Notice of Pre-AIA or AIA Status
1. The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
2. EXAMINER’S NOTE: The claims have been reviewed and considered under the new guidance pursuant to the 2019 Revised Patent Subject Matter Eligibility Guidance (PEG 2019) issued January 7, 2019.
3. This communication is in response to Applicant’s Preliminary Amendment filed on 03 July 2025 has been reviewed and considered by the Examiner. Claims 1-20 have been cancelled. Claims 21-40 have been added. Claims 21-22, 27-30, 34-35 and 38-40 remain pending.
Continued Prosecution Application
4. This application is a continuation of Serial No. 18/079,396 filed on 12 December 2022, which is now US Patent No. 12,218,979, issued on 04 February 2025.
Double Patenting
5. The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The filing of a terminal disclaimer by itself is not a complete reply to a nonstatutory double patenting (NSDP) rejection. A complete reply requires that the terminal disclaimer be accompanied by a reply requesting reconsideration of the prior Office action. Even where the NSDP rejection is provisional the reply must be complete. See MPEP § 804, subsection I.B.1. For a reply to a non-final Office action, see 37 CFR 1.111(a). For a reply to final Office action, see 37 CFR 1.113(c). A request for reconsideration while not provided for in 37 CFR 1.113(c) may be filed after final for consideration. See MPEP §§ 706.07(e) and 714.13.
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The actual filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/apply/applying-online/eterminal-disclaimer.
Instant Application 19/043,399
Issued Application 12,218,979
21. A server system comprising: a memory resource; and a processing resource operably intercoupled with the memory resource and configured to instantiate an instance of software configured to: receive, as input from a client-side system, an information security standards policy; transmit a request including an organization identifier associated with the client-side system to a server-side data store to retrieve a vendor information set; for each vendor indicated by the vendor information set: querying a respective vendor data store to retrieve a respective security configuration state for the respective vendor; evaluating a respective security configuration requirement of the information security standards policy against the respective security configuration state to determine a respective set of security compliance statuses; aggregating, based on each respective set of security compliance statuses for each respective vendor, a current security compliance score; querying the server-side data store to obtain a set of previous security compliance scores; generating a time series compliance score visualization including the current security compliance score and the set of previous security compliance scores; and causing the time series compliance score visualization to be rendered in a display device that is communicably coupled to the client-side system.
22. The server system of claim 21, wherein: the input from the client-side system is received via a centralized management interface provided by the server system; and causing the time series compliance score visualization to be rendered in the display device that is communicably coupled to the client-side system includes causing the time series compliance score visualization to be rendered in the centralized management interface provided by the server system.
23. The server system of claim 21, wherein: querying the respective vendor data store to retrieve the respective security configuration state for the respective vendor includes querying the respective vendor data store to retrieve a respective usage data; and evaluating the respective security configuration requirement of the information security standards policy against the respective security configuration state to determine the respective set of security compliance statuses includes evaluating the respective security configuration requirement against the respective usage data.
24. The server system of claim 23, wherein in response to a determination, based on the respective usage data for a particular respective vendor, that a particular license for the particular respective vendor is not actively used, the server system is configured to terminate the particular license.
25. The server system of claim 21, wherein generating the time series compliance score visualization includes graduating, in accordance with a user-defined scale, the current security compliance score and the set of previous security compliance scores to obtain a graduated set of compliance scores; and the time series compliance score visualization includes the graduated set of compliance scores.
26. The server system of claim 25, wherein subsequent to generating the time series compliance score visualization, the time series compliance score visualization is provided to an authenticated third-party system associated with the information security standards policy.
27. The server system of claim 21, wherein transmitting the request including the organization identifier is in accordance with a scheduled time interval; and the set of previous security compliance scores were previously generated in accordance with the scheduled time interval.
28. The server system of claim 21, wherein querying the respective vendor data store to retrieve the respective security configuration state for the respective vendor comprises: generating, by the server system, a set of application programming interface (API) calls to the respective vendor data store; and receiving the respective security configuration state for the respective vendor via a response API communication from the respective vendor data store.
29. The server system of claim 21, wherein the information security standards policy includes at least one of: a multi-factor authentication requirement; a network configuration requirement; a backup interval requirement; a backend database encryption requirement; or a minimum software version requirement.
30. A method of auditing an information security posture of a policyholder, the method comprising: receiving an information security standards policy for a policyholder; transmitting a request including an organization identifier associated with the policyholder to a server-side data store to retrieve software license data comprising a set of identifiers corresponding to respective software licenses held by the policyholder; for each identifier of the set of identifiers: querying a respective vendor data store using the identifier to obtain a respective security configuration state for the respective software license; evaluating the information security standards policy against the respective security configuration state to determine a respective set of security compliance statuses; aggregating, based on each respective set of security compliance statuses for each respective identifier, a current security compliance score; querying the server-side data store to obtain a set of previous security compliance scores; and causing to be rendered, as output, a time series compliance score visualization including the current security compliance score and the set of previous security compliance scores.
31. The method of claim 30, further comprising: subsequent to querying the respective data store to obtain the respective security configuration state for the respective software license, querying the respective data store to obtain a respective usage data for the respective software license; evaluating the respective usage data to determine that the respective software license is not actively being used; and terminating the respective software license.
32. The method of claim 30, wherein evaluating the information security standards policy against the respective security configuration state includes: determining a deficiency in the respective configuration state with respect to the information security standards policy; generating a reconfiguration suggestion for curing the deficiency.
33. The method of claim 32, wherein the output is a first output, and the method further comprises: causing to be rendered, as second output, the reconfiguration suggestion for curing the deficiency.
34. The method of claim 30, wherein the information security standards policy includes at least one of: a multi-factor authentication requirement; a network configuration requirement; a backup interval requirement; a backend database encryption requirement; or a minimum software version requirement.
35. A method of auditing an information security posture of a policyholder, the method comprising: receiving an information security standards policy for a policyholder; transmitting a request including an organization identifier associated with the policyholder to a server-side data store to retrieve software license data comprising a set of identifiers corresponding to respective software licenses held by the policyholder; for each identifier of the set of identifiers: querying a respective vendor data store using the identifier to obtain a respective usage data for the respective software license; evaluating the information security standards policy against the respective usage data to determine a respective set of security compliance statuses; generating respective suggestion list comprising cures for deficiencies indicated by the respective set of security compliance statuses; causing to be rendered, as output and for a particular respective software license, the respective suggestion list for at least a subset of the deficiencies indicated by the respective set of security compliance statuses.
36. The method of claim 35, wherein evaluating the information security standards policy against the respective usage data for at least one respective software license includes: determining, based on the respective usage data, that the at least one respective software license is not actively used; and causing the at least one respective software license to be terminated.
37. The method of claim 35, wherein the output is a first output, and the method further comprises: causing to be rendered, as second output and for each respective software license, a respective in-use version number for the respective software license, and a respective recommended version number for the respective software license.
38. The method of claim 35, wherein the information security standards policy includes at least one of: a multi-factor authentication requirement; a network configuration requirement; a backup interval requirement; a backend database encryption requirement; or a minimum software version requirement.
39. The method of claim 35, wherein the information security standards policy is received via an instance of a centralized management interface; and causing the respective suggestion list for the particular respective software license to be rendered as output includes causing the respective suggestion list to be rendered in a content view area of the centralized management interface.
40. (New) The method of claim 35, wherein the information security standards policy comprises a set of required security configurations for each respective software license held by the policyholder.
1. A server system comprising: a memory resource; and a processing resource operably intercoupled with the memory resource and configured to instantiate an instance of software configured to: receive, as input, first information identifying an organization; receive, as input, second information identifying an information security standard; query a first data store, with the first information, to retrieve a set of third-party software licensed by and deployed by the organization; generate a set of structured data representations by: for each third-party software of the set of third-party software, query a second data store to retrieve a respective structured data representation of a respective configuration of the respective third-party software as deployed by the organization as of receiving the first information; query a third data store, with the second information, to retrieve a data object comprising attributes corresponding to software configuration requirements imposed by the information security standard; for each respective attribute of the data object, determine whether the respective software configuration requirement imposed by the information security standard is satisfied by at least one structured data representation of the set of structured data representations and: in response to determining that the respective software configuration requirement is not satisfied by any structured data representation of the set of structured data representations, provide a first output asserting that the organization fails to comply with the information security standard; and in response to determining that the respective software configuration requirement is satisfied by at least one structured data representation of the set of structured data representations, provide a second output asserting that the organization at least partially complies with the information security standard; and in response to determining that each software configuration of each respective attribute of the data object is satisfied by at least one structured data representation of the set of structured data representations, provide a third output asserting that the organization fully complies with the information security standard.
2. The server system of claim 1, wherein: the instance of software is a backend application instance configured to communicably couple to a frontend application instance instantiated by a client device communicably coupled to the server system; the first information is received from the frontend application instance; the second information is received form the frontend application instance; and the first, second, and third outputs are provided to the frontend application instance to cause the frontend application instance to display, in a graphical user interface thereof, a visual indication corresponding to the first, second, or third outputs respectively.
3. The server system of claim 2, wherein the visual indication comprises a numerical score.
4. The server system of claim 3, wherein the numerical score corresponds to a number of attributes of the data object satisfied by at least one structured data representation of the set of structured data representations.
5. The server system of claim 1, comprising: a database comprising: the first data store; and the second data store.
6. The server system of claim 1, wherein at least one structured data representation of the set of structured data representations comprises a version of the respective third-party software.
7. The server system of claim 1, wherein the instance of software is configured to: receive a request comprising: the first information; and the second information; and provide a response to the request comprising one of: the first output; the second output; and the third output.
8. The server system of claim 7, wherein the response comprises a numerical score corresponding to one of the first output, the second output, and the third output.
9. The server system of claim 8, wherein the numerical score is normalized to a graduated scale.
10. The server system of claim 7, wherein the response comprises a nonnumerical score corresponding to one of the first output, the second output, and the third output.
11. A method of auditing compliance of an organization with one or more security policies, the method comprising: receiving from a frontend instance of software instantized at a client device, at a backend instance of software instantiated by cooperation of processing resources and memory resources, a request comprising: first information identifying an organization; and second information identifying at least one information security standard; in response to the request, querying a first database to determine whether a compliance score exists in respect of the organization and the information security standard; in accordance with a first determination that the compliance score exists, generating a response to the request, the response comprising the compliances score; or in accordance with a second determination that the compliance score does not exist: querying a first data store, with the first information, to retrieve a set of third-party software licensed by and deployed by the organization; generating a set of structured data representations by querying a second data store with each respective third-party software to, for each respective third-party software, retrieve a respective structured data representation of a respective configuration of the respective third-party software as deployed by the organization as of receiving the request; querying a third data store, with the second information, to retrieve a data object comprising attributes corresponding to software configuration requirements imposed by the information security standard; for each respective attribute of the data object, determine whether the respective software configuration requirement imposed by the information security standard is satisfied by at least one structured data representation of the set of structured data representations and: in response to determining that the respective software configuration requirement is not satisfied by any structured data representation of the set of structured data representations, providing a first output asserting that the organization fails to comply with the information security standard; and in response to determining that the respective software configuration requirement is satisfied by at least one structured data representation of the set of structured data representations, providing a second output asserting that the organization at least partially complies with the information security standard; in response to determining that each software configuration of each respective attribute of the data object is satisfied by at least one structured data representation of the set of structured data representations, providing a third output asserting that the organization fully complies with the information security standard; generating the compliance score from at least one of the first output, the second output, or the third output; and generating the response to the request, the response comprising the compliance score; and transmitting the response to the frontend instance to cause a graphical user interface of the frontend instance to display the compliance score.
12. The method of claim 11, wherein the compliance score is normalized to a graduated scale.
13. The method of claim 11, wherein the compliance score is a numeric value within a range of numeric values.
14. The method of claim 11, wherein: the second information identifies at least two information security standards; and the response comprises at least two compliances scores, each in respect of a respective one information security standards of the at least two information security standards.
15. A method of auditing compliance of an organization with one or more security policies, the method comprising: receiving from a frontend instance of software instantized at a client device, at a backend instance of software instantiated by cooperation of processing resources and memory resources, a request comprising: first information identifying an organization; second information identifying a selected information security standard; third information comprising a date range; and receiving fourth information comprising a formula for determining compliance scores; querying a database with the first information, the second information, and the third information to retrieve a set of historical compliance scores generated in respect of the organization and the selected information security standard at different times within the date range, each historical compliance score of the set of historical compliances score calculated according to the formula by the backend instance of software by determining which third-party software licensed by the organization through the backend instance and deployed by the organization complied with the selected information security standard; generating a response to the request, the response comprising the set of historical compliances scores; and communicating the response to the frontend instance.
16. The method of claim 15, wherein the second information is selected from a set of information security standards.
17. The method of claim 15, wherein each of the compliances scores of set of historical compliances scores comprise a numerical value.
18. The method of claim 15, wherein the second information identifies a version of the information security standard.
19. The method of claim 15, wherein communicating the response to the frontend instance causes a graphical user interface of the frontend instance to display a graph corresponding to the set of historical compliances scores over time.
6. Claims 21-40 are rejected on the ground of non-statutory double patenting as being unpatentable over claims 1-19 of U.S. Patent No. 12,218,979. Although the claims at issue are not identical, they are not patentably distinct from each other because in both instances, the claims are drawn towards methods and systems for leveraging a data and service access management system architecture to provide security policy compliance verification and certification as a service. The omission of “retrieve a set of third-party software licensed by and deployed by the organization; generate a set of structured data representations by: for each third-party software of the set of third-party software” does not change the scope of the claims for the instant application and the issued application. Similarly, in both instances, a similarity measure may be attained wherein retrieving data can be used to evaluate compliance with one or more information security policies.
Claim Rejections - 35 USC § 102
7. In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.
8. Claims 21-22, 27-30, 34-35, and 38-40 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Freeman et al. (Pub No. 2021/0295223).
Referring to the rejection of claim 21, Freeman et al. discloses a server system comprising:
a memory resource; (See Freeman et al., Fig. 1B, i.e., memory, item 112)
and a processing resource operably intercoupled with the memory resource and configured to instantiate an instance of software configured to: (See Freeman et al., Fig. 1B, i.e., processor, item 111)
receive, as input from a client-side system, an information security standards policy; (See Freeman et al., para. 50-51)
transmit a request including an organization identifier associated with the client- side system to a server-side data store to retrieve a vendor information set; (See Freeman et al., para. 46 and 49)
for each vendor indicated by the vendor information set: (See Freeman et al., para. 46)
querying a respective vendor data store to retrieve a respective security configuration state for the respective vendor; (See Freeman et al., para. 46)
evaluating a respective security configuration requirement of the information security standards policy against the respective security configuration state to determine a respective set of security compliance statuses; (See Freeman et al., para. 46-47)
aggregating, based on each respective set of security compliance statuses for each respective vendor, a current security compliance score; (See Freeman et al., para. 47-48 and 67-68)
querying the server-side data store to obtain a set of previous security compliance scores; (See Freeman et al., para. 46-49)
generating a time series compliance score visualization including the current security compliance score and the set of previous security compliance scores; (See Freeman et al., para. 50-54)
and causing the time series compliance score visualization to be rendered in a display device that is communicably coupled to the client-side system. (See Freeman et al., para. 45, 83-84 and 440)
Referring to the rejection of claim 22, Freeman et al. discloses wherein: the input from the client-side system is received via a centralized management interface provided by the server system; and causing the time series compliance score visualization to be rendered in the display device that is communicably coupled to the client-side system includes causing the time series compliance score visualization to be rendered in the centralized management interface provided by the server system. (See Freeman et al., para. 45, 83-84 and 440)
Referring to the rejection of claim 27, Freeman et al. discloses wherein transmitting the request including the organization identifier is in accordance with a scheduled time interval; and the set of previous security compliance scores were previously generated in accordance with the scheduled time interval. (See Freeman et al., para. 46 and 48)
Referring to the rejection of claim 28, Freeman et al. discloses wherein querying the respective vendor data store to retrieve the respective security configuration state for the respective vendor comprises: generating, by the server system, a set of application programming interface (API) calls to the respective vendor data store; and receiving the respective security configuration state for the respective vendor via a response API communication from the respective vendor data store. (See Freeman et al., para. 74-76)
Referring to the rejection of claim 29, Freeman et al. discloses wherein the information security standards policy includes at least one of: a multi-factor authentication requirement; a network configuration requirement; a backup interval requirement; a backend database encryption requirement; or a minimum software version requirement. (See Freeman et al., para. 50)
Referring to the rejection of claim 30, Freeman et al. discloses a method of auditing an information security posture of a policyholder, the method comprising:
receiving an information security standards policy for a policyholder; (See Freeman et al., para. 50-51)
transmitting a request including an organization identifier associated with the policyholder to a server-side data store to retrieve software license data comprising a set of identifiers corresponding to respective software licenses held by the policyholder; (See Freeman et al., para. 46 and 49)
for each identifier of the set of identifiers: querying a respective vendor data store using the identifier to obtain a respective security configuration state for the respective software license; (See Freeman et al., para. 46)
evaluating the information security standards policy against the respective security configuration state to determine a respective set of security compliance statuses; (See Freeman et al., para. 46-47)
aggregating, based on each respective set of security compliance statuses for each respective identifier, a current security compliance score; (See Freeman et al., para. 47-48 and 67-68)
querying the server-side data store to obtain a set of previous security compliance scores; (See Freeman et al., para. 46-49)
and causing to be rendered, as output, a time series compliance score visualization including the current security compliance score and the set of previous security compliance scores. (See Freeman et al., para. 45, 83-84 and 440)
Referring to the rejection of claim 34, Freeman et al. discloses wherein the information security standards policy includes at least one of: a multi-factor authentication requirement; a network configuration requirement; a backup interval requirement; a backend database encryption requirement; or a minimum software version requirement. (See Freeman et al., para. 50)
Referring to the rejection of claim 35, Freeman et al. discloses a method of auditing an information security posture of a policyholder, the method comprising:
receiving an information security standards policy for a policyholder; (See Freeman et al., para. 50-51)
transmitting a request including an organization identifier associated with the policyholder to a server-side data store to retrieve software license data comprising a set of identifiers corresponding to respective software licenses held by the policyholder; (See Freeman et al., para. 46 and 49)
for each identifier of the set of identifiers: querying a respective vendor data store using the identifier to obtain a respective usage data for the respective software license; (See Freeman et al., para. 46)
evaluating the information security standards policy against the respective usage data to determine a respective set of security compliance statuses; (See Freeman et al., para. 46-47)
generating respective suggestion list comprising cures for deficiencies indicated by the respective set of security compliance statuses; (See Freeman et al., para. 50-54)
causing to be rendered, as output and for a particular respective software license, the respective suggestion list for at least a subset of the deficiencies indicated by the respective set of security compliance statuses. (See Freeman et al., para. 45, 83-84 and 440)
Referring to the rejection of claim 38, Freeman et al. discloses wherein the information security standards policy includes at least one of: a multi-factor authentication requirement; a network configuration requirement; a backup interval requirement; a backend database encryption requirement; or a minimum software version requirement. (See Freeman et al., para. 50)
Referring to the rejection of claim 39, Freeman et al. discloses wherein the information security standards policy is received via an instance of a centralized management interface; and causing the respective suggestion list for the particular respective software license to be rendered as output includes causing the respective suggestion list to be rendered in a content view area of the centralized management interface. (See Freeman et al., para. 83-85)
Referring to the rejection of claim 40, Freeman et al. discloses wherein the information security standards policy comprises a set of required security configurations for each respective software license held by the policyholder. (See Freeman et al., para. 66)
Allowable Subject Matter
9. Claims 23-26, 31-33, and 36-37 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims and overcoming the obviousness double patenting rejection.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to COURTNEY D FIELDS whose telephone number is (571)272-3871. The examiner can normally be reached IFP M-F 8am-4:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, SHEWAYE GELAGAY can be reached at (571)272-4219. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/COURTNEY D FIELDS/Examiner, Art Unit 2436 June 26, 2026
/SHEWAYE GELAGAY/Supervisory Patent Examiner, Art Unit 2436