[Federal Register Volume 67, Number 216 (Thursday, November 7, 2002)]
[Notices]
[Pages 67889-67890]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 02-28371]


-----------------------------------------------------------------------

DEPARTMENT OF TRANSPORTATION

Federal Aviation Administration


Advisory Circular No. 00-62, Internet Communications of Aviation 
Weather and NOTAMs

AGENCY: Federal Aviation Administration, DOT.

ACTION: Notice of availability and disposition of comments.

-----------------------------------------------------------------------

SUMMARY: This notice announces the availability of Advisory Circular 
No. 00-62, Internet Communications of Aviation Weather and NOTAMs, and 
disposes of comments received on an earlier proposed draft.

FOR FURTHER INFORMATION CONTACT: Steven R. Albersheim, Aerospace 
Weather Policy Division, Federal Aviation Administration, 800 
Independence Avenue, SW., Washington, DC 20591, (202) 385-7704, or 
[email protected].

SUPPLEMENTARY INFORMATION:

Background

    On January 14, 2002 the FAA issued a draft Advisory Circular (AC) 
on Internet Communications of Aviation Weather and NOTAMs. The FAA 
requested comment on all aspects of the proposed AC. This AC sets forth 
the process to become a Qualified Internet Communications Provider 
(QICP) and addresses issues that relate to accessing aviation weather 
and NOTAM information from approved QICPs.

Disposition of Comments

    Comments were submitted from industry, special interest groups, and 
private individuals. The comments covered various issues, but were 
principally concerned with how a vendor would meet the provisions of 
reliability, accessibility, and security to be approved as a QICP by 
the FAA. The following addresses the issues raised by the commenters:
    Several commenters questioned and/or did not support that the AC 
does not address the quality of a QICP's service or the quality of the 
QICP's data. As stated in the draft AC and reiterated here, the FAA 
does not intend to provide quality control of QICP data or approve the 
data accessed from a QICP. While the FAA requires air carriers 
certificated under 14 CFR parts 121 and 135 to use an FAA-approved 
source for weather information, the FAA does not approve the 
information supplied to these carriers, or to pilots conducting 
operations under part 91. This AC does not change the agency's current 
position on approving quality of data, or sources for other than part 
121 and 135 carriers. A fundamental change such as approving data and/
or sources for part 91 operations would require rulemaking with a 
public process for notice and comment. While these comments are noted, 
the purpose and goal of this AC are not to add these requirements. The 
FAA finds value in ensuring that the provider's facility, as an 
approved source for part 121 and 135 operators, is reliable, accessible 
and secure. This value may be realized by part 91 operators utilizing 
QICP vendors, if they so choose. To further clarify that an approved 
QICP does not include FAA approval of data source or quality, the FAA 
has added as part of the approval process, the provider's agreement to 
display a label on its internet site with the following recommended 
language. Failure to display this label may result in losing QICP 
status.
    This Qualified Internet Communication Provider's (QICP) servers and 
communication interfaces are approved by the FAA as secure, reliable, 
and accessible in accordance with AC 00-62.
    (1) This QICP does not ensure the quality and currency of the 
information transmitted to you.
    (2) You assume the entire risk related to the information and its 
use.
    Several commenters questioned the nature of the Quality of Service 
(QOS) agreements. Each approved QICP's maintenance plan has a QOS 
agreement with each user that addresses how the provider will meet 
measures of accessibility, reliability, and security. The QOS agreement 
should at most, only reference the standards and provide for complaint 
procedures if they are not maintained, allowing the parties to freely 
negotiate appropriate remedies and limitations of liability in the 
event the standards cannot be met for some period of time.
    Comments were received on the use of standard security technology 
to ensure site authentication/data integrity. Specifically, a commenter 
disagreed with the use of Secure Sockets Layer (SSL) because SLL is not 
a formal standard and there are known bugs in early versions of SSL 
that allow an attacker to defeat any authentication and integrity 
assurances that it might provide, with a similar effort to altering 
data from an unsecured HTTP session.
    The FAA agrees with this comment and has changed the AC to reflect 
that approved QICP's should maintain a security system that is 
applicable to current state-of-the-art technology. This also allows the 
applicant greater flexibility in implementing a system that complies 
with the AC while serving its customers and minimizing costs. In 
addition, it is noted that this change assists in preventing 
unauthorized access to or modification of provider data, software and 
hardware.
    One commenter states that this AC inadequately describes the 
disaster recovery and contingency measures. The FAA does not believe it 
is necessary to provide specific details on every possible incident 
that could occur and believes that the AC provides guidance

[[Page 67890]]

to applicants in devising individual security plans. The applicants 
need to demonstrate in their application that their security plans will 
maintain the integrity of the data. It is up to each applicant to show 
how they will maintain their operation 24 hours per day, seven days a 
week during any event that could disrupt service.
    One commenter states that the FAA's response to an Application or a 
Letter of Denial following a Capability Demonstration should clearly 
define the standards/requirements to be met to allow the applicant to 
have its Application accepted and move on to the Capability 
Demonstration, or to have its Capability Demonstration completed 
successfully and qualify as a QICP.
    In the event that a vendor's application is unsuccessful initially, 
the FAA will recommend revisions and inform the applicant of any needed 
changes. Similarly, a Letter of Denial will indicate the reasons for 
the denial so that the vendor could make appropriate changes to 
successfully complete its Capability Demonstration.
    A commenter suggested that the approval period last for one or two 
years with a mandatory performance review of any extension and conduct 
interim review upon request.
    The FAA finds that a six-month review is appropriate. QICPs are to 
provide facility performance statistics semiannually or upon request. 
This review assists in ensuring that QICPs are meeting the criteria of 
this AC.
    One commenter argued that the required time for a QICP to respond 
to a user's Quality of Service complaints should be reduced from 14 
calendar days to one business day following receipt.
    The FAA maintains the 14-calendar day response period because while 
some complaints may be resolved in a very short time frame, other 
complaints may be more difficult to address. Each QICP has the option 
of implementing a more stringent response period in its QOS agreement. 
However, the agency finds that at a minimum, some latitude is necessary 
and that 14 calendar days provides that latitude.
    One comment questioned the necessity for QICPs to authenticate 
users and limit access to authorized users, in order to provide users 
with information that is publicly available to anyone via other 
sources. This commenter contends that user authentication can increase 
the costs of providing such services.
    User authentication is only a recommended practice. The significant 
aspect is that digital authentication is used so that the user knows 
that he/she has signed on to an approved QICP site. The FAA does not 
discourage those vendors who choose to provide a value-added service 
with password restriction to their customers. In accordance with this 
AC, QICPs are to meet the minimum-security protocol, which is to verify 
the authenticity of the source of information.
    Comments were received on the need to further address the 
provisions of reliability and accessibility, in that the measures are 
too stringent. FAA disagrees with this position. In order to meet the 
purpose of this AC, a QICP's server and communication interface should 
have very little down time. In developing this measure of service, the 
FAA consulted with industry and the National Weather Service and 
believes this is achievable and easily maintained and consistent with 
current industry practices. FAA did not receive any comments on the 
burden of meeting the criteria in the AC in response to the 
solicitation for comments addressing reports requirements under the 
Paper Work Reduction Act of 1995.
    A commenter recommends that the FAA consider the feasibility of 
requiring a certificate of authority for providers of aviation 
information, or that other means be identified to provide 
authentication and integrity protection.
    It is recognized that no form of Internet security is totally risk 
free. The agency's intent with this AC is to reduce the risk to an 
acceptable level. The use of server digital certificates is consistent 
with current business practices, which the FAA finds to be an 
acceptable level. However, a QICP and user have the option of agreeing 
upon the use of a specific server certificate of their choice if they 
believe greater security linkage is warranted.
    On September 17, 2002 the FAA published a proposed Revision to 
Operations Specifications (OpSpecs) A010, Aeronautical Weather Data in 
the Federal Register, which proposed a new requirement for 14 CFR part 
121 and part 135 certificate holders that obtain approved weather data 
via the public Internet for use in flight operations. Under this 
proposal, these carriers must use a QICP for Internet communications of 
aviation weather and NOTAMs. OpSpec A010, would be amended to read as 
follows:
    ``For Internet communications of aviation weather and NOTAMS used 
in flight operations, all part 121 and 135 operators are required to 
use an approved Qualified Internet Communications Provider (QICP):
    (1) The QICPs used by the operator must be listed in OpSpec A010.
    (2) The QICP used must be obtained from the approved list provided 
by the FAA.
    (3) For more detailed information with regard to QICPs, refer to 
the appropriate AC pertaining to Internet Communications of Aviation 
Weather and NOTAMs and Volume 3, Chapter 7, Section 5, of this Order.''
    In response to this Notice, the Air Transport Association commented 
that it supports the proposal and one air carrier requested 
clarification as to when a Part 121 operator could use an Internet 
provider for aviation weather services.
    The Internet AC addresses measures to be taken by a QICP to assure 
the security, availability, and accessibility of Internet 
communications link for providing weather and NOTAM information. Some 
of the service providers that become QICP will likely provide a very 
comprehensive service while others will provide a narrower service 
focus. FAA will approve QICP status to both types of providers who meet 
the communications capabilities in the interest of enabling providers 
of weather and NOTAM service to use the public Internet.

Availability of the Advisory Circular

    Aviation weather information is available on the public Internet 
from a variety of government and vendor sources with minimal quality 
control. Users of the National Airspace System, dispatchers, pilots and 
air traffic controllers/specialists have expressed interest in the 
ability to utilize the public Internet to retrieve aviation weather 
text and graphic products for operational decision-making. The FAA 
issued Advisory Circular 00-62 ``Internet Communications of Aviation 
Weather and NOTAMS'' on November 1, 2002 and is available on the FAA 
Web page at, http://www.faa.gov/ats/ars/qicp.

    Issued in Washington, DC, on November 1, 2002.
James H. Washington,
Director, Air Traffic System Requirements Service.
[FR Doc. 02-28371 Filed 11-6-02; 8:45 am]
BILLING CODE 4910-13-P