SCORM Acquisition Guidance
ADL has developed a course that explains special considerations for acquiring or procuring distributed learning systems and content that must conform to SCORM and other U.S. Department of Defense (DoD) requirements. It is targeted at acquisition and procurement personnel and at program and project managers. Topics include: Acquisition Planning; The Components of SCORM; SCORM Conformance; Instructional Systems Design and SCORM; and Project Management. There are two versions of this course available for download:
Department of Defense Instruction (DoDI) 1322.26 contains the current guidance for SCORM conformance in DoD.
Circa 2005, several members of the community highlighted a SCORM content vulnerability through blogs, forums, and websites. The vulnerability they highlight is not new, nor did it originate with SCORM. It exists within the SCORM Run-Time API, which is based on an IEEE Standard. Some version of an ECMAScript-based API has existed in all versions of SCORM since SCORM 1.2 was released in 2001. Given the flexibility of ECMAScript within the browser environment, this vulnerability allows technologically advanced users to potentially interfere with the learner tracking data that content communicates, by directly overriding and/or setting various SCORM data model elements.
ADL contacted the IEEE LTSC about this issue to discuss what actions can be taken to update the current standard or develop a complementary standard that would better enforce data integrity for delivered content. Several SCORM LMS vendors are investigating ways to prevent or detect individuals who leverage this vulnerability. Please contact your vendor directly to determine the actions they are taking.
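One way an LMS could flag tracking data worth a second look, shown as an added example (not ADL's or any vendor's code): it audits the SetValue calls the LMS recorded for one SCORM 1.2 attempt. The function name, the record shape `{t, element, value}`, the finding labels and the thresholds are assumptions.

```javascript
// Added example: plausibility audit over the SetValue calls an LMS recorded
// for one SCORM 1.2 attempt. Record shape and thresholds are assumptions.
function auditScormSession(calls, opts = {}) {
  const { minSeconds = 60, expectInteractions = true } = opts;
  const findings = [];
  const last = {};            // last value seen per data model element
  let interactionCount = 0;   // number of cmi.interactions.n.id records
  let passedAt = null;        // ms since launch when status first became passed/completed
  let sawFailed = false;

  for (const { t, element, value } of calls) {
    if (/^cmi\.interactions\.\d+\.id$/.test(element)) interactionCount++;
    if (element === 'cmi.core.lesson_status') {
      if (value === 'failed') sawFailed = true;
      if ((value === 'passed' || value === 'completed') && passedAt === null) {
        passedAt = t;
        // A failed result replaced by a pass inside the same session.
        if (sawFailed) findings.push('status-flipped-after-failed');
      }
    }
    last[element] = value;
  }
  if (passedAt !== null && passedAt < minSeconds * 1000) findings.push('finished-too-fast');

  const raw = last['cmi.core.score.raw'];
  if (raw !== undefined) {
    const n = Number(raw);
    const min = Number(last['cmi.core.score.min'] ?? 0);
    const max = Number(last['cmi.core.score.max'] ?? 100);
    const blank = String(raw).trim() === '';
    if (blank || !Number.isFinite(n) || n < min || n > max) findings.push('score-out-of-range');
    // Only meaningful for SCOs that are known to report interactions.
    if (expectInteractions && interactionCount === 0) findings.push('score-without-interactions');
  }
  return findings;
}

// Constructed sample sessions (not real learner data).
const normalSession = [
  { t: 45000, element: 'cmi.interactions.0.id', value: 'q1' },
  { t: 90000, element: 'cmi.interactions.1.id', value: 'q2' },
  { t: 200000, element: 'cmi.core.score.raw', value: '80' },
  { t: 200500, element: 'cmi.core.lesson_status', value: 'passed' },
];
const suspectSession = [
  { t: 3000, element: 'cmi.core.score.raw', value: '100' },
  { t: 3100, element: 'cmi.core.lesson_status', value: 'passed' },
];
console.log(auditScormSession(normalSession), auditScormSession(suspectSession));
```

Findings like these mark an attempt for review; they do not establish that the data was tampered with.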
Like online banking or any other online activity that you want to be secure, you can increase security in your SCORM content, but there is no way to guarantee security. Un-proctored online assessments should be considered a form of "open-book exams" since learners may have technical manuals, books, job aids, Google, or other resources in front of them while they are taking tests.
Content developers who are concerned about SCORM data integrity can take some actions to mitigate this vulnerability. ADL provides examples of these mitigation actions in the following two documents:
When a launched SCO and its LMS-provided API Instance are hosted on different domains, browser security restrictions may prevent API calls, thus prohibiting communication. Through collaboration with several members of the ADL Community and internal prototyping efforts, the ADL Technical Team has tested several different solutions to this problem and is providing them to the ADL Community at large. This paper details the Cross-Domain Issue and presents several known and tested solutions.