Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
DETAILED ACTION
This is in response the original filing of 10/31/2024. Claims 1-19 are pending and have been considered below.
Priority
18932808 filed 10/31/2024 is a Continuation of 18649484, filed 04/29/2024, now U.S. Patent # 12223062; 18649484 Claims Priority from Provisional Application 63570547, filed 03/27/2024.
Drawings
The drawings filed on 10/31/2024 are accepted.
Specification
The specification filed on 10/31/2024 is accepted.
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 10/31/2024 and 07/17/2025 is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The filing of a terminal disclaimer by itself is not a complete reply to a nonstatutory double patenting (NSDP) rejection. A complete reply requires that the terminal disclaimer be accompanied by a reply requesting reconsideration of the prior Office action. Even where the NSDP rejection is provisional the reply must be complete. See MPEP § 804, subsection I.B.1. For a reply to a non-final Office action, see 37 CFR 1.111(a). For a reply to final Office action, see 37 CFR 1.113(c). A request for reconsideration while not provided for in 37 CFR 1.113(c) may be filed after final for consideration. See MPEP §§ 706.07(e) and 714.13.
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The actual filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/apply/applying-online/eterminal-disclaimer.
Claims 1-19 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-21 of U.S. Patent No. 12,223,062 B1. Although the claims at issue are not identical, they are not patentably distinct from each other because: claims 1.19 of the present application are anticipated by claims 1-21 of the patent.
A side-by-side comparison of the independent claims of the pending application and the ’12,223,062 patent is given in the following table to show their similarities and differences:
18/932,808
12,223,062 B1
1. A method for security control gap identification, comprising:
integrating with a set of security controls deployed with respect to a computing environment, wherein integrating with the set of security controls further comprises deploying an artifact in the computing environment, wherein the artifact is configured to record a plurality of activities performed in the computing environment by the set of controls, wherein integrating with the set of security controls further comprises enforcing at least one policy requiring code releases in the computing environment to be signed using an instance of the artifact; and
identifying at least one security control gap in the computing environment based on a configuration of the set of security controls.
2. The method of claim 1, further comprising: performing at least one remediation action with respect to the identified at least one security control gap.
3. The method of claim 2, wherein performing the at least one remediation action includes reconfiguring at least one security control of the set of security controls.
10. A non-transitory computer readable medium having stored thereon instructions for causing a processing circuitry to execute a process, the process comprising: integrating with a set of security controls deployed with respect to a computing environment, wherein integrating with the set of security controls further comprises deploying an artifact in the computing environment, wherein the artifact is configured to record a plurality of activities performed in the computing environment by the set of controls, wherein integrating with the set of security controls further comprises enforcing at least one policy requiring code releases in the computing environment to be signed using an instance of the artifact; and
identifying at least one security control gap in the computing environment based on a configuration of the set of security controls.
11. A system for security control gap identification, comprising: a processing circuitry; and a memory, the memory containing instructions that, when executed by the processing circuitry, configure the system to: integrate with a set of security controls deployed with respect to a computing environment, wherein integrating with the set of security controls further comprises deploying an artifact in the computing environment, wherein the artifact is configured to record a plurality of activities performed in the computing environment by the set of controls, wherein integrating with the set of security controls further comprises enforcing at least one policy requiring code releases in the computing environment to be signed using an instance of the artifact; and
identify at least one security control gap in the computing environment based on a configuration of the set of security controls.
1. A method for identifying security control gaps, comprising:
integrating with a set of security controls deployed with respect to a computing environment, wherein integrating with the set of security controls further comprises deploying an artifact in the computing environment, wherein the artifact is configured to record a plurality of activities performed in the computing environment by the set of controls, wherein integrating with the set of security controls further comprises enforcing at least one policy requiring code releases in the computing environment to be signed using an instance of the artifact;
identifying at least one computing asset to be protected by the set of security controls; identifying at least one security control gap in the computing environment based on a configuration of the set of security controls, wherein each security control gap is defined with respect to one of the identified at least one computing asset; and
performing at least one remediation action with respect to the identified at least one security control gap.
11. A non-transitory computer readable medium having stored thereon instructions for causing a processing circuitry to execute a process, the process comprising: integrating with a set of security controls deployed with respect to a computing environment, wherein integrating with the set of security controls further comprises deploying an artifact in the computing environment, wherein the artifact is configured to record a plurality of activities performed in the computing environment by the set of controls, wherein integrating with the set of security controls further comprises enforcing at least one policy requiring code releases in the computing environment to be signed using an instance of the artifact;
identifying at least one computing asset to be protected by the set of security controls;
identifying at least one security control gap in the computing environment based on a configuration of the set of security controls, wherein each security control gap is defined with respect to one of the identified at least one computing asset; and
performing at least one remediation action with respect to the identified at least one security control gap.
12. A system for identifying security control gaps, comprising: a processing circuitry; and a memory, the memory containing instructions that, when executed by the processing circuitry, configure the system to: integrate with a set of security controls deployed with respect to a computing environment, wherein integrating with the set of security controls further comprises deploying an artifact in the computing environment, wherein the artifact is configured to record a plurality of activities performed in the computing environment by the set of controls, wherein the system is further configured to enforce at least one policy requiring code releases in the computing environment to be signed using an instance of the artifact;
identify at least one computing asset to be protected by the set of security controls;
identify at least one security control gap in the computing environment based on a configuration of the set of security controls, wherein each security control gap is defined with respect to one of the identified at least one computing asset; and
perform at least one remediation action with respect to the identified at least one security control gap.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1, 10 and 11 are rejected under 35 U.S.C. 103 as being unpatentable over Sloan et al. U.S. 2019/0034639 A1 in view of Bronk U.S. 2022/0021546 A1.
Claims 1, 10 and 11: Sloan et al teaches a method for security control gap identification (par.4, 25, identify a gap or risk in information-security coverage (e.g., determine that the environment does not comply with one or more controls) , comprising:
A non-transitory computer readable medium having stored thereon instructions for causing a processing circuitry to execute a process(par.32 The information-security measurement module 124a can include one or more instructions stored on a computer-readable storage medium (e.g., the memory 116a) and executable by the processor 112a), the process comprising:
A system for security control gap identification (par.4, 25, identify a gap or risk in information-security coverage (e.g., determine that the environment does not comply with one or more controls), comprising:
a processing circuitry (Fig. 1, item 112a, 138b, par.32); and
a memory, the memory containing instructions that, when executed by the processing circuitry (par.32, The information-security measurement module 124a can include one or more instructions stored on a computer-readable storage medium (e.g., the memory 116a) and executable by the processor 112a. when executed by the processor 112a, the computer-executable instructions cause the processor 112a to monitor the network 110, the computing device 104a, the information-security server 102, the database 106, or any other device in the environment 100), configure the system to
integrating with a set of security controls deployed with respect to a computing environment, wherein integrating with the set of security controls further comprises deploying an artifact in the computing environment, wherein the artifact is configured to record a plurality of activities performed in the computing environment by the set of controls (par. 73, determines an information-security metric that indicates that none of the computing devices 104a-c complies with a particular control, which may indicate a risk or exploitable weakness of information-security coverage in the environment 100. Par. 54, 57, 80-84, 90,information-security activity on a computing device 104a-c, a network 110, an information-security server 102, or a database 106 is detected over a period of time. An information-security measurement module 124a-c stored on, or executed by, the computing device 104a-c can detect the information-security activity. Par. 54, 80-84, 90, An interactive user interface can align a framework with corresponding controls, metrics, and information-security measurement modules 124a-c, which can allow the user to identify an exploitable weakness, a gap or risk in information-security coverage and modify the information-security measurement module 124a-c, the computing devices 104a-c, or the network 110 such that the environment 100 is in compliance with the framework or the one or more controls), wherein integrating with the set of security controls further comprises enforcing at least one policy requiring code releases in the computing environment to be signed using an instance of the artifact; and
identifying at least one security control gap in the computing environment based on a configuration of the set of security controls (par.25, 91,95 to identify a gap or risk in information-security coverage (e.g., determine that the environment does not comply with one or more controls.) and modify the information-security measurement modules, the computing system, or the network such that the environment is in compliance with the framework or one or more controls).
Sloan et al. fail to teach, however Bronk. in the same field of endeavor teaches
wherein integrating with the set of security controls further comprises enforcing at least one policy requiring code releases in the computing environment to be signed using an instance of the artifact (par. 68,77, sign each code artifact in a signing session with a TKP.sub.priv; embed a TCA.sub.cert in the software package; approve production release of a production version of the software package.).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the disclosure of Sloan et al. with the additional features of Bronk. for software vendors to ensure that only vetted, legitimate releases are signed with company's so-called production identity. Signing a potentially malicious package may lead to serious consequences (consider, for example, supply chain attacks, loss of credibility, etc.), as suggested by Bronk. par.3.
Claims 2-7, 9, 12-17 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Sloan et al. U.S. 2019/0034639 A1 in view of Bronk U.S. 2022/0021546 A1 in further view of Sweeney et al. US. 2019/0207981 A1.
Claims 2 and 12: the combination fails to teach, however Sweeney et al in the same field of endeavor teaches further comprising:
performing at least one remediation action with respect to the identified at least one security control gap (par. 78, dashboard system 114 can be initiate actions to correct or remediate control gaps identified in the assessments of control maturity or framework compliance of the security controls implemented in IT environment 130).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the disclosure of Sloan et al. with the additional features of Sweeney et al. for assessing security controls in an Information Technology environment and, more specifically, for assessing security control maturity, as suggested by Sweeney et al. par.2.
Claims 3 and 13: the combination teaches
wherein performing the at least one remediation action includes reconfiguring at least one security control of the set of security controls (Sweeney et al., par.6-8, 23-24, 68).
The same motivation to modify Sloan et al. in view of Sweeney et al. applied to claims 2 and 12 above applies here.
Claims 4 and 14: the combination teaches
wherein the set of security controls is a set of first security controls, wherein performing the at least one remediation action includes deploying at least one second security control based on the identified at least one security control gap (Sweeney et al., par.7, 23-24, 68).
The same motivation to modify Sloan et al. in view of Sweeney et al. applied to claims 2 and 12 above applies here.
Claims 5 and 15: the combination teaches
correlating between sets of asset-identifying data generated by the set of security controls (Sloan et al., par.83-84, 91); and
the combination fails to teach, however Sweeney et al in the same field of endeavor teaches
deduplicating a plurality of asset instances represented in the asset-identifying data generated by the set of security controls deployed with respect to the computing environment in order to create a set of deduplicated asset instances, wherein deduplicating the plurality of asset instances includes uniquely identifying each of the plurality of asset instances as corresponding to a respective protected computing asset of the at least one computing asset based on the correlation between the sets of asset-identifying data generated by the set of security controls, wherein the at least one security control gap is identified based further on the set of deduplicated asset instances(Sweeney et al., par.43-44, 67-68, 194).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the disclosure of Sloan et al. with the additional features of Sweeney et al. for assessing security controls in an Information Technology environment and, more specifically, for assessing security control maturity, as suggested by Sweeney et al. par.2.
Claims 6 and 16: the combination teaches wherein the set of security controls is a set of first security controls, wherein identifying the at least one security control gap (Sloan et al. par.25) further comprises:
determining at least one path of exploitation, wherein each path of exploitation is a path of communication between one of the at least one computing asset and at least one computing component, wherein the at least one security control gap includes a lack of a second security control at a deployment location defined with respect to the at least one path of exploitation (Sloan et al. par.17, 20, 25 52).
Claims 7 and 17: the combination teaches wherein identifying the at least one security control gap further comprises:
determining, for each security control of the set of security controls, a corresponding set of predetermined features to be used by the security control (Sloan et al., par.60-61); and
the combination fails to teach, however Sweeney et al in the same field of endeavor teaches
determining whether each security control of the set of security controls is configured to utilize each feature of the corresponding set of predetermined features, wherein the at least one security control gap includes a first security control of the set of security controls lacking configuration to perform at least one feature of the corresponding set of predetermined features (Sloan et al. par.52-54).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the disclosure of Sloan et al. with the additional features of Sweeney et al. for assessing security controls in an Information Technology environment and, more specifically, for assessing security control maturity, as suggested by Sweeney et al. par.2.
Claims 9 and 19: the combination fails to teach, however Sweeney et al in the same field of endeavor teaches wherein identifying the at least one security control gap further comprises:
determining, for each security control of the set of security controls, a corresponding set of predetermined software components to be used by the security control, wherein each predetermined software component to be used by the security control has a corresponding version (Sweeney et al., par.47, 71-72); and
determining that a first security control of the set of security controls has an outdated version of at least one first software component of the set of predetermined software components, wherein the at least one security control gap includes a lack of the at least one first software component by the first security control (Sweeney et al., par.43-44, 67-68, 194).
Claims 8 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Sloan et al. U.S. 2019/0034639 A1 in view of in view of Bronk U.S. 2022/0021546 A1 in further view of Shivanna et al. U.S. 2021/0336992 A1.
Claims 8 and 18: the combination fails to teach, however Shivanna et al. in the same field of endeavor teaches wherein identifying the at least one security control gap further comprises:
analyzing a pair of security controls from among the set of security controls, the pair of security controls including a first security control and a second security control of the set of security controls, wherein at least one first security control policy is applied to the first security control, wherein at least one second security control policy is applied to the second security control, wherein analyzing the pair of security controls further comprises analyzing the at least one first security control policy and the at least one second security control policy based on a set of predetermined security control policy conflicts (par.16-17, 25-30, 55-56); and
identifying at least one conflict between the at least one first security control policy and the at least one second security control policy based on the analysis, wherein the at least one security control gap includes the identified at least one conflict between the at least one first security control policy and the at least one second security control policy (par.16-17, 25-30, 55-56).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the disclosure of Sloan et al. with the additional features of Sweeney et al. in order to provide the ability to receive input information relating to a security level for an information technology (IT) stack, where the input information is technology and product agnostic. and to access a knowledge base that maps the security level and the discovered components to configuration instructions relating to security controls, and configure the IT stack with the security controls using the configuration instructions, as suggested by Sweeney et al. abstract.
The following prior art are cited to further show the state of the art at the time of applicant’s invention.
Tedeschi. U.S. 10,339321 B2 teaches Cybersecurity Maturity Forecasting Tool/Dashboard.
Yaron et al. U.S. 2023/0376603 A1 teaches Techniques for identifying and validating security control steps in software development pipelines.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to FATOUMATA TRAORE whose telephone number is (571)270-1685. The examiner can normally be reached 6:30-3:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, SHEWAYE GELAGAY can be reached at 5712724219. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
Monday, March 16, 2026
/FATOUMATA TRAORE/Primary Examiner, Art Unit 2436