Building a Captivate training program for use by US government agencies seems to require compliance with NIST Special Publication 800-53, "Security and Privacy Controls for Federal Information Systems and Organizations", and employing "code analysis tools to examine the software for common flaws and document results in a Code Review Report".
I have no idea how any of this might relate to a Captivate-developed program. Does anyone have any experience with this requirement?
Thanks
Keep in mind that the output is your deliverable, so you're building "HTML5 or Flash based pages" for web delivery.
If they require delivery of .exe files, that would greatly change the dynamic.
From what I can see in this 462-page document, you're likely an external service provider, so focus on section 2.5.
Keep in mind, I'm not a lawyer, and this isn't legal advice, just a posting in a public forum.
So, have you asked the person bidding how they reviewed these requirements?
Or, are you preparing a bid?
Thanks for your "not legal advice". And yes, I'm the bidder. These security requirements were dropped into the proposal request very late in the process, just before the bid is due. As you imply, I don't think they apply at all to the HTML5 output being supplied, but I'm asked to certify compliance, which does make me nervous.
Sorry for that, but I figured at the top of the thread it might be wise to mention that :-).
These kinds of shenanigans are what kept me from the SBIR and other programs I investigated long ago.
That document seems to address server security more than anything. I would say that it does address cross-domain. So don't link to anything external to the course. Also, you cannot (the server-maintaining section can) use any server-side script on government systems without proper certification.
Like most government documents, there is a hierarchy of specifications referenced in the document that must also be followed.
My day job is at a US Air Force facility and we use Captivate frequently, but have never been bound by that document. My guess would be that, if they are asking you to self-certify, as long as the package is completely self-contained it would be OK. Perhaps cookies may be frowned upon as well as cross-domain and server-side scripting.
Having to deal with both desktop/web app certification AND e-learning development, this really doesn't apply to a Captivate-generated product, even if generated as an executable. I don't know what Government agency you're bidding on, but that reference is for Enterprise-level Information Systems; any Captivate output would be considered neither enterprise-level nor an information system. At least from the US Air Force perspective, Captivate or any other web-based training product, executable or not, is considered training materials, not an information system OR application, since other than storing scripted variables, it doesn't actually generate any product of its own with an .exe or other proprietary file extension. You might get into some issues if you have an executable and you create an installer for it, but again, then you would be dealing with desktop application certification, and NOT enterprise-level certification with all the additional security verification and source checking. All you really need to worry about is SCORM compliance and ADA Section 508/W3C Accessibility conformance. (Retired USAF MSgt. with 25+ years' experience in IT/Training development)