Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
DETAILED ACTION
This action is in response to the communication filed on 02/03/2025.
Claims 1-20 are under examination.
The Information Disclosure Statements filed on 02/03/2025, 07/24/2025, 10/06/2025, 12/08/2025 and 05/12/2026 have been entered and considered.
Allowable Subject Matter
Claims 7-8, 13-14 and 16-17 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-2, 10-11 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Jagannathan et al. (US 2022/0094596 A1) and Sharifi (US 11,595,372 B1).
Regarding claim 1, Jagannathan et al. discloses A system, comprising: one or more processing circuits comprising memory and at least one processor configured to: determine a cybersecurity posture of at least one entity based at least on a protection request comprising data of the at least one entity [abs, “receiving data indicating a current security posture of the network”, par. 0040, “the process may be triggered based on a determination that a configuration change has occurred or has been requested in the network”]; and provide an acceptance of the at least one cybersecurity data structure to a data source or ledger [par. 0061, “ compliance component 140 of FIG. 1 may record the decision and associated information, such as details of the configuration change and the user that issued the decision, for future reference”].
Jagannathan et al. does not explicitly disclose identify one or more tokens corresponding to at least one of (i) a verified or authenticated state of the cybersecurity posture or (ii) at least one digital representation of the cybersecurity posture or compliance of the at least one entity with one or more cybersecurity measures, technologies, or configurations; determine at least one cybersecurity data structure corresponding to a cybersecurity attribute to protect at least one computing system based at least on the one or more tokens.
However Sharifi teaches identify one or more tokens corresponding to at least one of (i) a verified or authenticated state of the cybersecurity posture or (ii) at least one digital representation of the cybersecurity posture or compliance of the at least one entity with one or more cybersecurity measures, technologies, or configurations [col. 4, line 65-col. 5, line 2, “the policy enforcement service determines a security posture related to the current and/or previous configuration of the calling user's resources by analyzing security data (e.g., tokens) provided with the request”, col. 11, lines 50-53, “The token(s) 314A-314X can be data of a variety of types of formats that describes one or more aspects of something (e.g., a virtual network, a compute instance, a set of access control policies, a set of firewall rules)”, col. 7, lines 62-65, “a token is generated that includes one or more values that describe or identify a current and/or previous security posture associated with the calling user's virtual network”]; determine at least one cybersecurity data structure corresponding to a cybersecurity attribute to protect at least one computing system based at least on the one or more tokens [col. 8, lines 1-7, “if the value of a token with an identifier of “SecurityPostureToken” (e.g., a value that is a “security score” indicating an amount of adherence to a set of security standards from the perspective of a security service) is exactly “100,” a request to access the resource may be allowed, provided that the other sub-condition 215B is also satisfied”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Sharifi into the teaching of Jagannathan et al. with the motivation to implement robust security controls for data by being able to guarantee that a calling user's resources adhere to current and/or previous security requirements to increased system security, reduced data leakage, increased system scalability, etc. as taught by Sharifi [Sgarifi: col. 5, lines 19-25].
Regarding claim 2, the rejection of claim 1 is incorporated.
Jagannathan et al. further discloses receive or collect environmental data from computing and networking structures of the at least one entity; and record the environmental data in the data source or ledger [par. 0012, “compliance component that maintains a baseline security view of all systems and services in an SDN environment… the compliance component monitors for security compliance of the systems and services on an ongoing basis”, par. 0061, “ compliance component 140 of FIG. 1 may record the decision and associated information, such as details of the configuration change and the user that issued the decision, for future reference”].
Regarding claim 10, it recites limitations like claim 1, the reason for the rejection of claim 1 is incorporated.
Sharifi further discloses identifying, by the one or more processing circuits, one or more identifiers corresponding to at least one of (i) a verified or authenticated state of the cybersecurity posture or (ii) at least one digital representation of the cybersecurity posture or compliance of the at least one entity with one or more cybersecurity measures, technologies, or configurations [col. 4, line 65-col. 5, line 2, “the policy enforcement service determines a security posture related to the current and/or previous configuration of the calling user's resources by analyzing security data (e.g., tokens) provided with the request”, col. 11, lines 50-53, “The token(s) 314A-314X can be data of a variety of types of formats that describes one or more aspects of something (e.g., a virtual network, a compute instance, a set of access control policies, a set of firewall rules)”, col. 7, lines 62-65, “a token is generated that includes one or more values that describe or identify a current and/or previous security posture associated with the calling user's virtual network”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Sharifi into the teaching of Jagannathan et al. with the motivation to implement robust security controls for data by being able to guarantee that a calling user's resources adhere to current and/or previous security requirements to increased system security, reduced data leakage, increased system scalability, etc. as taught by Sharifi [Sgarifi: col. 5, lines 19-25].
Regarding claim 11, it recites limitations like claim 2, the reason for the rejection of claim 2 is incorporated.
Regarding claim 19, it recites limitations like claim 10, the reason for the rejection of claim 10 is incorporated.
Claims 3, 12 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Jagannathan et al. (US 2022/0094596 A1) and Sharifi (US 11,595,372 B1) as applied to claims 1-2, 10-11 and 19 above, and further in view of Vetas (US 2022/0051261 A1).
Regarding claim 3, the rejection of claim 1 is incorporated.
Sharifi discloses determine at least one cybersecurity data structure.
They do not explicitly disclose executing a Zero-Knowledge Proof (ZKP) model to determine the cybersecurity posture against one or more insurance parameters, wherein the ZKP model maintains anonymity of all or a portion of data used in determining the at least one cybersecurity data structure, and wherein anonymity of the at least one entity is maintained until the acceptance.
However Vetas teaches executing a Zero-Knowledge Proof (ZKP) model to determine the cybersecurity posture against one or more insurance parameters, wherein the ZKP model maintains anonymity of all or a portion of data used in determining the at least one cybersecurity data structure, and wherein anonymity of the at least one entity is maintained until the acceptance [par. 0056, “an overview of the data, traceability and compliance configurations within the system. The regulators can verify compliance with the regulations and participants can use the system to grant licenses… Many high quality, open source audited contracts are available, for ZKP, Traceability, DeFi and ERP integration (baseline)”, par. 0058, insurance, par. 0079, “Know Your Customer (KYC) and Certificate validators can be specialized Digital Asset management service providers that facilitate anonymized Zero-Knowledge Proof (ZKP) of on chain identity. The Legal Identity Identifier (LEI) is verified and stored off-chain. This service issues an anonymized on-chain transaction ID containing the Zero Knowledge Proof of Set membership (ZKSMP) and Zero Knowledge Range Proofs (Merkle Root/ZKRP) of the backing KYC data”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Vetas into the teaching of Jagannathan et al. and Sharifi with the motivation to provide accessible tools for regulatory compliance and certifications as taught by Vetas [Vetas: par. 0057].
Regarding claim 12, it recites limitations like claim 3, the reason for the rejection of claim 3 is incorporated.
Regarding claim 20, it recites limitations like claim 12, the reason for the rejection of claim 12 is incorporated.
Claim 4 is rejected under 35 U.S.C. 103 as being unpatentable over Jagannathan et al. (US 2022/0094596 A1) and Sharifi (US 11,595,372 B1) as applied to claims 1-2, 10-11 and 19 above, and further in view of Collins et al. (US 2012/0166229 A1).
Regarding claim 4, the rejection of claim 1 is incorporated.
Jagannathan et al. and Sharifi discloses determining the at least one cybersecurity data structure and providing the acceptance of the at least one cybersecurity data structure.
They do not explicitly disclose determining the at least one cybersecurity data structure and providing the acceptance of the at least one cybersecurity data structure corresponds to quoting, binding, and issuing (QBI) of the at least one cybersecurity data structure.
However, Collins et al. teaches determining the at least one cybersecurity data structure and providing the acceptance of the at least one cybersecurity data structure corresponds to quoting, binding, and issuing (QBI) of the at least one cybersecurity data structure [par. 0030, “The other risk zone data device 120f may comprise any other type and/or configuration of device that may be utilized to make and/or facilitate decision making processes based at least in part on risk zone information… risk zone devices comprise… security system”, par. 0042, “the process 200 may also or alternatively comprise one or more actions associated with insurance policy quote and/or issuance 250. Once a policy has been rated, priced or quoted and the client has accepted the coverage terms, the insurance company may, for example, bind and issue the policy by hard copy and/or electronically to the client/insured”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Collins et al. into the teaching of Jagannathan et al. and Sharifi with the motivation such that risk zone information may be utilized to select, price, and/or manage an insurance policy as taught by Collins et al. [Collins et al.: abs.].
Claim 5 is rejected under 35 U.S.C. 103 as being unpatentable over Jagannathan et al. (US 2022/0094596 A1) and Sharifi (US 11,595,372 B1) and Collins et al. (US 2012/0166229 A1) as applied to claim 4 above, and further in view of Sweeney et al. (US 2019/0207981 A1).
Regarding claim 5, the rejection of claim 4 is incorporated.
Jagannathan et al. and Sharifi discloses determining the at least one cybersecurity data structure and providing the acceptance of the at least one cybersecurity data structure.
They do not explicitly disclose automatically renew the at least one cybersecurity data structure based on the cybersecurity posture and a cybersecurity resilience.
However, Sweeney et al. teaches automatically renew the at least one cybersecurity data structure based on the cybersecurity posture and a cybersecurity resilience [par. 0196, “security analytics service 1428 can be configured to initiate automated security orchestration actions to change the posture of IT environment… security analytics service 1428 can be configured to change the security posture of IT environment 130 to decrease risk and improve security resilience”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Sweeney et al. into the teaching of Jagannathan et al., Sharifi and Collins et al. with the motivation to decrease risk and improve security resilience of the IT environment as taught by Sweeney et al. [Sweeney et al.: par. 0026.].
Claims 6 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Jagannathan et al. (US 2022/0094596 A1) and Sharifi (US 11,595,372 B1) as applied to claims 1-2, 10-11 and 19 above, and further in view of Sweeney et al. (US 2019/0207981 A1).
Regarding claim 6, the rejection of claim 1 is incorporated.
Jagannathan et al. and Sharifi discloses determining the at least one cybersecurity data structure.
They do not explicitly disclose dynamically update the at least one cybersecurity data structure based at least on an update in a cybersecurity landscape or a change in one or more insurance protection preferences of one or more entities.
However, Sweeney et al. teaches dynamically update the at least one cybersecurity data structure based at least on an update in a cybersecurity landscape or a change in one or more insurance protection preferences of one or more entities [par. 0192, “ security analytics service 1428 can detect an indication of an abnormal change in the control maturity or compliance conformance based on a plurality of rules”, par. 0196, “security analytics service 1428 can be configured to initiate automated security orchestration actions to change the posture of IT environment… security analytics service 1428 can be configured to change the security posture of IT environment 130 to decrease risk and improve security resilience”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Sweeney et al. into the teaching of Jagannathan et al. and Sharifi with the motivation to decrease risk and improve security resilience of the IT environment as taught by Sweeney et al. [Sweeney et al.: par. 0026.].
Regarding claim 15, it recites limitations like claim 6, the reason for the rejection of claim 6 is incorporated.
Claims 9 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Jagannathan et al. (US 2022/0094596 A1) and Sharifi (US 11,595,372 B1) as applied to claims 1-2, 10-11 and 19 above, and further in view of Ng et al. (US 2022/0006840 A1).
Regarding claim 9, the rejection of claim 1 is incorporated.
Jagannathan et al. and Sharifi discloses determining the at least one cybersecurity data structure.
They do not explicitly disclose the at least one cybersecurity data structure provided is based on the cybersecurity posture, and wherein the at least one cybersecurity data structure corresponds to one or more coverage options aligning with a protection preference of the at least one entity.
However, Ng et al. teaches the at least one cybersecurity data structure provided is based on the cybersecurity posture, and wherein the at least one cybersecurity data structure corresponds to one or more coverage options aligning with a protection preference of the at least one entity [abs, “assessing risk of a cyber security failure in a computer network of an entity, using a computer agent configured to collect information from at least one accessible Internet elements, automatically determining, based on the assessed risk, a change or a setting to at least one element of policy criteria of a cyber security policy”, par. 0090, “the at least one element of policy criteria of the cyber security policy is a term and/or a condition. For example, a term and a condition may include a retention amount, a deductible, a premium, a coverage limit, a future valuation, a term length, and so forth”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Ng et al. into the teaching of Jagannathan et al. and Sharifi with the motivation to automatically recommending, based on the assessed risk, a computer network change to reduce the assessed risk as taught by Ng et al. [Ng et al.: abs.].
Regarding claim 18, it recites limitations like claim 9, the reason for the rejection of claim 9 is incorporated.
Conclusion
The prior art made of record and not relied upon is considered pertinent to Applicant’s disclosure:
US 11888886 B1 Cyber Security Risk Assessment And Cyber Security Insurance Platform
US 20230091179 A1 SYSTEM AND METHOD FOR BUILDING A TRUSTED NETWORK OF DEVICES
US 11611590 B1 System And Methods For Reducing The Cybersecurity Risk Of An Organization By Verifying Compliance Status Of Vendors, Products And Services
US 20220385687 A1 CYBERSECURITY THREAT MANAGEMENT USING ELEMENT MAPPING
US 20220345491 A1 SYSTEMS AND METHODS FOR SCALABLE ZERO TRUST SECURITY PROCESSING
US 20220337631 A1 SYSTEM AND METHOD TO CREATE ZERO TRUST FRAMEWORK FOR SECURITY AS A SERVICE
US 20220141255 A1 SECURITY STATUS OF SECURITY SLICES
US 11188985 B1 Entity Prioritization And Analysis Systems
US 20210334386 A1 METHOD AND SYSTEM FOR ASSESSING EFFECTIVENESS OF CYBERSECURITY CONTROLS IN AN OT ENVIRONMENT
US 20170324733 A1 USING SECURITY POSTURE INFORMATION TO DETERMINE ACCESS TO SERVICES
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JASON CHIANG whose telephone number is (571)270-3393. The examiner can normally be reached on 9 AM to 6 PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on (571) 272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/JASON CHIANG/Primary Examiner, Art Unit 2431