability.
The independent claims recite an abstract idea. Specifically, all the limitations of independent claim 1 recites an abstract idea because all the limitations of claim 1 recite fundamental economic principles or practices. That is, all of the limitations in claim 1 involve identifying and analyzing regulatory requirements for a regulated entity, complying with the regulatory requirements, and updating control processes based on the analysis. Analyzing and complying with regulatory requirements is fundamental economic practice. Claim 1 recites an abstract idea.
Claims 10 and 16 recite similar limitations as claim 11 and accordingly recite an abstract idea for similar reasons.
Under Step 2A Prong 2 of the patent eligibility analysis, it must be determined whether the identified, recited abstract idea includes additional elements that integrate the abstract idea into a practical application.
The additional elements of the independent claims do not integrate the abstract idea into a practical application. Claim 1 recites no additional elements. Claims 10 and 16 recite the additional elements "a memory for storing machine-readable instructions; and a processor for accessing the machine-readable instructions and executing the machine-readable instructions as operations" and a "non-transitory machine-readable medium having machine executable instructions for a virtual auditor causing a processor to execute operations", respectively. These additional elements, when considered individually or in combination, do not integrate the abstract idea into a practical application because the additional elements are recited at a high-level of generality such that it amounts to no more than mere instructions to apply the exception using generic computer components. Claims 1, 10 and 16 are directed to an abstract idea.
Under Step 2B of the patent eligibility analysis, the additional elements are evaluated to determine whether they amount to something “significantly more” than the recited abstract idea (i.e., an innovative concept).
The independent claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, claim 1 recites no additional elements and the additional elements in claims 10 and 16 amount to no more than mere instructions to apply the exception. Claims 1, 10 and 16 are not patent eligible.
Dependent Claims
The dependent claims are rejected under §101 as directed to an abstract idea for the following reasons.
Claims 2, 3, 11, 12, 17, and 18 recite the same abstract as the independent claims because monitoring operational data to identify suspicious anomalies is a part of complying with regulatory requirements.
Claims 4, 6, 7 and 13 recite the same abstract idea as the independent claims because assessing different amounts and overlaps of regulatory parameters is a part of analyzing regulatory requirements.
Claims 5 and 14 recite the additional elements of storing and accessing the inclusive evidentiary package in memory. These additional elements do not integrate the abstract idea into a practical application because the additional elements encompass a generic computer function of storing and sending data, see MPEP 2106.05(f)(2) (noting the use of computers in their ordinary capacity to receive, store, or transmit data does not integrate a judicial exception into a practical application).
Claims 8, 9, 15, 19, and 20 recite the same abstract idea as updating monitoring and control processes for CIP assets, including security functions, is a part of complying with regulatory requires (e.g., correcting issues that might not comply with regulations).
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 1-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Clark et al, US Pub. No. 2020/0050620, herein referred to as “Clark” in view of Ravi, US Pub. No. 2018/0189797, herein referred to as “Ravi”, further in view of Skare, US Pub. No. 2011/0039237, herein referred to as “Skare”.
Regarding claim 1, Clark teaches:
identifying a compliance standard for a regulated entity based on a regulatory compliance monitoring and enforcement program report (monitors rules and regulations to identify and map relevant regulations, e.g., ¶¶[0039], [0086]; see also ¶[0085] discussing Fig. 7 and creating a summary of requirements and associated tasks);
comparing evidentiary request packages to substantiate the compliance standard from a plurality of regulatory authorities including a first regulatory authority and a second regulatory authority, wherein each of the evidentiary request packages defines status indicators of parameters for the regulated entity to meet the compliance standard (determines requirements across multiple regulatory bodies and/or jurisdictions by taking a of requirements in one jurisdiction (first module) and comparing it to the requirements in a second jurisdiction (second module), ¶[0117]; see also e.g., ¶¶[0055], [0110] discussing generating regulatory reports),
and wherein a first evidentiary request package of the first regulatory authority is different than a second evidentiary request package of the second regulatory authority (determines similarity and differences between jurisdictional requirements, ¶[0117]);
generating an inclusive evidentiary package based on the comparison of the evidentiary request packages (generate a new list of compliance requirements covering the individual requirements from all jurisdictions, ¶[0117]; see also ¶[0118] discussing generating compliance steps that satisfy two or more compliance requirements from differing jurisdictions, ¶[0118]);
generating an evidentiary submittal package for the first regulatory authority based on the inclusive evidentiary package (generates reports that are specific to that regulatory body, ¶[0110]);
selecting asset of the regulated entity based on the evidentiary submittal package (takes operation data from business operations for generating report, e.g., ¶¶[0094], [0104], [0110]);
receiving operational data associated with the asset based on the evidentiary submittal package (extracts operational data, ¶[0101]);,
applying a compliance result to the compliance standard based on an analysis of the operational data (labels compliance tasks as opened, closed, etc., ¶¶[0087], [0110]).
and updating a control parameter of the asset based on the compliance result to alter at least one of a functioning, an operation, or an execution of the asset (generates alert when user is at risk of violating a regulatory compliance obligation, ¶[0109]).
However Clark does not teach but Ravi does teach:
receiving operational data associated with the asset based on the evidentiary submittal package (extracts raw data, ¶[0046] and Fig. 2)
the operational data comprising at least one status indicator corresponding to at least one parameter of the evidentiary submittal package (tags raw data with network boundaries, types of operating system employed, authentication mechanisms, and other such parameters, ¶[0046], and assigns relevant categories, ¶[0047]);
the analysis comprising comparing the at least one status indicator of the operational data to an expected operational value of the compliance standard (analyzes processed data against standard operation procedures to determine compliance, ¶[0051] and Fig. 2);
and updating a control parameter of the asset based on the compliance result to alter at least one of a functioning, an operation, or an execution of the asset (recommends preventative measures, ¶[0055] and Fig. 2).
Further, it would have been obvious before the effective filing date of the claimed invention, to combine the compliance monitoring of Clark with the compliance validation of Ravi because known work in one field of endeavor may prompt variations of it for use in the same field based on design incentives, see MPEP 2143.I.F. That is, one of ordinary skill would have recognized users of Clark would likely also be interested in validating compliance with regulations of their assets and accordingly would have modified Clark to incorporate the compliance validation of Ravi.
However the combination of Clark and Ravi does not teach but Skare does teach:
a critical infrastructure protection (CIP) asset (system is for industrial assets, e.g., Abstract, ¶[0012], including those governed by These actions of course align with the Utility's NERC Critical Infrastructure Protection (CIP) defined policy, ¶[0089])
receiving operational data associated with the CIP asset based on the evidentiary submittal package, the operational data comprising at least one status indicator corresponding to at least one parameter of the evidentiary submittal package (collects security related data with various alarms and visualizations, ¶[0031]-[0032]);
applying a compliance result to the compliance standard based on an analysis of the operational data, the analysis comprising comparing the at least one status indicator of the operational data to an expected operational value of the compliance standard (analyzes data based on various standards, ¶¶[0032]-[0033], [0053]);
and updating a control parameter of the CIP asset based on the compliance result to cause the CIP asset to alter at least one of a functioning, an operation, or an execution of the CIP asset (sets changes in the operational state, ¶¶[0036], [0043] and Fig. 7).
Further, it would have been obvious before the effective filing date of the claimed invention, to combine the compliance monitoring with validation of Clark and Ravi with the cyber security management of industrial control systems of Skare because known work in one field of endeavor may prompt variations of it for use in the same field based on design incentives, see MPEP 2143.I.F. That is, one of ordinary skill would have recognized the systems in Clark and Ravi may involve industrial control systems and accordingly would have modified Clark and Ravi to comply with requirements for industrial control systems, e.g., as in Skare.
Regarding claim 2, the combination of Clark, Ravi and Skare teaches all the limitations of claim 1 and Clark further teaches:
wherein the operational data is received from the CIP asset at a first time and from the CIP asset at a second time after the first time (extracts operational data, ¶[0101]; see also ¶[0112] discussing real-time monitoring).
However Clark does not teach but Ravi does teach:
the analysis includes analyzing the operational data of the CIP asset to identify an anomaly, the method further comprising (performs risk analysis, ¶[0051], to determine anomalous activities, ¶[0058]; see also e.g., ¶¶[0002], [0026] discussing regulated entities):
classifying the anomaly as system noise or suspicious based on an operational differential between the first time and the second time (determines categories of risk including suspicious, ¶[0058]; see also ¶[0042] discussing learning over time).
Further, it would have been obvious before the effective filing date of the claimed invention, to combine the compliance monitoring of Clark with the compliance validation of Ravi because known work in one field of endeavor may prompt variations of it for use in the same field based on design incentives, see MPEP 2143.I.F. That is, one of ordinary skill would have recognized users of Clark would likely also be interested in validating compliance with regulations of their assets and accordingly would have modified Clark to incorporate the compliance validation of Ravi.
Regarding claim 3, the combination of Clark, Ravi and Skare teaches all the limitations of claim 2 and Ravi further teaches:
wherein the compliance result applied is a vulnerable status in response to the anomaly being classified as suspicious (flags asset as non-compliant or suspicious ¶¶[0057]-[0059]).
Further, it would have been obvious before the effective filing date of the claimed invention, to combine the compliance monitoring of Clark with the compliance validation of Ravi because known work in one field of endeavor may prompt variations of it for use in the same field based on design incentives, see MPEP 2143.I.F. That is, one of ordinary skill would have recognized users of Clark would likely also be interested in validating compliance with regulations of their assets and accordingly would have modified Clark to incorporate the compliance validation of Ravi.
Regarding claim 4, the combination of Clark, Ravi and Skare teaches all the limitations of claim 1 and Clark further teaches:
wherein the first evidentiary request package has a first number of parameters and the second evidentiary request package has a second number of parameters, wherein the comparison of the evidentiary packages determines whether the first evidentiary request package or the second evidentiary request package has a larger number of parameters (determines differences between compliance requirements between jurisdictions, ¶[0119]).
Regarding claim 5, the combination of Clark, Ravi and Skare teaches all the limitations of claim 1 and Clark further teaches:
wherein the inclusive evidentiary package is stored in a memory (stores and tracks data related to compliance with regulatory obligations, ¶[0115]),
and generating the evidentiary submittal package includes accessing the memory (first and second modules used to create new list of compliance requirements are stored in system databases, ¶[0117]).
Regarding claim 6, the combination of Clark, Ravi and Skare teaches all the limitations of claim 1 and Clark further teaches:
wherein the first evidentiary request package includes a first set of parameters, the second evidentiary request package include a second set of parameters, and a third evidentiary request package includes a third set of parameters (processes rules and regulations from multiple jurisdictions, ¶[0117])
and wherein the comparison of the evidentiary packages determines whether the first evidentiary request package, the second evidentiary request package, or the third evidentiary request package has a set with this highest degree of overlapping parameters (determines similarity scores of jurisdictions, ¶¶[0117], [0119]).
Regarding claim 7, the combination of Clark, Ravi and Skare teaches all the limitations of claim 1 and Clark further teaches:
wherein generating the inclusive evidentiary package further comprises generating the inclusive evidentiary package with parameters from the first evidentiary request package and the second evidentiary request package (generates new list of compliance requirements covering the individual requirements from all jurisdictions, ¶[0117]).
Regarding claim 8, the combination of Clark, Ravi and Skare teaches all the limitations of claim 1 and Clark further teaches:
updating a monitoring parameter of the CIP asset based on the compliance result to cause the CIP asset to alter monitoring of the CIP asset (updates user’s workflow to include new tasks, rules and requirements, ¶[0104]).
However Clark does not teach but Ravi does teach:
wherein the CIP asset comprises at least one of a cyber asset, an electronic security perimeter asset, or a physical security perimeter asset (includes security subsystems, ¶¶[0016]-[0017]).
Further, it would have been obvious before the effective filing date of the claimed invention, to combine the compliance monitoring of Clark with the compliance validation of Ravi because known work in one field of endeavor may prompt variations of it for use in the same field based on design incentives, see MPEP 2143.I.F. That is, one of ordinary skill would have recognized users of Clark would likely also be interested in validating compliance with regulations of their assets and accordingly would have modified Clark to incorporate the compliance validation of Ravi.
Regarding claim 9, Clark, Ravi and Skare teaches all the limitations of claim 8 and further Clark teaches:
wherein the monitoring parameter causes the CIP asset to update security functions (tasks are assigned to cyber security, ¶[0106]).
Regarding claims 10 and 16, claims 10 and 16 recite similar limitations as claim 1 and further recite “a memory for storing machine-readable instructions; and a processor for accessing the machine-readable instructions and executing the machine-readable instructions as operations, the operations” and a “non-transitory machine-readable medium having machine executable instructions for a virtual auditor causing a processor to execute operations”, respectively. These limitations are taught by Clark, e.g., in ¶[0123]. Accordingly claim 10 and 16 are rejected for similar reasons as claim 1.
Regarding claims 11-15 and 17-20, claims 11-15 and 17-20 recite similar limitations as claims 2-5, 8 and 9 and accordingly are rejected for similar reasons as claims 2-5, 8 and 9.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to BRENDAN S O'SHEA whose telephone number is (571)270-1064. The examiner can normally be reached Monday to Friday 10-6.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Nathan Uber can be reached at (571) 270-3923. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/BRENDAN S O'SHEA/Examiner, Art Unit 3626
1 Examiner notes claims 10 and 16 refer to regional authorities instead of regulatory authorities but does not find this difference significantly alters the eligibility analysis because the concepts are generally similar and so Examiner analyzes the claims concurrently here for the sake of brevity.