[Federal Register Volume 67, Number 216 (Thursday, November 7, 2002)]
[Notices]
[Pages 67889-67890]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 02-28371]
-----------------------------------------------------------------------
DEPARTMENT OF TRANSPORTATION
Federal Aviation Administration
Advisory Circular No. 00-62, Internet Communications of Aviation
Weather and NOTAMs
AGENCY: Federal Aviation Administration, DOT.
ACTION: Notice of availability and disposition of comments.
-----------------------------------------------------------------------
SUMMARY: This notice announces the availability of Advisory Circular
No. 00-62, Internet Communications of Aviation Weather and NOTAMs, and
disposes of comments received on an earlier proposed draft.
FOR FURTHER INFORMATION CONTACT: Steven R. Albersheim, Aerospace
Weather Policy Division, Federal Aviation Administration, 800
Independence Avenue, SW., Washington, DC 20591, (202) 385-7704, or
[email protected].
SUPPLEMENTARY INFORMATION:
Background
On January 14, 2002 the FAA issued a draft Advisory Circular (AC)
on Internet Communications of Aviation Weather and NOTAMs. The FAA
requested comment on all aspects of the proposed AC. This AC sets forth
the process to become a Qualified Internet Communications Provider
(QICP) and addresses issues that relate to accessing aviation weather
and NOTAM information from approved QICPs.
Disposition of Comments
Comments were submitted from industry, special interest groups, and
private individuals. The comments covered various issues, but were
principally concerned with how a vendor would meet the provisions of
reliability, accessibility, and security to be approved as a QICP by
the FAA. The following addresses the issues raised by the commenters:
Several commenters questioned and/or did not support that the AC
does not address the quality of a QICP's service or the quality of the
QICP's data. As stated in the draft AC and reiterated here, the FAA
does not intend to provide quality control of QICP data or approve the
data accessed from a QICP. While the FAA requires air carriers
certificated under 14 CFR parts 121 and 135 to use an FAA-approved
source for weather information, the FAA does not approve the
information supplied to these carriers, or to pilots conducting
operations under part 91. This AC does not change the agency's current
position on approving quality of data, or sources for other than part
121 and 135 carriers. A fundamental change such as approving data and/
or sources for part 91 operations would require rulemaking with a
public process for notice and comment. While these comments are noted,
the purpose and goal of this AC are not to add these requirements. The
FAA finds value in ensuring that the provider's facility, as an
approved source for part 121 and 135 operators, is reliable, accessible
and secure. This value may be realized by part 91 operators utilizing
QICP vendors, if they so choose. To further clarify that an approved
QICP does not include FAA approval of data source or quality, the FAA
has added as part of the approval process, the provider's agreement to
display a label on its internet site with the following recommended
language. Failure to display this label may result in losing QICP
status.
This Qualified Internet Communication Provider's (QICP) servers and
communication interfaces are approved by the FAA as secure, reliable,
and accessible in accordance with AC 00-62.
(1) This QICP does not ensure the quality and currency of the
information transmitted to you.
(2) You assume the entire risk related to the information and its
use.
Several commenters questioned the nature of the Quality of Service
(QOS) agreements. Each approved QICP's maintenance plan has a QOS
agreement with each user that addresses how the provider will meet
measures of accessibility, reliability, and security. The QOS agreement
should at most, only reference the standards and provide for complaint
procedures if they are not maintained, allowing the parties to freely
negotiate appropriate remedies and limitations of liability in the
event the standards cannot be met for some period of time.
Comments were received on the use of standard security technology
to ensure site authentication/data integrity. Specifically, a commenter
disagreed with the use of Secure Sockets Layer (SSL) because SLL is not
a formal standard and there are known bugs in early versions of SSL
that allow an attacker to defeat any authentication and integrity
assurances that it might provide, with a similar effort to altering
data from an unsecured HTTP session.
The FAA agrees with this comment and has changed the AC to reflect
that approved QICP's should maintain a security system that is
applicable to current state-of-the-art technology. This also allows the
applicant greater flexibility in implementing a system that complies
with the AC while serving its customers and minimizing costs. In
addition, it is noted that this change assists in preventing
unauthorized access to or modification of provider data, software and
hardware.
One commenter states that this AC inadequately describes the
disaster recovery and contingency measures. The FAA does not believe it
is necessary to provide specific details on every possible incident
that could occur and believes that the AC provides guidance
[[Page 67890]]
to applicants in devising individual security plans. The applicants
need to demonstrate in their application that their security plans will
maintain the integrity of the data. It is up to each applicant to show
how they will maintain their operation 24 hours per day, seven days a
week during any event that could disrupt service.
One commenter states that the FAA's response to an Application or a
Letter of Denial following a Capability Demonstration should clearly
define the standards/requirements to be met to allow the applicant to
have its Application accepted and move on to the Capability
Demonstration, or to have its Capability Demonstration completed
successfully and qualify as a QICP.
In the event that a vendor's application is unsuccessful initially,
the FAA will recommend revisions and inform the applicant of any needed
changes. Similarly, a Letter of Denial will indicate the reasons for
the denial so that the vendor could make appropriate changes to
successfully complete its Capability Demonstration.
A commenter suggested that the approval period last for one or two
years with a mandatory performance review of any extension and conduct
interim review upon request.
The FAA finds that a six-month review is appropriate. QICPs are to
provide facility performance statistics semiannually or upon request.
This review assists in ensuring that QICPs are meeting the criteria of
this AC.
One commenter argued that the required time for a QICP to respond
to a user's Quality of Service complaints should be reduced from 14
calendar days to one business day following receipt.
The FAA maintains the 14-calendar day response period because while
some complaints may be resolved in a very short time frame, other
complaints may be more difficult to address. Each QICP has the option
of implementing a more stringent response period in its QOS agreement.
However, the agency finds that at a minimum, some latitude is necessary
and that 14 calendar days provides that latitude.
One comment questioned the necessity for QICPs to authenticate
users and limit access to authorized users, in order to provide users
with information that is publicly available to anyone via other
sources. This commenter contends that user authentication can increase
the costs of providing such services.
User authentication is only a recommended practice. The significant
aspect is that digital authentication is used so that the user knows
that he/she has signed on to an approved QICP site. The FAA does not
discourage those vendors who choose to provide a value-added service
with password restriction to their customers. In accordance with this
AC, QICPs are to meet the minimum-security protocol, which is to verify
the authenticity of the source of information.
Comments were received on the need to further address the
provisions of reliability and accessibility, in that the measures are
too stringent. FAA disagrees with this position. In order to meet the
purpose of this AC, a QICP's server and communication interface should
have very little down time. In developing this measure of service, the
FAA consulted with industry and the National Weather Service and
believes this is achievable and easily maintained and consistent with
current industry practices. FAA did not receive any comments on the
burden of meeting the criteria in the AC in response to the
solicitation for comments addressing reports requirements under the
Paper Work Reduction Act of 1995.
A commenter recommends that the FAA consider the feasibility of
requiring a certificate of authority for providers of aviation
information, or that other means be identified to provide
authentication and integrity protection.
It is recognized that no form of Internet security is totally risk
free. The agency's intent with this AC is to reduce the risk to an
acceptable level. The use of server digital certificates is consistent
with current business practices, which the FAA finds to be an
acceptable level. However, a QICP and user have the option of agreeing
upon the use of a specific server certificate of their choice if they
believe greater security linkage is warranted.
On September 17, 2002 the FAA published a proposed Revision to
Operations Specifications (OpSpecs) A010, Aeronautical Weather Data in
the Federal Register, which proposed a new requirement for 14 CFR part
121 and part 135 certificate holders that obtain approved weather data
via the public Internet for use in flight operations. Under this
proposal, these carriers must use a QICP for Internet communications of
aviation weather and NOTAMs. OpSpec A010, would be amended to read as
follows:
``For Internet communications of aviation weather and NOTAMS used
in flight operations, all part 121 and 135 operators are required to
use an approved Qualified Internet Communications Provider (QICP):
(1) The QICPs used by the operator must be listed in OpSpec A010.
(2) The QICP used must be obtained from the approved list provided
by the FAA.
(3) For more detailed information with regard to QICPs, refer to
the appropriate AC pertaining to Internet Communications of Aviation
Weather and NOTAMs and Volume 3, Chapter 7, Section 5, of this Order.''
In response to this Notice, the Air Transport Association commented
that it supports the proposal and one air carrier requested
clarification as to when a Part 121 operator could use an Internet
provider for aviation weather services.
The Internet AC addresses measures to be taken by a QICP to assure
the security, availability, and accessibility of Internet
communications link for providing weather and NOTAM information. Some
of the service providers that become QICP will likely provide a very
comprehensive service while others will provide a narrower service
focus. FAA will approve QICP status to both types of providers who meet
the communications capabilities in the interest of enabling providers
of weather and NOTAM service to use the public Internet.
Availability of the Advisory Circular
Aviation weather information is available on the public Internet
from a variety of government and vendor sources with minimal quality
control. Users of the National Airspace System, dispatchers, pilots and
air traffic controllers/specialists have expressed interest in the
ability to utilize the public Internet to retrieve aviation weather
text and graphic products for operational decision-making. The FAA
issued Advisory Circular 00-62 ``Internet Communications of Aviation
Weather and NOTAMS'' on November 1, 2002 and is available on the FAA
Web page at, http://www.faa.gov/ats/ars/qicp.
Issued in Washington, DC, on November 1, 2002.
James H. Washington,
Director, Air Traffic System Requirements Service.
[FR Doc. 02-28371 Filed 11-6-02; 8:45 am]
BILLING CODE 4910-13-P