Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This action is in response to the claims filed 10/09/2024. Claims 1-20 are pending. Claims 1 (a machine), 11 (a method), and 20 (a non-transitory CRM) are independent.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. The claim(s) recite(s) a mental process of formulating an opinion, see MPEP 2106.04(a).
As to claims 1, 11, and 20:
The claimed steps constitute the mental process of forming an opinion about ‘protection’:
…
map one or more portions of the plurality of documents to parameters for protecting the entity corresponding with a third party; (comparing data)
identify, based on the parameters for protecting the entity, one or more actionable tasks corresponding with at least one of the entity or the third party, wherein the one or more actionable tasks correspond with proof of one or more security postures of the entity; (thinking about problems)
generate,
The following steps constitute additional elements that implicate a generic computer:
one or more processing circuits comprising executable instructions to: MPEP 2106.04(a)(2).III.C.1: “performing a mental process on a generic computer”
receive, via at least one of a graphical user interface (GUI), an application programming interface (API), and one or more digital communication channels, a plurality of documents corresponding to an entity;
a GUI
provide, via at least one of the GUI, the API, or the one or more digital communication channels, the one or more user interface elements to at least one of an entity computing system or a third party computing system.
Under MPEP 2106.05(a).I, a generic “graphical user interface” is insufficient to show an improvement to computing. Under MPEP 2106.05(d), receiving and transmitting data, electronic recordkeeping, and web browser (GUI) functionality are well-understood, routine, and conventional.
This judicial exception is not integrated into a practical application because the claimed elements, individually and as a whole, do not improve the functioning of the computer, apply the determined actionable tasks, or utilize a particular machine. MPEP 2106.04(d). Thus, the claim as a whole merely applies the concept of ‘protection’ to a generic computer.
The claim(s) does/do not include additional elements that are sufficient to amount to significantly more than the judicial exception because the additional limitations, i.e., a GUI, are both well-understood in the art and analogous to pen and paper presentations/correspondence, and do not transform the mental process into an eligible one.
Examiner notes that several dependent claims indicate that the abstract idea of claims 1, 11, and 20 is more abstract than it appears. For example, claims 2 and 12 require the protection to be related to insurance, regulatory, or contractual parameters; human concepts that are distinct from management of technology. Additionally, claims 8 and 18 require that the “documents” are a “response plan of the entity”, i.e., written text for human consumption and mental processing.
As to the remainder of the dependent claims 2-7, 9, 10, 12-17, and 19, the claims further illustrate what information is to be presented in the ‘GUI’ or what is to be considered in the mental process and do not constitute significantly more than the abstract idea or a practical application thereof. Note as to claims 5 and 15 that “store … on a ledger” is merely a well-understood, routine, and conventional transmission of data as the claim does not implement the ledger itself.
Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.
Claim(s) 1-4, 7-14, and 17-20 is/are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Costin et al., US 2017/0034200 (published 2017).
As to claims 1, 11, and 20, Costin discloses a machine/method/CRM comprising:
one or more processing circuits comprising executable instructions to: (“a memory 320 coupled to the processor 322. The memory 320 may be non-transitory storage medium,” Costin ¶ 50)
receive, via at least one of a graphical user interface (GUI), an application programming interface (API), and one or more digital communication channels, a plurality of documents corresponding to an entity; (“In operation 402, the flaw server 102 may receive flaw data from a plurality of flaw sources 104. The plurality of flaw sources 104 may include proprietary and/or commercial flaw identification sources that are configured to identify flaws in one or more assets of an enterprise's IT system.” Costin ¶ 73)
map one or more portions of the plurality of documents to parameters for protecting the entity corresponding with a third party; (“upon receiving the flaw data, in operation 404, the flaw server 102 analyzes and correlates the flaw data to generate one flaw record per flaw for each asset of the enterprise's IT system based on correlation criteria.” Costin ¶ 74. See also ¶ 75-79)
identify, based on the parameters for protecting the entity, one or more actionable tasks corresponding with at least one of the entity or the third party, wherein the one or more actionable tasks correspond with proof of one or more security postures of the entity; (“the flaw server 102 can assign business rules, flaw related exceptions and/or remediation information (e.g., PoAM's) to each flaw record. Then, the flaw server 102 returns the flaw records, the flaw priority score of each flaw record, and/or flaw assignment information (exception, compliance, asset owner, stakeholder, service provider, etc.) of the flaw record to operation 406 of FIG. 4.” Costin ¶ 79. See Costin Fig. 6 discussing remediation tickets.)
generate, via the GUI, one or more user interface elements corresponding with the one or more actionable tasks; and (See Costin Figs. 7-8. “the ticketing system 108 may be configured to notify one or more users 110 regarding the various ticketing operations, escalate a remediation ticket, and/or remind a user 110 (e.g., service provider) about a remediation ticket based on a service level agreement.” Costin ¶ 89)
provide, via at least one of the GUI, the API, or the one or more digital communication channels, the one or more user interface elements to at least one of an entity computing system or a third party (“the term ‘stakeholder’ as used herein may generally refer to any informed third party who has security interest in an IT asset but does not own or maintain the IT asset. For example, the stakeholder may be a business partner or a customer.” Costin ¶ 34. See Costin ¶ 35) computing system. (“the dashboard 700 may be dynamically updated as and when new data associated with the flaw remediation management system is available at the flaw server 102.” Costin ¶ 91)
As to claims 2 and 12, Costin discloses the machine/method of claims 1 and 11 and further discloses: wherein the parameters for protecting the entity comprise at least one of insurability parameters, regulatory parameters, or contractual parameters. (“the term ‘stakeholder’ as used herein may generally refer to any informed third party who has security interest in an IT asset but does not own or maintain the IT asset. For example, the stakeholder may be a business partner or a customer.” Costin ¶ 34. Establishing ‘compliance’ as discussed throughout Costin.)
As to claims 3 and 13, Costin discloses the machine/method of claims 1 and 11 and further discloses:
determine, based on the one or more actionable tasks, a status corresponding with the entity being in compliance with the parameters for protecting; and (“the flaw server 102 can assign business rules, flaw related exceptions and/or remediation information (e.g., PoAM's) to each flaw record. Then, the flaw server 102 returns the flaw records, the flaw priority score of each flaw record, and/or flaw assignment information (exception, compliance, asset owner, stakeholder, service provider, etc.) of the flaw record to operation 406 of FIG. 4.” Costin ¶ 79. See Costin Fig. 6 discussing remediation tickets.)
update, via the GUI, at least one of the one or more user interface elements to display the status to at least one of the entity computing system and the third party computing system, (See Costin Fig. 7, status tracking with the PoAM as the top bullet point.) wherein updating occurs in real-time or near real time. (“as illustrated in FIG. 7, the dashboard 700 may be dynamically updated as and when new data associated with the flaw remediation management system is available at the flaw server 102.” Costin ¶ 91)
As to claims 4 and 14, Costin discloses the machine/method of claims 3 and 13, and further discloses:
identify a plurality of milestones corresponding with the entity being in compliance with a portion of the parameters for protecting; and (“as illustrated in FIG. 7, the dashboard 700 may be dynamically updated as and when new data associated with the flaw remediation management system is available at the flaw server 102.” Costin ¶ 91. See Costin Fig. 7, status tracking with the PoAM as the top bullet point.)
responsive to determining the entity being in compliance with the portion of the parameters for protecting, update, via the GUI, at least one of the one or more user interface elements to display at least one of the plurality of milestones. (“a remediation ticket is created, updated, and/or cancelled, the ticketing engine 325 updates the flaw database to indicate that a status of a remediation ticket assigned to flaw records associated with the work item.” Costin ¶ 69. “a work item may include flaw records for flaws 1-4 reported by the plurality of flaw sources 104. Accordingly, a work priority score of the work item may be calculated based on flaws 1-4. Later, flaws 1 and 2 may be remediated and the plurality of flaw sources 104 stop reporting flaws 1 and 2. In response, the work item is updated to remove flaw records associated with flaws 1 and 2. Further, the work priority score of the work item may be modified to reflect the removal of flaws 1 and 2. In said example, if the modified work priority score of the work item falls below the threshold score, a remediation ticket associated with the work item may be cancelled.” Costin ¶ 87)
As to claims 7 and 17, Costin discloses the machine/method of claims 1 and 11 and further discloses:
provide, via at least one of the GUI, the API, or the one or more digital communication channels, the one or more actionable tasks to the entity computing system of the entity or the third party computing system of the third party. (See Costin Figs. 7-8. “the ticketing system 108 may be configured to notify one or more users 110 regarding the various ticketing operations, escalate a remediation ticket, and/or remind a user 110 (e.g., service provider) about a remediation ticket based on a service level agreement.” Costin ¶ 89)
As to claims 8 and 18, Costin discloses the machine/method of claims 1 and 11 and further discloses:
wherein the plurality of documents comprise at least one response plan of the entity, and the one or more processing circuits further comprising executable instructions to: (“the different types of flaw intelligence sources 106 may include, but are not limited to, databases that maintain an updated list of cyber threats, asset information databases, databases that maintain an updated list of exceptions and plan of action Milestones (PoAM's), and so on.” Costin ¶ 43)
identify, based on the parameters for protecting and the one or more actionable tasks, one or more protection gaps of the at least one response plan; and (“Responsive to receiving the flaw data and/or the intelligence information, the flaw server 102 may analyze and correlate the flaw data across the plurality of flaw sources to generate one flaw record per flaw for each IT asset of the enterprise's IT system…. the flaw server 102 may generate API calls to invoke an instance of the ticketing system 108 for generating, updating, and/or canceling the remediation tickets.” Costin ¶ 44)
provide the one or more protection gaps to at least one of the entity and the third party. (See Costin Figs. 7-8. “the ticketing system 108 may be configured to notify one or more users 110 regarding the various ticketing operations, escalate a remediation ticket, and/or remind a user 110 (e.g., service provider) about a remediation ticket based on a service level agreement.” Costin ¶ 89)
As to claims 9 and 19, Costin discloses the machine/method of claims 8 and 18 and further discloses:
update, via the GUI, at least one user interface element of the one or more user interface elements based on the one or more protection gaps; and (“the dashboard 700 may be dynamically updated as and when new data associated with the flaw remediation management system is available at the flaw server 102.” Costin ¶ 91)
provide, via the GUI, the at least one user interface element to the entity and to the third party. (See Costin Figs. 7-8. “the ticketing system 108 may be configured to notify one or more users 110 regarding the various ticketing operations, escalate a remediation ticket, and/or remind a user 110 (e.g., service provider) about a remediation ticket based on a service level agreement.” Costin ¶ 89)
As to claim 10, Costin discloses the machine of claim 1 and further discloses:
receive, via at least one of the GUI, the API, or the one or more digital communication channels, at least one additional document corresponding with the entity; (“the work priority score of a work item may be updated continuously or at discrete time intervals based on the flaw data from the plurality of flaw sources 104 and/or intelligence information from the plurality of intelligence sources 106.” Costin ¶ 87)
map one or more portions of the at least one additional document to the parameters for protecting the entity, wherein the one or more portions correspond with at least one additional actionable task; and (“the flaw server 102 checks if a remediation ticket has been previously created for the work item. If a remediation ticket has been previously created, in operation 606, the flaw server 102 generates an API call requesting a ticketing system 108 to provide an update on a current status of the previously created remediation ticket. Responsive to receiving the current status of the remediation ticket the flaw server 102 may update the flaw database 334 with the current status of the remediation ticket.” Costin ¶ 85)
update, via the GUI, at least one user interface element of the one or more user interface elements based on the at least one additional actionable task. (“as illustrated in FIG. 7, the dashboard 700 may be dynamically updated as and when new data associated with the flaw remediation management system is available at the flaw server 102.” Costin ¶ 91.)
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 5-6 and 15-16 is/are rejected under 35 U.S.C. 103 as being unpatentable over Costin et al., US 2017/0034200 (published 2017), in view of Li, US 2022/0329630 (filed 2021).
As to claims 5 and 15, Costin discloses the machine/method of claims 3 and 13, but does not further disclose:
the one or more processing circuits further comprising executable instructions to: store the one or more actionable tasks or the status on a ledger or a distributed ledger.
Li discloses:
the one or more processing circuits further comprising executable instructions to: store the one or more actionable tasks or the status on a ledger or a distributed ledger.
(“a user is required to comply with the General Data Protection Regulation (GDPR) in Hong Kong.” Li ¶ 49)
(“the AI engine 202 may determine one or more resolution methods corresponding to the one or more security alerts based at least on the received the user security profile, the user compliance requirements, and the user personalized security preferences.” Li ¶ 47. “the user portal and control management module 108 may be configured to store the selected options related to the user account, security alerts, and the resolution methods in the database 102. Further, the user portal and control management module 108 may be explained in conjunction with FIG. 3.” Li ¶ 52)
(“Additionally, the database 102 may provide an additional layer of security with tokenization for users to control the metadata and inputted data. In one embodiment, a web 3.0 (i.e. a Semantic Architecture) with a Blockchain Database may reside in a Blockchain Data Lake distributing the database in regional data centers to satisfy data sovereignty and related regulatory compliance.” Li ¶ 43. Also ¶ 44)
A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Costin with Li by utilizing the blockchain ledger of Li to store the selected resolution methods. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Costin with Li in order to provide security and governance controls to the analysis data of the system while providing replication and localization for regulatory compliance, Li ¶¶ 18 and 43.
As to claims 6 and 16, Costin in view of Li discloses the machine/method of claims 5 and 15, and further discloses:
determine, based on the status, the entity being in compliance with the parameters for protecting; and (“the flaw server 102 can assign business rules, flaw related exceptions and/or remediation information (e.g., PoAM's) to each flaw record. Then, the flaw server 102 returns the flaw records, the flaw priority score of each flaw record, and/or flaw assignment information (exception, compliance, asset owner, stakeholder, service provider, etc.) of the flaw record to operation 406 of FIG. 4.” Costin ¶ 79. See Costin Fig. 6 discussing remediation tickets.)
generate one or more plans corresponding with the parameters for protecting, (“the flaw server 102 can assign business rules, flaw related exceptions and/or remediation information (e.g., PoAM's) to each flaw record. Then, the flaw server 102 returns the flaw records, the flaw priority score of each flaw record, and/or flaw assignment information (exception, compliance, asset owner, stakeholder, service provider, etc.) of the flaw record to operation 406 of FIG. 4.” Costin ¶ 79. See Costin Fig. 6 discussing remediation tickets.) wherein the one or more plans comprise one or more of a cybersecurity plan, an insurance plan, or a protection plan. (Costin ¶ 79, Li ¶¶ 47 and 49.)
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See PTO-892, particularly:
Choudhary et al., US 2010/0198636, discloses a method for auditing governance, risk, and compliance using a pluggable correlation architecture.
Chait, US 2014/0222521, discloses management and compliance verification in distributed work flow environments.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL W CHAO whose telephone number is (571)272-5165. The examiner can normally be reached M, W-F 8-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Rupal Dharia can be reached at (571) 272-3880. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/MICHAEL W CHAO/Primary Examiner, Art Unit 2492