DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Specification
The specification has not been checked to the extent necessary to determine the presence of all possible minor errors. Applicant’s cooperation is requested in correcting any errors of which applicant may become aware in the specification.
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The filing of a terminal disclaimer by itself is not a complete reply to a nonstatutory double patenting (NSDP) rejection. A complete reply requires that the terminal disclaimer be accompanied by a reply requesting reconsideration of the prior Office action. Even where the NSDP rejection is provisional the reply must be complete. See MPEP § 804, subsection I.B.1. For a reply to a non-final Office action, see 37 CFR 1.111(a). For a reply to final Office action, see 37 CFR 1.113(c). A request for reconsideration while not provided for in 37 CFR 1.113(c) may be filed after final for consideration. See MPEP §§ 706.07(e) and 714.13.
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The actual filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/apply/applying-online/eterminal-disclaimer.
Claim 1 is rejected on the ground of nonstatutory double patenting as being unpatentable over claims 25 and 32 of Williams et al., US 12,039,546.
Although the claims at issue are not identical, they are not patentably distinct from each other because rejected claim 1 achieves a non-distinct outcome using the same computing structures.
Rejected claim 1 Parent claims 25 & 32
A method for implementing a continuous attestation program, comprising:
A method for implementing a continuous attestation program, comprising:
establishing a buyer account for a buyer in a cloud-based system;
25. establishing a buyer account for a buyer in a cloud-based system;
creating a plurality of supplier groups through the buyer account;
32 (25). creating a number of supplier groups through the buyer account;
assigning a plurality of sets of security requirements to the plurality of supplier groups through the buyer account, such that each of the plurality of supplier groups is assigned a different one of the plurality of sets of security requirements;
25. specifying a first set of security requirements for attestation by the first supplier
specifying a second set of security requirements for attestation by the second supplier;
adding at least one supplier to each of the plurality of supplier groups through the buyer account; and
32 (25). adding one or more suppliers to the supplier groups through the buyer account;
generating and transmitting data defining
a buyer interface to a buyer computing device through the buyer account,
the buyer interface showing the plurality of supplier groups,
the plurality of sets of security requirements assigned to the plurality of supplier groups, and
the suppliers added to the plurality of supplier groups.
32 (25). generating and transmitting data defining a buyer interface to a buyer computing device through the buyer account,
the buyer interface showing how many supplier groups of the buyer
Recited above.
Recited above.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claim 1 is rejected under 35 USC 101 because the claimed invention is directed to an abstract idea without adding significantly more.
When considering subject matter eligibility under 35 U.S.C. 101, it must be determined whether the claim is directed to one of the four statutory categories of invention, i.e., process, machine, manufacture, or composition of matter. If the claim does fall within one of the statutory categories, it must then be determined whether the claim is directed to a judicial exception (i.e., law of nature, natural phenomenon, and abstract idea), and if so, it must additionally be determined whether the claim is a patent-eligible application of the exception. If an abstract idea is present in the claim, any element or combination of elements in the claim must be sufficient to ensure that the claim amounts to either a practical application of the abstract idea or significantly more than the abstract idea itself. Groupings of abstract ideas include: Mathematical Concepts, Mental Processes and Certain Methods of Organizing Human Activity.
Certain Methods of Organizing Human Activity include:
Fundamental economic principles or practices,
Commercial or legal interactions (including agreements in the form of contracts; legal obligations; advertising, marketing or sales activities or behaviors; business relations), and
Managing personal behavior or relationships or interaction between people (including social activities, teaching and following rules or instructions).
Mathematical Concepts
Mathematical relationships
Mathematical formulas
Mathematical calculations
Mental Processes
Concepts performed in the human mind (including an observation, evaluation, judgement, opinion)
Step 1
In the instant case, claim 1 is directed to a process.
Step 2A Revised (First Prong)
Determine whether claim 1 is directed to a judicial exception. Elements of an abstract idea are underlined. See Analysis.
Step 2A Revised (Second Prong)
Determine whether claim 1 has additional elements (in italics) integrated into a practical application:
a) requires an additional element or a combination of elements in the claim to apply, rely on, or use the judicial exception in a manger that imposes a meaningful limit on the judicial exception, such that the claim is more than a drafting effort designed to monopolize the exception; and
b) uses the considerations laid out by the Supreme Court and the Federal Circuit to evaluate whether the judicial exception is integrated into a practical application.
See Analysis.
Step 2B (Revised)
In Step 2B, evaluate whether claim 1 recites additional elements that amount to an inventive concept that adds significantly more than the recited judicial exception. See Analysis.
Analysis
In Claim 1:
A method for implementing a continuous attestation program, comprising:
establishing a buyer account for a buyer in a cloud-based system;
creating a plurality of supplier groups through the buyer account;
assigning a plurality of sets of security requirements to the plurality of supplier groups through the buyer account, such that each of the plurality of supplier groups is assigned a different one of the plurality of sets of security requirements;
adding at least one supplier to each of the plurality of supplier groups through the buyer account; and
“generating and transmitting data defining a buyer interface to a buyer computing device through the buyer account, the buyer interface showing the plurality of supplier groups, the plurality of sets of security requirements assigned to the plurality of supplier groups, and the suppliers added to the plurality of supplier groups.”
Claim 1 executes methods that are directed to abstract ideas comprising processes that can be executed by a human while following a procedure that organizes human activity related to commercial interactions using conventional computing elements.
No evidence of an improvement to the functioning of a computer, or to any other technology or technical field.
No evidence exists in the instant specification or claims of a particular machine.
No evidence exists of a transformation or reduction of a particular article to a different state or thing.
The claim does not go beyond generally linking the use of the judicial exception to a particular technological environment, e.g. processor, device.
Claim 1, “generating and transmitting data …,” does not recite additional elements that amount to inventive concepts that are “significantly more” than the recited judicial exception. Courts have routinely found conventional computer processing functions (e.g. sending/receiving data, formatting data, storing data, retrieving data, manipulating data, calculating, searching data, displaying data, organizing data) insignificant to transform an abstract idea into a patent-eligible invention. See Alice, 134 S. Ct. at 2360. As such, the claims amount to nothing significantly more than an instruction to implement the abstract idea across a generic computer network which is not enough to transform an abstract idea into a patent-eligible invention.
The elements of the instant process, when taken in combination, together do not offer substantially more than the sum of the functions of the steps when each is taken alone. That is, the steps involved in the recited process undertake their roles in performance of their activities according to their generic functionalities which are well-understood, routine and conventional. The elements together execute in routinely and conventionally accepted coordinated manners and interact with their partner elements to achieve an overall outcome which, similarly, is merely the combined and coordinated execution of generic computer functionalities which are well-understood, routine and conventional activities previously known to the industry.
Conclusion
Accordingly, the examiner concludes there are no meaningful limitations in claim 1 that transform the judicial exception into a patent eligible application such that the claims amount to significantly more than the judicial exception itself.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claim 1 is rejected under 35 USC 103 as being unpatentable over Ngo et al., US 2017/0223059 “Ngo,” in view of De Armas, US 2020/0234817.
In Ngo see at least (underlined text is for emphasis):
Regarding claim 1: A method for implementing a continuous attestation program, comprising:
establishing a buyer account for a buyer in a cloud-based system;
Rejection is based upon the teachings applied to claim 1 by Ngo and further upon the combination of Ngo-De Armas
In Ngo:
[Ngo: 0019] In one exemplary embodiment, the appliance 101 is a rack-mountable (e.g., 1U) network appliance that can be installed and deployed at customers' site; in this manner, data security is in the customers' full control.
[Ngo: 0026] … In one embodiment, all activities relating to vendor remote access and remote control through one or more vendor portals 111 are recorded and can be audited to ensure compliance with the predetermined regulations.
[Ngo: 0035] … The customer can create and administer multiple such teams for multiple vendors. The vendor support agents in this scenario must use access credentials, privileges, and security policies set forth by the customer (step 223 of FIG. 2B). Please note: a) Customer qualifies as a buyer, and b) evidence that the customer who can create and administer teams of multiple vendors via customer’s Network Appliance 101 has an account.
Although Ngo a) audits vendor remote access through a global network, e.g. internet, to a customer’s system to ensure compliance with predetermined regulations, and b) permit a customer having an account to create/administer vendor accounts for teams of vendors and assign each user vendor access privileges/permissions and security policy, Ngo does not expressly mention operating in a cloud environment. De Armas on the other hand would have taught Ngo such techniques.
In De Armas see at least:
[De Armas: 0007] In one illustrative embodiment, a method is provided in a data processing system comprising at least one processor and at least one memory, the at least one memory comprising instructions which are executed by the at least one processor and configure the processor to implement a healthcare blockchain framework for continuous compliance auditing readiness and attestation in healthcare cloud solutions. The method comprises providing a healthcare blockchain framework to create, read, update, and delete elements of a healthcare compliance model supporting a dynamic allocation of cloud resources to a healthcare business network. Compliance with one or more healthcare regulations is built into the blockchain framework. The method further comprises responsive to an attestation event, reviewing, by a compliance attestation component within the healthcare blockchain framework, asset contents, state, and properties of an asset in a compliance repository. The method further comprises creating, by the compliance attestation component, a bottom-up asset manifest for the asset. The method further comprises comparing, by the compliance attestation component, the asset manifest to a test case corresponding to an asset class of the asset. The method further comprises validating, by the compliance attestation component, the asset against evidence rules corresponding to the asset class of the asset based on the comparison. The method further comprises responsive to the compliance attestation component validating the asset, generating a proof-of-validation certification.
De Armas: [0024] Companies have made a commitment and investment to transform the healthcare industry during the current era of digitization and cognitive insight. Because healthcare is such a regulated industry due to privacy, security, and sensitivity of data handled by automated solutions, a cloud platform interested in hosting healthcare workloads must overcome difficult technological challenges. Some of the challenges involve innovation in data management and cognitive insights, but many others will be more behind-the-scenes challenges, such as in the security, operational, and compliance arena. These are less obvious but nevertheless very important to the success of any cloud platform built to support a sustainable business that is compliant and secure.
[De Armas: 0128] Measured service: cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported providing transparency for both the provider and consumer of the utilized service.
[De Armas: 0135] Community cloud: the cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party and may exist on-premises or off-premises.
One of ordinary skill in the art before the effective filing date would have recognized that applying the known techniques of De Armas, which support a) continuous compliance auditing readiness and attestation in healthcare cloud solutions, and b) active user accounts, would have yielded predictable results and resulted in an improved system. It would have been recognized that applying the techniques of De Armas to the teachings of Ngo would have yielded predictable results because the level of ordinary skill in the art demonstrated by the references applied shows the ability to incorporate such data processing features into similar systems. Obviousness under 35 USC 103 in view of the Supreme Court decision KSR International Co. vs. Teleflex Inc.
Rejection is based upon the teachings and rationale applied to claim 1 by Ngo-De Armas and further upon the combination of Ngo-De Armas:
creating a plurality of supplier groups through the buyer account; assigning a plurality of sets of security requirements to the plurality of supplier groups through the buyer account, such that each of the plurality of supplier groups is assigned a different one of the plurality of sets of security requirements;
[Ngo: 0026] In certain embodiments, vendor portals 111 are created for providing remote access and remote control by the remote vendor system 117 to internal customer systems 115 and customer applications 109. For example, vendor agents' security policies can then be administered to control access rights, remote control permissions, and other parameters and guidelines. Consequently, the vendor support agents are provided with only the level of access to the respective systems 113, 115, and/or 117 that is required to service the systems effectively. In one embodiment, all activities relating to vendor remote access and remote control through one or more vendor portals 111 are recorded and can be audited to ensure compliance with the predetermined regulations.
[Ngo: 0035] By way of example, two approaches are described. One approach provides vendor presence in a customer environment 201 that includes the customer remote support system (e.g., facilitated by the customer's own network appliance 101). In this scenario (depicted in FIG. 2A and described with respect to process 220 of FIG. 2B), the vendor support agent accounts and restrictions are managed and provisioned on the customer's appliance 101 (step 221 of FIG. 2B). The customer administers a team of vendor support agent accounts that are used only by a specific vendor within the customer environment 201. The customer can create and administer multiple such teams for multiple vendors. The vendor support agents in this scenario must use access credentials, privileges, and security policies set forth by the customer (step 223 of FIG. 2B). This team created for vendor support agents serves as a component of the vendor presence on the customer system or appliance 101. The combination of team, restrictions, and access interfaces are components that make up the vendor portal 111 in this scenario. Please note: a) security policies qualify as security requirements, and b) vendor teams qualify as supplier groups.
adding at least one supplier to each of the plurality of supplier groups through the buyer account; and
Please note: Customer who provisions/administers accounts for multiple vendor teams is adding one or more vendor users and/or teams through the customer’s account, see Ngo.
generating and transmitting data defining a buyer interface to a buyer computing device through the buyer account, the buyer interface showing the plurality of supplier groups, the plurality of sets of security requirements assigned to the plurality of supplier groups, and the suppliers added to the plurality of supplier groups.
[Ngo: 0023] In this example, the representative system 113 provides, in certain embodiments, a remote vendor support mechanism that is secure and implemented in a turnkey fashion to one or more remote customers systems 115 via one or more vendor systems 117 over a data network 125 using the network appliance 101. By way of example, the data network 125 can be an internetwork, such as the global Internet, or a private network. The traffic between the representative system 113, the vendor representative system 117, and any customer system 115 is handled and managed at the network appliance 101. In an exemplary embodiment, the network appliance 101 is managed by an administrator 127, who can access the network appliance 101 using a graphical user interface (GUI), such as a web interface 111.
[Ngo: 0057] In an exemplary embodiment, the web interface 811 includes the following: (1) a network configuration web interface; (2) a User/Admin web interface which includes but not limited to user profile configuration, log reporting interface, and administrative user interface; (3) a support portal that provides, in an exemplary embodiment, front end survey and session key submission components; and (4) a customer satisfaction (exit) survey. According to one embodiment, the web interface provides functions for configuring the appliance 801 to be deployed and integrated into the network infrastructure of the installer. In one embodiment, all other interfaces can communicate through the MRSm 801a or to a storage module 801e directly.
[Ngo: 0065] Under this example, the representative system 803 and customer system 805 include operating systems 803a, 805a; backend components 803b, 805b; and GUIs 803c, 805c.
[Ngo: 0066] As for the GUI 803c, the representative system 803 can provide a number of interfaces depending on the applications. For instance, the GUI 803c can include a chat interface 803j, a file transfer interface 803k, a queue interface 803l, and a viewer 803m. In this example, the customer system 805 utilizes a chat interface 805j and a viewer 805k. The GUI 803c can include other interfaces such as remote command shell, system diagnostics, and system information to name a few. The GUI 805c can include application specific chooser interface to only allow specific application viewing.
Examiner’s Comments
A preamble typically describes the type of claim and describes the nature of the invention. The preamble of claim 1 does not limit claim1.
The body of claim 1 lacks subject matter necessary to implement a continuous attestation program. The body of the claim following the preamble is a self-contained description of the processes and does not depend on the preamble for completeness;
The preamble language does not provide antecedent basis for terms in the body of the claim; and
The preamble is not essential to understanding limitations or terms in the body of the claim;
Pertinent Prior Art
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
US 2019/0138729 (Blundell) “Remote Attestation of Cloud Infrastructure,” discloses: [0130] In yet another embodiment, when white-lists (which represent particular SLAs or data protection regulations and which may specify software permitted to run on the VM or cloud infrastructure) are registered with the distributed attestation system, the system will support continuous SLAs/regulations compliance inspections by constant attestation of the cloud infrastructure. Cloud customers or third-party auditors can further register event handlers, so that any violations of the white-list will be immediately dealt with in the manner specified in the event handler e.g. shutting down the VM and notifying the user.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ROBERT M POND whose telephone number is (571)272-6760. The examiner can normally be reached M-F, 8:30 AM-6:30 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Smith can be reached at 571-272-6763. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at
866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/ROBERT M POND/Primary Examiner, Art Unit 3688 November 28, 2025