DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 1/28/26 has been entered.
Remarks
The request for continuation was received on 1/28/26. Claims 1-8, 11-19, and 21-23 are pending in the application. Claims 9, 10, and 20 have been canceled and claims 21-23 have been added. Applicants' arguments have been carefully and respectfully considered.
Claims 1-8, 11-19, and 21-23 are rejected under 35 U.S.C. 101.
Claims 1-4 and 22 are rejected under 35 U.S.C. 112.
Claim(s) 1, 3, and 4 are rejected under 35 U.S.C. 103 as being unpatentable over Bulut et al. (US 2021/0357392), and further in view of Girulat, Jr. (US 10,528,545).
Claim 2 is rejected under 35 U.S.C. 103 as being unpatentable over Bulut in view of Girulat, Jr., and further in view of Massand (US 2014/0372370).
Claim(s) 5 and 6 are rejected under 35 U.S.C. 103 as being unpatentable over Bulut et al. (US 2021/0357392), and further in view of Pondicherry Murugappan et al. (US 2020/0111023).
Claims 7-8, 11, and 15-17 are rejected under 35 U.S.C. 103 as being unpatentable over Bulut et al. (US 2021/0357392), and further in view of Lim (US 2008/0060051).
Claim(s) 12 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Bulut in view of Lim, and further in view of Halko et al. (US 2023/0334025).
Claim 14 is rejected under 35 U.S.C. 103 as being unpatentable over Bulut in view of Lim, and further in view of Straus (US 8,209,278).
Claim 18 is rejected under 35 U.S.C. 103 as being unpatentable over Bulut in view of Lim, and further in view of Milind et al. (US 2023/0306134).
Claim 19 is rejected under 35 U.S.C. 103 as being unpatentable over Bulut in view of Lim, and further in view of Gutierrez et al. (US 2022/0309037).
Claim 22 is rejected under 35 U.S.C. 103 as being unpatentable over Bulut in view of Pondicherry Murugappan, and further in view of Gates et al. (US 12,248,974).
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.
Claims 1-4 and 22 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Claim 1 recites the limitation "the one or more measures" in the “generating and outputting” limitation. There is insufficient antecedent basis for this limitation in the claim.
Claim 7 recites the limitation "the organization’s implementation database" in the step (a) limitation. There is insufficient antecedent basis for this limitation in the claim.
Claim 22 recites the limitation "the matching score." There is insufficient antecedent basis for this limitation in the claim. Claim 5, from which claim 22 depends, discusses “matching scores” and “the respective matching score,” however, it is unclear what "the matching score" of claim 22 refers to.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 1-8, 11-19, and 21-23 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more.
Step 2A, Prong One asks: Is the claim directed to a law of nature, a natural phenomenon (product of nature) or an abstract idea? See MPEP 2106.04 Part I. If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components, then it falls within the “Mental Processes” grouping of abstract ideas. See MPEP 2106.04(a).
With respect to claim 1, the limitation of “identifying a second requirement record”, as drafted, is a process that, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components. That is, nothing in the claim element precludes the step from practically being performed in the mind. For example, “identifying” in the context of this claim encompasses the user analyzing data. Similarly, the limitation of “comparing the first requirement portion and the second requirement portion”, as drafted, is a process that, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components. For example, “comparing” in the context of this claim encompasses the user mentally evaluating data. The limitation of “calculating a respective score”, as drafted, is a process that, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components. For example, “calculating” in the context of this claim encompasses the user mentally determining changes between data versions. If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components, then it falls within the “Mental Processes” grouping of abstract ideas. Accordingly, the claim recites an abstract idea.
At step 2a, prong two, this judicial exception is not integrated into a practical application. The claim recites “receiving a selection”, “obtaining first and second directories”, “obtaining respective first requirement portion”, “obtaining second requirement portion”, and “generating and outputting a visualization.” These elements do not integrate the abstract idea into a practical application because they do not impose a meaningful limit on the judicial exception and provide only insignificant extra solution activity that is mere data gathering in conjunction with the abstract idea.
The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional elements amount to no more than mere instructions to apply an exception using generic computer components. Mere instructions to apply an exception using generic computer components cannot provide an inventive concept.
With respect to “receiving a selection”, “obtaining first and second directories”, “obtaining respective first requirement portion”, and “obtaining second requirement portion”, the courts have found limitations directed towards data gathering to be well-understood, routine, and conventional. See MPEP 2106.05(d)(II). Receiving or transmitting data over a network, e.g., using the Internet to gather data, Symantec, 838 F.3d at 1321, 120 USPQ2d at 1362 (utilizing an intermediary computer to forward information).
With respect to “generating and outputting a visualization”, the courts have found limitations directed towards presenting to be well-understood, routine, and conventional. See MPEP 2106.05(d)(II). Presenting offers and gathering statistics, OIP Techs., 788 F.3d at 1362-63, 115 USPQ2d at 1092-93.
Considering the additional elements individually and in combination and the claim as a whole, the additional elements do not provide significantly more than the abstract idea. The claim is not patent eligible.
With respect to claims 2-4, the limitations are directed towards the abstract ideas of “generating a redline version of the first requirement portion and the second requirement portion” of claim 2 and “determining first classifications” and “generating aggregated statistics” of claim 4. Under its broadest reasonable interpretation, these cover performance of the limitation in the mind but for the recitation of generic computer components. For example, with the assistance of pen and paper a human could generate a redline version of the first content and second content. Secondly, a user could review data in mentally determine first classifications and generate aggregated statistics.
The claims include additional elements including outputting data. The courts have found limitations directed towards presenting to be well-understood, routine, and conventional. See MPEP 2106.05(d)(II). Presenting offers and gathering statistics, OIP Techs., 788 F.3d at 1362-63, 115 USPQ2d at 1092-93. The additional elements include providing the first requirement portion in the second requirement portion to a fourth trained machine learning tool, receiving… a summary of changes, retrieving second classifications. These relate to data gathering which has been found by the courts to be well-understood, routine, and conventional. See MPEP 2106.05(d)(II). Receiving or transmitting data over a network, e.g., using the Internet to gather data, Symantec, 838 F.3d at 1321, 120 USPQ2d at 1362 (utilizing an intermediary computer to forward information).
Finally, the these claims include limitations directed towards outputting the redline version, outputting the summary, and outputting the aggregated statistics. The courts have found limitations directed towards presenting to be well-understood, routine, and conventional. See MPEP 2106.05(d)(II). Presenting offers and gathering statistics, OIP Techs., 788 F.3d at 1362-63, 115 USPQ2d at 1092-93.
Claim 3 recites a fourth trained machine learning tool. This is recited at a high level and comprises generic computer functions.
With respect to claim 5, Step 2A, Prong One asks: Is the claim directed to a law of nature, a natural phenomenon (product of nature) or an abstract idea? See MPEP 2106.04 Part I. If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components, then it falls within the “Mental Processes” grouping of abstract ideas. See MPEP 2106.04(a).
The limitation of “identifying a plurality of the controls” and “identifying one or more of the sub controls”, as drafted, is a process that, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components. That is, nothing in the claim element precludes the step from practically being performed in the mind. For example, “identifying” in the context of this claim encompasses the user analyzing data. The limitation of “mapping the requirements of the regulation to the organization’s implementation”, as drafted, is a process that, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components. That is, nothing in the claim element precludes the step from practically being performed in the mind. For example, “mapping” in the context of this claim encompasses the user mentally deciding how the data matches. The limitation of “determining matching scores”, as drafted, is a process that, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components. That is, nothing in the claim element precludes the step from practically being performed in the mind. For example, “determining” in the context of this claim encompasses the user mentally deciding the level of matching. The limitation of “ranking the entries”, as drafted, is a process that, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components. For example, “ranking” in the context of this claim encompasses the user thinking that the certain entries should be ranked higher than others. The limitation of “selecting a highest-ranking subset of the entries”, as drafted, is a process that, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components. That is, nothing in the claim element precludes the step from practically being performed in the mind. For example, “selecting” in the context of this claim encompasses the user mentally deciding on appropriate data.
If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components, then it falls within the “Mental Processes” grouping of abstract ideas. Accordingly, the claim recites an abstract idea.
At step 2a, prong two, this judicial exception is not integrated into a practical application. The claim recites a processor to execute the operations, however, this is recited as a high-level of generality (i.e., as a generic processor performing a generic computer function) such that it amounts to no more than mere instructions to apply the exception using a generic computer component. Additionally, the claim recites “storing, in an extraction database, a respective first record”, “storing, in the extraction database, a respective second record”, “outputting the respective key” and “outputting … an identifier.” These elements do not integrate the abstract idea into a practical application because they do not impose a meaningful limit on the judicial exception and provide only insignificant extra solution activity that is mere data gathering in conjunction with the abstract idea.
The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional elements amount to no more than mere instructions to apply an exception using generic computer components. Mere instructions to apply an exception using generic computer components cannot provide an inventive concept.
With respect to “storing, in an extraction database, a respective first record” and “storing, in the extraction database, a respective second record”, the courts have found limitations directed towards storing to be well-understood, routine, and conventional. See MPEP 2106.05(d)(II). Electronic recordkeeping, Alice Corp. Pty. Ltd. v. CLS Bank Int'l, 573 U.S. 208, 225, 110 USPQ2d 1984 (2014) (creating and maintaining "shadow accounts") and “storing and retrieving information in memory, Versata Dev. Group, Inc. v. SAP Am., Inc., 793 F.3d 1306, 1334, 115 USPQ2d 1681, 1701 (Fed. Cir. 2015).
With respect to “outputting the respective key” and “outputting … an identifier”, the courts have found limitations directed towards storing and presenting to be well-understood, routine, and conventional. See MPEP 2106.05(d)(II). Electronic recordkeeping, Alice Corp. Pty. Ltd. v. CLS Bank Int'l, 573 U.S. 208, 225, 110 USPQ2d 1984 (2014) (creating and maintaining "shadow accounts") and “storing and retrieving information in memory, Versata Dev. Group, Inc. v. SAP Am., Inc., 793 F.3d 1306, 1334, 115 USPQ2d 1681, 1701 (Fed. Cir. 2015). Presenting offers and gathering statistics, OIP Techs., 788 F.3d at 1362-63, 115 USPQ2d at 1092-93.
Considering the additional elements individually and in combination and the claim as a whole, the additional elements do not provide significantly more than the abstract idea. The claim is not patent eligible.
With respect to claim 6, the limitations are directed towards calculating a first score, calculating a second score, and calculating the matching score of the given entries based on the first score and the second score. Under its broadest reasonable interpretation, this covers performance of the limitation in the mind but for the recitation of generic computer components. That is, nothing in the claim element precludes the step from practically being performed in the mind.
With respect to claim 7, Step 2A, Prong One asks: Is the claim directed to a law of nature, a natural phenomenon (product of nature) or an abstract idea? See MPEP 2106.04 Part I. If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components, then it falls within the “Mental Processes” grouping of abstract ideas. See MPEP 2106.04(a).
The limitation of “analyzing coverage” and “identify gaps”, as drafted, is a process that, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components. That is, nothing in the claim element precludes the step from practically being performed in the mind. For example, “analyzing” and “identify” in the context of this claim encompasses the user mentally analyzing the documents to determine how they are different. The limitation of “determining respective coverage scores” and “determining a classification of the coverage”, as drafted, is a process that, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components. That is, nothing in the claim element precludes the step from practically being performed in the mind. For example, “determining” in the context of this claim encompasses the user mentally determining how much of the data has been previously stored.
If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components, then it falls within the “Mental Processes” grouping of abstract ideas. Accordingly, the claim recites an abstract idea.
At step 2a, prong two, this judicial exception is not integrated into a practical application. The claim recites a processor to execute the operations, however, this is recited as a high-level of generality (i.e., as a generic processor performing a generic computer function) such that it amounts to no more than mere instructions to apply the exception using a generic computer component. Additionally, the claim recites “generating and outputting a visualization.” These elements do not integrate the abstract idea into a practical application because they do not impose a meaningful limit on the judicial exception and provide only insignificant extra solution activity that is mere data gathering in conjunction with the abstract idea.
The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional elements amount to no more than mere instructions to apply an exception using generic computer components. Mere instructions to apply an exception using generic computer components cannot provide an inventive concept.
With respect to “generating and outputting a visualization”, the courts have found limitations directed towards presenting to be well-understood, routine, and conventional. See MPEP 2106.05(d)(II). Presenting offers and gathering statistics, OIP Techs., 788 F.3d at 1362-63, 115 USPQ2d at 1092-93.
Considering the additional elements individually and in combination and the claim as a whole, the additional elements do not provide significantly more than the abstract idea. The claim is not patent eligible.
With respect to claim 8, the limitations are directed towards the mental process of “identifying those features which are not covered by the entries.” Under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components. That is, nothing in the claim element precludes the step from practically being performed in the mind. For example, “identifying” in the context of this claim encompasses the user mentally identifying data has not been previously stored.
At step 2a, prong two, this judicial exception is not integrated into a practical application. The claim recites “outputting data.” These elements do not integrate the abstract idea into a practical application because they do not impose a meaningful limit on the judicial exception and provide only insignificant extra solution activity that is mere data gathering in conjunction with the abstract idea.
With respect to “outputting data”, the courts have found limitations directed towards storing and presenting to be well-understood, routine, and conventional. See MPEP 2106.05(d)(II). Electronic recordkeeping, Alice Corp. Pty. Ltd. v. CLS Bank Int'l, 573 U.S. 208, 225, 110 USPQ2d 1984 (2014) (creating and maintaining "shadow accounts") and “storing and retrieving information in memory, Versata Dev. Group, Inc. v. SAP Am., Inc., 793 F.3d 1306, 1334, 115 USPQ2d 1681, 1701 (Fed. Cir. 2015). Presenting offers and gathering statistics, OIP Techs., 788 F.3d at 1362-63, 115 USPQ2d at 1092-93.
With respect to claims 11-15, the limitations are directed towards further defining the elements identified in the claim limitations above which have been previously addressed.
With respect to claim 16-18, the limitations are directed towards additional elements that do not integrate the abstract idea into a practical application because they do not impose a meaningful limit on the judicial exception and provide only insignificant extra solution activity that is mere data gathering in conjunction with the abstract idea.
For example, with respect to “generating and outputting a visualization”, the courts have found limitations directed towards presenting to be well-understood, routine, and conventional. See MPEP 2106.05(d)(II). Presenting offers and gathering statistics, OIP Techs., 788 F.3d at 1362-63, 115 USPQ2d at 1092-93.
With respect to “receiving… approval of the proposal”, “providing the at least one feature to 1/5 trains a machine learning tool,” and “receiving the proposal”, the courts have found limitations directed towards data gathering to be well-understood, routine, and conventional. See MPEP 2106.05(d)(II). Receiving or transmitting data over a network, e.g., using the Internet to gather data, Symantec, 838 F.3d at 1321, 120 USPQ2d at 1362 (utilizing an intermediary computer to forward information).
With respect to “applying the update to the implementation database”, the courts have found limitations directed towards storing to be well-understood, routine, and conventional. See MPEP 2106.05(d)(II). Electronic recordkeeping, Alice Corp. Pty. Ltd. v. CLS Bank Int'l, 573 U.S. 208, 225, 110 USPQ2d 1984 (2014) (creating and maintaining "shadow accounts") and “storing and retrieving information in memory, Versata Dev. Group, Inc. v. SAP Am., Inc., 793 F.3d 1306, 1334, 115 USPQ2d 1681, 1701 (Fed. Cir. 2015).
Claim 18 recites a fifth trained machine learning tool. This is recited at a high level and comprises generic computer functions.
With respect to claim 19, the limitation of “applying a regular expression pattern”, as drafted, is a process that, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components. That is, nothing in the claim element precludes the step from practically being performed in the mind. For example, “applying” in the context of this claim encompasses the user mentally analyzing data. The limitation of “identifying text” and “identifying a respective content of the features”, as drafted, is a process that, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components. That is, nothing in the claim element precludes the step from practically being performed in the mind. For example, “identifying” in the context of this claim encompasses the user analyzing data.
If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components, then it falls within the “Mental Processes” grouping of abstract ideas. Accordingly, the claim recites an abstract idea.
At step 2a, prong two, this judicial exception is not integrated into a practical application. The claim recites “writing records to an auxiliary database.” These elements do not integrate the abstract idea into a practical application because they do not impose a meaningful limit on the judicial exception and provide only insignificant extra solution activity that is mere data gathering in conjunction with the abstract idea.
The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional elements amount to no more than mere instructions to apply an exception using generic computer components. Mere instructions to apply an exception using generic computer components cannot provide an inventive concept.
With respect to “writing records to an auxiliary database”, the courts have found limitations directed towards storing to be well-understood, routine, and conventional. See MPEP 2106.05(d)(II). Electronic recordkeeping, Alice Corp. Pty. Ltd. v. CLS Bank Int'l, 573 U.S. 208, 225, 110 USPQ2d 1984 (2014) (creating and maintaining "shadow accounts") and “storing and retrieving information in memory, Versata Dev. Group, Inc. v. SAP Am., Inc., 793 F.3d 1306, 1334, 115 USPQ2d 1681, 1701 (Fed. Cir. 2015).
With respect to claims 21 and 22, the limitations further define elements discussed in prior claims and do not include additional elements that are sufficient to amount to significantly more than the judicial exception.
With respect to claim 23, the limitations are directed to “determining… a subset of the entries providing optimal coverage” under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components. That is, nothing in the claim element precludes the step from practically being performed in the mind. For example, “determining” in the context of this claim encompasses the user analyzing data.
If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components, then it falls within the “Mental Processes” grouping of abstract ideas. Accordingly, the claim recites an abstract idea.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 1, 3, and 4 are rejected under 35 U.S.C. 103 as being unpatentable over Bulut et al. (US 2021/0357392), and further in view of Girulat, Jr. (US 10,528,545).
With respect to claim 1, Bulut teaches a computer-implemented method, comprising:
receiving a selection of a regulation having first and second versions, one of which is older than the other (Bulut, pa 0044, Document alignment aligns a current version of a regulation, such as NIST 800-53 Rev. 4, with an updated version of the regulation, such as NIST 800-53 Rev. 5.);
obtaining first and second directories of requirement records of the first and second versions respectively, each requirement record comprising respective data items for key and/or title (Bulut, pa 0054, Referring to the example of the system 100 of FIG. 4, the NIST Version 1 is retrieved from the mapping database 102. In the example of the system 150 of FIGS. 5 and 6, the NIST Version 1 is retrieved from the regulation repository 154, for example. The retrieved NIST Version 1 may be stored in the RAM 176 in FIG. 6 for processing in this and other processes described below, for example. When the mapping engine 162 learns that the NIST Version 2 is issued, such as from monitoring the NIST website, for example, it retrieves the NIST Version 2 from the website and stores it in the RAM 176 for processing in this and other processes described below, for example. It also stores the NIST Version 2 in the mapping database 102 in the system 100 of FIG. 4); and
for each first record of a group of the requirement records in the first directory, having respective first keys or first titles:
obtaining a respective first requirement portion of the first version (Bulut, pa 0055, A first set of control names in V1 and a second set of control names in V2, are collected from the first and second versions of the regulations, in Block 252 of FIG. 7A);
identifying a second requirement record in the second directory having: for a first case with the each first record having a respective first key, a second key matching the respective first key; or for a second case with the each first record having a respective first title, second title matching the respective first title (Bulut, pa 0054, When the mapping engine 162 learns that the NIST Version 2 is issued, such as from monitoring the NIST website, for example, it retrieves the NIST Version 2 from the website and stores it in the RAM 176 for processing in this and other processes described below, for example. It also stores the NIST Version 2 in the mapping database 102 in the system 100 of FIG. 4);
obtaining a second requirement portion of the second version from the second requirement record (Bulut, pa 0055, A first set of control names in V1 and a second set of control names in V2, are collected from the first and second versions of the regulations, in Block 252 of FIG. 7A. & pa 0063, The control descriptions in the first version V1 and the second version V2 are retrieved from the mapping database 102 in the system 100 of FIG. 4);
comparing the first requirement portion and the requirement portion (Bulut, pa 0055, An intersection of the first and second sets is computed, in Block 254. Intersecting elements, which are common to both sets, are marked as Retained and eliminated from the sets, in Block 256. Retained elements may be stored in a table in the RAM 176 or other such memory, for example & pa 0064, The texts of the corresponding control descriptions are compared, in Block 306.);
calculating, based on the comparing, a respective score indicating a quantitative amount of change between the first requirement portion and the second requirement portion (Bulut, pa 0065, Based on the comparison, in Block 306, it is determined whether there is a difference between the texts, in Block 308. If there is no difference (No in Block 308), then the control description in V2 is marked "0" for unchanged. If there is a difference (Yes in Block 308), then the control description is classified based on the magnitude of the difference as 1, 2, or 3, in Block 312, where "1" indicates a change with modified action (requirement of the control description is modified), "2" indicates a change with added action (the control description includes an added requirement), and "3" indicates a change with deleted actions (a requirement of the control description is deleted).); and
generating and outputting a visualization showing: for the first case, the first key or, for the second case, the first title; and the one or more measures (Bulut, pa 0097, Fig. 4 & 6, FIG. 14 is a flowchart 900 of an example of risk analysis, as performed in the risk analyzer block 116 of FIG. 4 by the risk analyzer module 200 in FIG. 6 … risk map is prepared for each control description of each mapped regulation and each baseline regulation that could impact a respective service owner 158, in Block 904, by an SME, for example. The risk mapping may quantify the risk on a scale, such as a scale from 1-10, for example. The mapping of control descriptions to the risk scale may be stored in the mapping reconstruction database 152, the regulation repository database 154, or another database, for example. After receiving an update to a mapped regulation or a baseline regulation, the risks due to the changed control descriptions are quantified and aggregated by considering the maximum risk of each changed control description, by the risk analyzer module 200, based on the risk mapping, in Block 906. The service owner is notified of the aggregated risk and the changed control descriptions, in Block 908.).
Bulut doesn't expressly discuss each requirement record comprising respective data items for key and/or title, and for one or more additional requirement portions for each of a group of the requirement records in the first directory, having respective first keys or first titles: obtaining respective first content of the first version; identifying a second requirement record in the second directory having a matching second key or a matching second title; obtaining second content of the second version from the second requirement record.
Girulat, Jr. teaches obtaining … requirement records of the first and second versions respectively, each requirement record comprising respective data items for key and/or title, and for one or more additional requirement portions (Girulat, Jr., Col. 6 Li. 12-16, the database record may represent a person, and may include the person's name, address, and phone number. Further, the database record may be associated with a unique identifier (e.g., a key value and/or index value).);
for each first record of a group of the requirement records…, having respective first keys or first titles (Girulat, Jr., Col. 6 Li. 16-20, The system may determine that the received update data item is associated with the database record because the update data item includes information that associates the update data item with the database record. For example, the update data item may include the unique identifier):
obtaining a respective first requirement portion of the first version (Girulat, Jr., Col. 6 Li. 1-4, At block 1002, the system receives update data items. Such update data items may include, for example, any changes to database records stored by the system in records database 162.);
identifying a second requirement record having:
for a first case with the each first record having a respective first key, a second key matching the respective first key; or for a second case with the each first record having a respective first title, second title matching the respective first title (Girulat, Jr., Col. 6 Li. 16-20, The system may determine that the received update data item is associated with the database record because the update data item includes information that associates the update data item with the database record. For example, the update data item may include the unique identifier);
obtaining second a requirement portion of the second version from the second requirement record (Girulat, Jr., Col. 6 Li. 23-26, The system may then determine that the update data item includes a new phone number for the person);
comparing the first requirement portion and the second requirement portion (Girulat, Jr., Col. 6 Li. 5-9, The system implements these update data items in the records database 162. For example, the system may compare information of the update data item to information of a corresponding database record of the records database 162.)
It would have been obvious at the effective filing date of the invention to a person having ordinary skill in the art to which said subject matter pertains to have modified Bulut with the teachings of Girulat, Jr. because it assists in identifying important data changes (Girulat, Jr., Col. 2 Li. 2-3).
With respect to claim 3, Bulut in view of Girulat, Jr. teaches the computer-implemented method of claim 2, further comprising: providing the first requirement portion and the second requirement portion to a fourth trained machine-learning tool; receiving, from the fourth trained machine-learning tool, a summary of the change between the first requirement portion and the second requirement portion; and outputting the summary for the given first requirement record (Bulut, pa 0066, Changes in control descriptions may also be identified and quantified by a semantic technique using machine learning. A machine learning model may be trained to capture whether a change from a first control description t; to a second control description 1t by using examples oft; and 1t that are converted into vectors that have previously been mapped to classifications described above, where 0 indicates no semantic change, I indicates change with modified action, 2 indicates a change with added actions, and 3 indicates a change with deleted actions.).
With respect to claim 4, Bulut in view of Girulat, Jr. teaches the computer-implemented method of claim 1, further comprising: retrieving second classifications of each of the requirement records in the second directory as new, updated, or unchanged over a third version of the regulation; determining first classifications of each of the requirement records in the first directory as new, updated, or unchanged over the second version, wherein the updated and the unchanged classifications are based on the comparing (Bulut, pa 0062, Changes in control descriptions, or the text of the regulation, may be determined by lexical and/or semantic textual comparison techniques, for example. In accordance with an embodiment of the disclosure, the changes may be classified based on whether there is a change and if so, the magnitude of the change. & pa 0065, If there is no difference (No in Block 308), then the control description in V2 is marked "0" for unchanged. If there is a difference (Yes in Block 308), then the control description is classified based on the magnitude of the difference as 1, 2, or 3, in Block 312, where "1" indicates a change with modified action (requirement of the control description is modified), "2" indicates a change with added action (the control description includes an added requirement), and "3" indicates a change with deleted actions (a requirement of the control description is deleted). & pa 0097, After receiving an update to a mapped regulation or a baseline regulation, the risks due to the changed control descriptions are quantified and aggregated by considering the maximum risk of each changed control description, by the risk analyzer module 200, based on the risk mapping, in Block 906. The service owner is notified of the aggregated risk and the changed control descriptions, in Block 908.); generating aggregated statistics correlating the first classifications and the second classifications; and outputting the aggregated statistics (Bulut, pa 0097, Fig. 4 & 6, FIG. 14 is a flowchart 900 of an example of risk analysis, as performed in the risk analyzer block 116 of FIG. 4 by the risk analyzer module 200 in FIG. 6 … risk map is prepared for each control description of each mapped regulation and each baseline regulation that could impact a respective service owner 158, in Block 904, by an SME, for example. The risk mapping may quantify the risk on a scale, such as a scale from 1-10, for example. The mapping of control descriptions to the risk scale may be stored in the mapping reconstruction database 152, the regulation repository database 154, or another database, for example. After receiving an update to a mapped regulation or a baseline regulation, the risks due to the changed control descriptions are quantified and aggregated by considering the maximum risk of each changed control description, by the risk analyzer module 200, based on the risk mapping, in Block 906. The service owner is notified of the aggregated risk and the changed control descriptions, in Block 908.).
With respect to claim 21, Bulut in view of Girulat, Jr. teaches the computer-implemented method of claim 1, wherein the respective score is calculated based on a first count of words in the first requirement portion, a second count of words added to the second requirement portion relative to the first requirement portion, and a third count of words deleted in the second requirement portion from the first requirement portion (Bulut, pa 0065, Based on the comparison, in Block 306, it is determined whether there is a difference between the texts, in Block 308. If there is no difference (No in Block 308), then the control description in V2 is marked "0" for unchanged. If there is a difference (Yes in Block 308), then the control description is classified based on the magnitude of the difference as 1, 2, or 3, in Block 312, where "1" indicates a change with modified action (requirement of the control description is modified), "2" indicates a change with added action (the control description includes an added requirement), and "3" indicates a change with deleted actions (a requirement of the control description is deleted).).
Claim 2 is rejected under 35 U.S.C. 103 as being unpatentable over Bulut in view of Girulat, Jr., and further in view of Massand (US 2014/0372370).
With respect to claim 2, Bulut in view of Girulat, Jr. teaches the computer-implemented method of claim 1, as discussed above. Bulut in view of Girulat, Jr. doesn't expressly discuss for a given first requirement record of the group: based on the comparing, generating a red-line version of the first requirement portion and the second requirement portion; and outputting the red-line version.
Massand teaches for a given first requirement record of the group: based on the comparing, generating a red-line version of the first requirement portion and the second requirement portion; and outputting the red-line version (Massand, pa 0055, display window 410 may be configured such that it displays comparison information (e.g., redline changes) between a section of content in document version 212 and the corresponding section of content in one or more of versions 214).
It would have been obvious at the effective filing date of the invention to a person having ordinary skill in the art to which said subject matter pertains to have modified Bulut in view of Girulat, Jr. because assists users (e.g., reviewer users) in identifying and reviewing different versions of documents (Massand, pa 0044).
Claims 5 and 6 are rejected under 35 U.S.C. 103 as being unpatentable over Bulut et al. (US 2021/0357392), and further in view of Pondicherry Murugappan et al. (US 2020/0111023).
With respect to claim 5, Bulut teaches one or more computer-readable media storing instructions which, when executed on one or more hardware processors, cause the one or more hardware processors to perform operations for mapping a regulation to an organization’s implementation database, wherein the regulation comprises a plurality of requirements including: controls; and sub-controls of respective controls (Bulut, pa 0026, the regulations are mapped to the security framework, which is mapped to the control set. The control set is mapped to the implementations. & pa 0029, example of a portion of a regulation version 1 or V1, including Paragraph 1A and sub-paragraphs 1A-1-1A5. Sub paragraphs 1A-5 includes sections 1A-5(1)-1A-5(3). Section 1A-5(1) includes sub-sections 1A-5(1) a-1A-5(1) c. Examiner note: sub-paragraphs are sub controls); wherein entries of the implementation database describe the organization’s implementation of items relevant to the requirements (Bulut, pa 0031, A mapping database 102 includes one or more current mappings including one or more baseline regulations and regulatory implementations. The mapping database 102 or another database may include a library of regulations and standards, and a listing of service owners subscribing to a service for receiving updated mappings); and wherein the operations comprise:
(a) identifying a plurality of the controls within the regulation (Bulut, Fig. 3A & pa 0029, FIG. 3A is a schematic representation of an example of a portion of a regulation version 1 or V1, including Paragraph 1A and sub-paragraphs 1A-1-1A5. Sub paragraphs 1A-5 includes sections 1A-5(1)-1A-5(3). Section 1A-5(1) includes sub-sections 1A-5(1) a-1A-5(1) c.);
(b) for each of the identified controls, storing, in an extraction database (Bulut, pa 0037, A regulation repository 154 is configured to store and maintain past and present regulations that are included in the mappings in the mapping database 152. The regulation repository 154 is also configured to store updated versions of the regulations already stored in the regulation repository.), a respective first record comprising: a first key, a title, and a first content data item (Bulut, pa 0053-0054, identifying changes in control names between a first set of control names in a first regulation, such as NIST Version 1 ("V1"), … the NIST Version 1 is retrieved from the regulation repository 154);
(c) identifying one or more of the sub-controls (Bulut, pa 0029, example of a portion of a regulation version 1 or V1, including Paragraph 1A and sub-paragraphs 1A-1-1A5. Sub paragraphs 1A-5 includes sections 1A-5(1)-1A-5(3). Section 1A-5(1) includes sub-sections 1A-5(1) a-1A-5(1) c. Examiner note: sub-paragraphs are sub controls);
(d) for each of the identified sub-controls, storing, in the extraction database (Bulut, pa 0037, A regulation repository 154 is configured to store and maintain past and present regulations that are included in the mappings in the mapping database 152. The regulation repository 154 is also configured to store updated versions of the regulations already stored in the regulation repository.), a respective second record comprising:
a second key and a second content data item (Bulut, Fig. 3A & pa 0029, FIG. 3A is a schematic representation of an example of a portion of a regulation version 1 or V1, including Paragraph 1A and sub-paragraphs 1A-1-1A5. Sub paragraphs 1A-5 includes sections 1A-5(1)-1A-5(3). Section 1A-5(1) includes sub-sections 1A-5(1) a-1A-5(1) c.); and
mapping the requirements of the regulation to the organization’s implementation, by:
for each of a plurality of the requirements having a respective key among the first keys and the second keys (Bulut, pa 0054, When the mapping engine 162 learns that the NIST Version 2 is issued, such as from monitoring the NIST website, for example, it retrieves the NIST Version 2 from the website and stores it in the RAM 176 for processing in this and other processes described below, for example. It also stores the NIST Version 2 in the mapping database 102 in the system 100 of FIG. 4 or the regulation repository 154 in the system 150 of FIG. 5. & pa 0076, The numerical representations are then compared to numerical representations of each unmapped control description of the mapped regulations, in Block 404.):
(e) determining matching scores of respective entries in the implementation database; (f) ranking the entries according to the matching scores; (g) selecting a highest-ranking subset of the entries (Bulut, pa 0077, The top N matches are selected as potential links from the added control description in the baseline to the unmapped control descriptions of the mapped regulations in the compliance mapping, in Block 406);
(h) outputting the respective key (Bulut, pa 0078, Top N selections are reviewed by an SME who confirms which potential links should be added to the compliance mapping).
Bulut doesn't expressly discuss outputting, for each entry in the highest-ranking subset, an identifier of the entry and the respective matching score.
Pondicherry Murugappan teaches outputting, for each entry in the highest-ranking subset, an identifier of the entry and the respective matching score (Pondicherry Murugappan, pa 0050, the GUI 900 shows the confidence levels between a received input document and the various Foreign Account Tax Compliance Act (FATCA) regulation documents.).
It would have been obvious at the effective filing date of the invention to a person having ordinary skill in the art to which said subject matter pertains to have modified Bulut with the teachings of Pondicherry Murugappan because it identifies documents from the regulatory text corpus that are relevant to the received domain-specific document (Pondicherry Murugappan, pa 0020).
With respect to claim 6, Bulut in view of Pondicherry Murugappan teaches the one or more computer-readable media of claim 5, wherein operation (e) comprises: calculating a second score between the content of the respective requirement and the given entry using a semantic search procedure; calculating a first score between content of the respective requirement and a given one of the entries using a keyword search procedure; calculating the matching score of the given entry based on the first score and the second score (Bulut, pa 0062, Changes in control descriptions, or the text of the regulation, may be determined by lexical and/or semantic textual comparison techniques & pa 0065, If there is no difference (No in Block 308), then the control description in V2 is marked "0" for unchanged. If there is a difference (Yes in Block 308), then the control description is classified based on the magnitude of the difference as 1, 2, or 3, in Block 312, where "1" indicates a change with modified action (requirement of the control description is modified), "2" indicates a change with added action (the control description includes an added requirement), and "3" indicates a change with deleted actions (a requirement of the control description is deleted). & Pondicherry Murugappan, Fig. 9 & pa 0050, the GUI 900 shows the confidence levels between a received input document and the various Foreign Account Tax Compliance Act (FATCA) regulation documents. The data processing system 100 can be employed for analyzing a new regulatory document for a new jurisdiction and to identify relationships between the documents and similarities between the regulations and commonalities. Such similarities can be used to identify patterns in regulations issued in different jurisdictions across the globe.).
It would have been obvious at the effective filing date of the invention to a person having ordinary skill in the art to which said subject matter pertains to have modified Bulut with the teachings of Pondicherry Murugappan because it identifies related documents (Pondicherry Murugappan, pa 0050).
Claims 7-9, 11, and 15-17 are rejected under 35 U.S.C. 103 as being unpatentable over Bulut et al. (US 2021/0357392), and further in view of Lim (US 2008/0060051).
With respect to claim 7, Bulut teaches a system, comprising: one or more hardware processors, with memory coupled thereto; and computer-readable media storing instructions which, when executed by the one or more hardware processors, causes the one or more hardware processors to perform operations comprising:
analyzing coverage of a regulation by an organization (Bulut, pa 0047, A risk analyzer module 200 may be provided to determine a compliance risk associated with each change in the mapping and gaps in the mapping due to changes in regulations, as in block 116 of FIG. 4. The risk analyzer module walks through the compliance mapping to find such gaps, which may be caused by controls being missing after the change), the system thereby configured to identify gaps between the regulation in the organization’s implementation, by:
(a) determining respective coverage scores between a plurality of features of the regulation and a plurality of entries of the organization’s implementation database (Bulut, pa 0065, Based on the comparison, in Block 306, it is determined whether there is a difference between the texts, in Block 308. If there is no difference (No in Block 308), then the control description in V2 is marked "0" for unchanged. If there is a difference (Yes in Block 308), then the control description is classified based on the magnitude of the difference as 1, 2, or 3, in Block 312, where "1" indicates a change with modified action (requirement of the control description is modified), "2" indicates a change with added action (the control description includes an added requirement), and "3" indicates a change with deleted actions (a requirement of the control description is deleted).);
for each of the features:
(b) determining a classification indicating a degree of coverage of the respective feature by one or more of the entries of the implementation database (Bulut, pa 0062, Changes in control descriptions, or the text of the regulation, may be determined by lexical and/or semantic textual comparison techniques, for example. In accordance with an embodiment of the disclosure, the changes may be classified based on whether there is a change and if so, the magnitude of the change. & pa 0065, If there is no difference (No in Block 308), then the control description in V2 is marked "0" for unchanged. If there is a difference (Yes in Block 308), then the control description is classified based on the magnitude of the difference as 1, 2, or 3, in Block 312, where "1" indicates a change with modified action (requirement of the control description is modified), "2" indicates a change with added action (the control description includes an added requirement), and "3" indicates a change with deleted actions (a requirement of the control description is deleted). & pa 0097, After receiving an update to a mapped regulation or a baseline regulation, the risks due to the changed control descriptions are quantified and aggregated by considering the maximum risk of each changed control description, by the risk analyzer module 200, based on the risk mapping, in Block 906. The service owner is notified of the aggregated risk and the changed control descriptions, in Block 908.); and (c) generating and outputting a visualization based on the classifications of the features (Bulut, pa 0097, Fig. 4 & 6, FIG. 14 is a flowchart 900 of an example of risk analysis, as performed in the risk analyzer block 116 of FIG. 4 by the risk analyzer module 200 in FIG. 6 … risk map is prepared for each control description of each mapped regulation and each baseline regulation that could impact a respective service owner 158, in Block 904, by an SME, for example. The risk mapping may quantify the risk on a scale, such as a scale from 1-10, for example. The mapping of control descriptions to the risk scale may be stored in the mapping reconstruction database 152, the regulation repository database 154, or another database, for example. After receiving an update to a mapped regulation or a baseline regulation, the risks due to the changed control descriptions are quantified and aggregated by considering the maximum risk of each changed control description, by the risk analyzer module 200, based on the risk mapping, in Block 906. The service owner is notified of the aggregated risk and the changed control descriptions, in Block 908.).
Bulut doesn't expressly discuss wherein the entries of the implementation database describe the organizations implementation of items relevant to the features of the regulation.
Lim teaches the entries of the implementation database describe the organizations implementation of items relevant to the features of the regulation (Lim, pa 0330, a plurality of policy objects in the policy object layer implements information usage control on a computer system, where a policy enforcer (discussed elsewhere in this application) detects usage of information, evaluates policies (or rules) specified by the policy objects, and enforces policies according to outcomes of policy evaluation., pa 0413, a policy rule can also contain directives that provide instructions to a policy engine (e.g., a policy engine in a policy enforcer or a policy engine in a policy decision server) to assist in policy evaluation and provide instructions to policy deployment module (typically a part of a policy server) to assist in policy deployment. & pa 0415, the rules may be managed using the policy server and held in the policy repository.)
It would have been obvious at the effective filing date of the invention to a person having ordinary skill in the art to which said subject matter pertains to have modified Bulut with the teachings of Lim because it provides overall control and synchronization of policy objects (Lim, pa 0064 & 0417).
With respect to claim 8, Bulut in view of Lim teaches the system of claim 7, wherein the features encompass all identified features of the regulations and the operations further comprise: based on the coverage scores, identifying those features which are not covered by the entries (Bulut, pa 0057, Control names in the second set V2 that are not in the first set are marked as Potentially Added and put in a second bucket or list, in Block 260); and outputting data of the identified features (Bulut, pa 0057, The second bucket or list may be stored in the RAM 176 or other such memory, for example).
With respect to claim 11, Bulut in view of Lim teaches the system of claim 7, wherein the regulation is a second version, and the features of operation (a) encompass all features of the second version which are new or augmented from an earlier first version of the regulation (Bulut, pa 0055, A first set of control names in V1 and a second set of control names in V2, are collected from the first and second versions of the regulations & pa 0057, Control names in the second set V2 that are not in the first set are marked as Potentially Added and put in a second bucket or list, in Block 260).
With respect to claim 15, Bulut in view of Lim teaches the system of claim 7, wherein the classifications of the features are selected from a set of available classifications, and the visualization provides, for each classification in the set, an aggregate measure of the features assigned that classification (Bulut, pa 0080, The added control descriptions are classified by the machine learning model by classifying or identifying potential links to the baseline regulation, in Block 430. The classifications are confirmed by an SME, in Block 432.).
With respect to claim 16, Bulut in view of Lim teaches the system of claim 7, wherein the operations further comprise, for at least one feature not classified as covered: generating and outputting a proposal for an update to the implementation database to provide coverage for the at least one feature (Bulut, pa 0097, The service owner is notified of the aggregated risk and the changed control descriptions, in Block 908. & pa 0098, auto-remediation on a system of a respective service owner 122 may also optionally be performed. Whether to perform auto-remediation may be determined based on the results of the risk analysis, if requested by a respective service owner. Examiner note: this indicates auto-remediation may not always be performed, requiring further input by a user to provide coverage for the feature).
With respect to claim 17, Bulut in view of Lim teaches the system of claim 16, wherein the operations further comprise: receiving, on a graphical user interface, approval of the proposal; and applying the update to the implementation database (Bulut, pa 0036, A respective service owner may have a policy that auto-remediation is to be performed with respect to updated baseline regulations 54 and/or updated mapped regulations 52 if the update presents a high risk, as defined in the risk analyzer block 124, for example. What is considered to be a high risk may also be determined by the service owner. Examiner note: this shows that anything not considered as high risk can be remediated according to the service owner specifications).
With respect to claim 23, Bulut in view of Lim teaches the system of claim 7, further comprising:
determining, based on at least some of the classifications, a subset of the entries providing optimal coverage of a given one of the features (Bulut, pa 0097, After receiving an update to a mapped regulation or a baseline regulation, the risks due to the changed control descriptions are quantified and aggregated by considering the maximum risk of each changed control description, by the risk analyzer module 200, based on the risk mapping, in Block 906. The service owner is notified of the aggregated risk and the changed control descriptions, in Block 908.).
Claim(s) 12 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Bulut in view of Lim, and further in view of Halko et al. (US 2023/0334025).
With respect to claim 12, Bulut in view of Lim teaches the system of claim 7, as discussed above. Bulut in view of Lim doesn't expressly discuss wherein the classification is selected from a group comprising: a first class, indicating that the coverage is greater than or equal to a first threshold; a second class, indicating that the coverage is less than the first threshold and greater than or equal to a second threshold; and a third class, indicating that the coverage is less than the second threshold.
Halko teaches wherein the classification is selected from a group comprising: a first class, indicating that the coverage is greater than or equal to a first threshold; a second class, indicating that the coverage is less than the first threshold and greater than or equal to a second threshold; and a third class, indicating that the coverage is less than the second threshold (Halko, pa 0025, exact match, fuzzy match, no match, the matching rules 124 define the subsets of fields of data records 110 in the database 106 that need to match in order for the two or more records to match, and whether those fields must be matched exactly or fuzzy. For example, a matching rule to identify related records 110 associated with the same person or contact may be defined to require a fuzzy match on a first name field of the records 110, a fuzzy match on a last name field of the records 110, and an exact match on an email field of the records 110. The matching rules 124 may also define fuzzy match criteria for the fuzzy matched fields, that is, what degree of similarity is required between two different values to be a fuzzy match (e.g., similarity in spelling, pronunciation or homophones, and/or the like).).
It would have been obvious at the effective filing date of the invention to a person having ordinary skill in the art to which said subject matter pertains to have modified Bulut in view of Lim with the teachings of Halko because it identifies data that are likely to be related to the same entity (Halko, pa 0017).
With respect to claim 13, Bulut in view of Lim and Halko teaches the system of claim 12, wherein the first threshold is 100% (Halko, pa 0025, exact match).
Claim 14 is rejected under 35 U.S.C. 103 as being unpatentable over Bulut in view of Lim, and further in view of Straus (US 8,209,278).
With respect to claim 14, Bulut in view of Lim teaches the system of claim 7, as discussed above. Bulut in view of Lim doesn't expressly discuss wherein the visualization individually lists each of the features and its highest coverage score.
Straus teaches wherein the visualization individually lists each of the features and its highest coverage score (Straus, Fig. 3, feature is document name, coverage score is frequency of document type in kind of project and document kind in project).
It would have been obvious at the effective filing date of the invention to a person having ordinary skill in the art to which said subject matter pertains to have modified Bulut in view of Lim with the teachings of Straus because it can be useful in determining what data needs added or omitted (Straus, Col. 7 Li. 9-48).
Claim 18 is rejected under 35 U.S.C. 103 as being unpatentable over Bulut in view of Lim, and further in view of Milind et al. (US 2023/0306134).
With respect to claim 18 , Bulut in view of Lim teaches the system of claim 16, wherein the generating comprises: providing the at least one feature to a fifth trained machine-learning tool (Bulut, pa 0066, Changes in control descriptions may also be identified and quantified by a semantic technique using machine learning. A machine learning model may be trained to capture whether a change from a first control description t; to a second control description 1t by using examples oft; and 1t that are converted into vectors that have previously been mapped to classifications). Bulut doesn't expressly discuss receiving the proposal from the fifth trained machine-learning tool.
Milind teaches receiving the proposal from the fifth trained machine-learning tool (Milind, pa 0096, At Operation 415, the process change module 130 processes the plurality of tags (e.g., the output generated by the first machine-learning model) using a second machine-learning model to generate one or more additional tags identifying applicable domains and/or applicable jurisdictions in which the change to the regulatory framework applies. & pa 0098, Once the process change module 130 has identified the various tags for the change to the regulatory framework, the process change module 130 outputs the tags in Operation 420. As previously noted, the change detection computing system 100 can then use the tags in identifying computing systems 180 of various entities that are affected by the change to the regulatory framework.)
It would have been obvious at the effective filing date of the invention to a person having ordinary skill in the art to which said subject matter pertains to have modified Bulut in view of Lim with the teachings of Milind because it provides data that indicates the subject matter of the change (Milind, pa 0095).
Claim 19 is rejected under 35 U.S.C. 103 as being unpatentable over Bulut in view of Lim, and further in view of Gutierrez et al. (US 2022/0309037).
With respect to claim 19, Bulut in view of Lim teaches the system of claim 7, as discussed above. Bulut in view of Lim doesn't expressly discuss prior to operation (a), extracting at least some of the features by: applying a regular expression pattern to identify keys of the features; identifying text following the keys as respective titles of the features; identifying respective content of the features following the respective titles; and writing records to an auxiliary database, each record comprising: the key, the title, and a content data item of a respective feature.
Gutierrez teaches prior to operation (a), extracting at least some of the features by: applying a regular expression pattern to identify keys of the features; identifying text following the keys as respective titles of the features; identifying respective content of the features following the respective titles; and writing records to an auxiliary database, each record comprising: the key, the title, and a content data item of a respective feature (Gutierrez, pa 0422, The analytics server parses the words displayed within the GUI 2300. The analytics server may execute various analytical protocols (e.g., computer vision, natural language processing, regex protocols, etc.) to identify the physical address 2310 as a physical address. The analytics server may then use the physical address as, or generate a new, unique ID for the physical address 2310. The analytics server may then query the nodal data structure to identify context data related to the unique ID corresponding to the physical address 2310.).
It would have been obvious at the effective filing date of the invention to a person having ordinary skill in the art to which said subject matter pertains to have modified Bulut in view of Lim with the teachings of Gutierrez because it does not require users to manually identify related data (Gutierrez, pa 0006).
Claim 22 is rejected under 35 U.S.C. 103 as being unpatentable over Bulut in view of Pondicherry Murugappan, and further in view of Gates et al. (US 12,248,974).
With respect to claim 22, Bulut in view of Pondicherry Murugappan teaches the one or more computer-readable media of claim 6, as discussed above. Bulut in view of Pondicherry Murugappan doesn't expressly discuss wherein the matching score is calculated as a reciprocal rank fusion of a plurality of individual scores including at least the first score and the second score.
Gates teaches wherein the matching score is calculated as a reciprocal rank fusion of a plurality of individual scores including at least the first score and the second score (Gates, Col. 12 Li. 15-17, Traditional methods require the integration of diverse ranking factors, … through the use of a rank-fusion algorithm (e.g., reciprocal rank fusion)).
It would have been obvious at the effective filing date of the invention to a person having ordinary skill in the art to which said subject matter pertains to have modified Bulut in view of Pondicherry Murugappan with the teachings of Gates because it combines multiple ranking criteria into a unified ranking score (Gates, Col. 12 Li. 15-21).
Response to Arguments
35 U.S.C. 101
Applicant argues that the present claims are eligible because they are applications of artificial intelligence that apply innovative technical approaches to reduce labor required to develop an understanding and reach decisions. The Examiner respectfully disagrees. Applicant has pointed to portions of the specification, however, it is not clear how these elements are reflected in the claim language.
Applicant argues that claim 7 is not directed to an abstract idea because the recited features of (a)-(c) provide the rationale relied on by the Federal Circuit in McRO, improving the relevant technology. The Examiner respectfully disagrees. McRO’s specific rules were rules that enabled modification of specific automation tasks that previously could not be automated. These rules “improved the existing technological process”, rather than merely using the computer as a tool to automate conventional activity. See MPEP 2106.04(a). Analyzing data and outputting a visualization, as in steps (a)-(c), does not improve existing technological processes.
Applicant argues, on pg. 10 part II B, that the previous OA errs in using a "mental process" rationale to deny eligibility as a practical application at step 2A Prong Two because the limitation “analyzing coverage” is not a mental process. The Examiner respectfully disagrees. The previous OA 10/31/25 discusses the mental process elements and states that it does not provide additional elements under step 2A Prong Two that integrate the abstract idea into a practical application. See Final Office action 10/31/25 page 39. In order to be eligible under 35 U.S.C. 101, there must be additional limitations in the claim that integrate the abstract idea into a practical application.
With respect to the intended use recitation, the amendment has resolved this issue, however, to “identify” is a further mental process step, as explained above.
Applicant argues that claim 7 is not considered as a whole as required by the PEG Oct 19. The Examiner respectfully disagrees. The Office's current eligibility guidance is found in the Manual of Patent Examination Procedure (MPEP) Sections 2103 through 2106.07(c). The Ninth Edition, Revision 10.2019 of the MPEP (revised June 2020) incorporated the October 2019 Patent Eligibility Guidance Update. The limitations containing the judicial exception as well as the additional elements in the claim besides the judicial exception do not provide limitations that integrate the judicial exception into a practical application. The way in which the additional elements use or interact with the exception do not integrate the judicial exception into a practical application. The identified additional elements provided by the generated and output visualization does not appear integrate the mental process into a practical application beyond mere outputting data found to be well-understood, routine, and conventional by the courts.
35 U.S.C. 103
With respect to claim 1, Applicant seems to argue a newly amended limitation. With respect to the amendment specifying “one or more additional requirement portions” that later requires first and second keys, Applicant’s amendment has rendered the previous rejection moot. Upon further consideration of the amendment, a new grounds of rejection is made in view of Girulat, Jr. (US 10,528,545).
Applicant argues that Bulut fails to teach "calculating, based on the comparing, a respective score indicating a quantitative amount of change between the first requirement portion and the second requirement portion" because Bulut does not indicate a quantitative amount of change. The Examiner respectfully disagrees. Bullet states that the if there is no difference, the control description is marked with the zero for unchanged. In contrast if there is a change it is marked 1, 2, or 3. This alone provides information that there was a quantitative change from nothing to something. Bullet goes on to say that the control description is classified based on the magnitude of the difference which is provided by the indications 1, 2, or 3. These correspond to the modified action, and added action, or a deleted action, to the control description. These different changes have been assigned the magnitude of the 1, 2, or 3, because the number in itself represents how important the change is to the control description requirement. Further, bullet discloses quantifying risks due to the changed control descriptions that consider the maximum risk of each changed control description (pa 0097). This further provides a score indicating a quantitative measure of change between the control description and the changed control description.
With respect to claim 5, Applicant argues that Bulut fails to teach “mapping the requirements of the regulation to the organizations implementation” because Bulut’s “regulation” and claimed “organizations implementation” of the claims are different. The Examiner respectfully disagrees. A mapping database 102 includes one or more current mappings including one or more baseline regulations and regulatory implementations. The mapping database 102 or another database may include a library of regulations and standards, and a listing of service owners subscribing to a service for receiving updated mappings (Bulut, pa 0031). The listing of service owners provides an organization that implements the regulation because the service owners are sent to the notifications about changes to this regulation (Bulut, pa 0035). The system knows where to send a notification about an update to a particular regulation because of the mapping between the service owner and the particular regulation. The system also knows how to apply auto-remediation for updated control descriptions by checking actual states in a respective regulation against an expected state to determine if the update has been implemented (pa 0036). The correspondence between the particular regulation and the service owner provide the claimed “mapping.”
With respect to claim 7, Applicant argues that Bulut fails to teach “gaps between the regulatory document and the organizations implementation” because the previous action conflates a regulatory document with an organization’s implementation. The Examiner respectfully disagrees. A mapping database 102 includes one or more current mappings including one or more baseline regulations and regulatory implementations. The mapping database 102 or another database may include a library of regulations and standards, and a listing of service owners subscribing to a service for receiving updated mappings (Bulut, pa 0031). The listing of service owners provides an organization that implements the regulation because the service owners are sent to the notifications about changes to this regulation (Bulut, pa 0035).
Applicant argues that Bulut fails to teach “analyzing coverage of a regulation by an organization” and associated limitations (a) and (b) because Bulut’s updating of a compliance mapping deals only with regulations and not with any organizations implementation. The Examiner respectfully disagrees. At a time prior to a current update, control descriptions corresponding to respective service owners 158 (FIG. 5) that are impacted by the changes are identified by the risk analyzer module 200, in Block 902 (Bulut, pa 0097). Since control descriptions describe regulations (Bulut, pa 0062), the analysis of control descriptions corresponding the respective service owners impacted by changes provides an analysis of coverage of a regulation by an organization.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to BRITTANY N ALLEN whose telephone number is (571)270-3566. The examiner can normally be reached M-F 9 am - 5:00 pm EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Sherief Badawi can be reached at 571-272-9782. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/BRITTANY N ALLEN/ Primary Examiner, Art Unit 2169