AGENCY:

Federal Aviation Administration, DOT.

ACTION:

Notice of availability and disposition of comments.

SUMMARY:

This notice announces the availability of Advisory Circular No. 00-62, Internet Communications of Aviation Weather and NOTAMs, and disposes of comments received on an earlier proposed draft.

FOR FURTHER INFORMATION CONTACT:

Steven R. Albersheim, Aerospace Weather Policy Division, Federal Aviation Administration, 800 Independence Avenue, SW., Washington, DC 20591, (202) 385-7704, or steven.albersheim@faa.gov.

SUPPLEMENTARY INFORMATION:

Background

On January 14, 2002 the FAA issued a draft Advisory Circular (AC) on Internet Communications of Aviation Weather and NOTAMs. The FAA requested comment on all aspects of the proposed AC. This AC sets forth the process to become a Qualified Internet Communications Provider (QICP) and addresses issues that relate to accessing aviation weather and NOTAM information from approved QICPs.

Disposition of Comments

Comments were submitted from industry, special interest groups, and private individuals. The comments covered various issues, but were principally concerned with how a vendor would meet the provisions of reliability, accessibility, and security to be approved as a QICP by the FAA. The following addresses the issues raised by the commenters:

Several commenters questioned and/or did not support that the AC does not address the quality of a QICP's service or the quality of the QICP's data. As stated in the draft AC and reiterated here, the FAA does not intend to provide quality control of QICP data or approve the data accessed from a QICP. While the FAA requires air carriers certificated under 14 CFR parts 121 and 135 to use an FAA-approved source for weather information, the FAA does not approve the information supplied to these carriers, or to pilots conducting operations under part 91. This AC does not change the agency's current position on approving quality of data, or sources for other than part 121 and 135 carriers. A fundamental change such as approving data and/or sources for part 91 operations would require rulemaking with a public process for notice and comment. While these comments are noted, the purpose and goal of this AC are not to add these requirements. The FAA finds value in ensuring that the provider's facility, as an approved source for part 121 and 135 operators, is reliable, accessible and secure. This value may be realized by part 91 operators utilizing QICP vendors, if they so choose. To further clarify that an approved QICP does not include FAA approval of data source or quality, the FAA has added as part of the approval process, the provider's agreement to display a label on its internet site with the following recommended language. Failure to display this label may result in losing QICP status.

This Qualified Internet Communication Provider's (QICP) servers and communication interfaces are approved by the FAA as secure, reliable, and accessible in accordance with AC 00-62.

(1) This QICP does not ensure the quality and currency of the information transmitted to you.

(2) You assume the entire risk related to the information and its use.

Several commenters questioned the nature of the Quality of Service (QOS) agreements. Each approved QICP's maintenance plan has a QOS agreement with each user that addresses how the provider will meet measures of accessibility, reliability, and security. The QOS agreement should at most, only reference the standards and provide for complaint procedures if they are not maintained, allowing the parties to freely negotiate appropriate remedies and limitations of liability in the event the standards cannot be met for some period of time.

Comments were received on the use of standard security technology to ensure site authentication/data integrity. Specifically, a commenter disagreed with the use of Secure Sockets Layer (SSL) because SLL is not a formal standard and there are known bugs in early versions of SSL that allow an attacker to defeat any authentication and integrity assurances that it might provide, with a similar effort to altering data from an unsecured HTTP session.

The FAA agrees with this comment and has changed the AC to reflect that approved QICP's should maintain a security system that is applicable to current state-of-the-art technology. This also allows the applicant greater flexibility in implementing a system that complies with the AC while serving its customers and minimizing costs. In addition, it is noted that this change assists in preventing unauthorized access to or modification of provider data, software and hardware.

One commenter states that this AC inadequately describes the disaster recovery and contingency measures. The FAA does not believe it is necessary to provide specific details on every possible incident that could occur and believes that the AC provides guidance Start Printed Page 67890to applicants in devising individual security plans. The applicants need to demonstrate in their application that their security plans will maintain the integrity of the data. It is up to each applicant to show how they will maintain their operation 24 hours per day, seven days a week during any event that could disrupt service.

One commenter states that the FAA's response to an Application or a Letter of Denial following a Capability Demonstration should clearly define the standards/requirements to be met to allow the applicant to have its Application accepted and move on to the Capability Demonstration, or to have its Capability Demonstration completed successfully and qualify as a QICP.

In the event that a vendor's application is unsuccessful initially, the FAA will recommend revisions and inform the applicant of any needed changes. Similarly, a Letter of Denial will indicate the reasons for the denial so that the vendor could make appropriate changes to successfully complete its Capability Demonstration.

A commenter suggested that the approval period last for one or two years with a mandatory performance review of any extension and conduct interim review upon request.

The FAA finds that a six-month review is appropriate. QICPs are to provide facility performance statistics semiannually or upon request. This review assists in ensuring that QICPs are meeting the criteria of this AC.

One commenter argued that the required time for a QICP to respond to a user's Quality of Service complaints should be reduced from 14 calendar days to one business day following receipt.

The FAA maintains the 14-calendar day response period because while some complaints may be resolved in a very short time frame, other complaints may be more difficult to address. Each QICP has the option of implementing a more stringent response period in its QOS agreement. However, the agency finds that at a minimum, some latitude is necessary and that 14 calendar days provides that latitude.

One comment questioned the necessity for QICPs to authenticate users and limit access to authorized users, in order to provide users with information that is publicly available to anyone via other sources. This commenter contends that user authentication can increase the costs of providing such services.

User authentication is only a recommended practice. The significant aspect is that digital authentication is used so that the user knows that he/she has signed on to an approved QICP site. The FAA does not discourage those vendors who choose to provide a value-added service with password restriction to their customers. In accordance with this AC, QICPs are to meet the minimum-security protocol, which is to verify the authenticity of the source of information.

Comments were received on the need to further address the provisions of reliability and accessibility, in that the measures are too stringent. FAA disagrees with this position. In order to meet the purpose of this AC, a QICP's server and communication interface should have very little down time. In developing this measure of service, the FAA consulted with industry and the National Weather Service and believes this is achievable and easily maintained and consistent with current industry practices. FAA did not receive any comments on the burden of meeting the criteria in the AC in response to the solicitation for comments addressing reports requirements under the Paper Work Reduction Act of 1995.

A commenter recommends that the FAA consider the feasibility of requiring a certificate of authority for providers of aviation information, or that other means be identified to provide authentication and integrity protection.

It is recognized that no form of Internet security is totally risk free. The agency's intent with this AC is to reduce the risk to an acceptable level. The use of server digital certificates is consistent with current business practices, which the FAA finds to be an acceptable level. However, a QICP and user have the option of agreeing upon the use of a specific server certificate of their choice if they believe greater security linkage is warranted.

On September 17, 2002 the FAA published a proposed Revision to Operations Specifications (OpSpecs) A010, Aeronautical Weather Data in the Federal Register, which proposed a new requirement for 14 CFR part 121 and part 135 certificate holders that obtain approved weather data via the public Internet for use in flight operations. Under this proposal, these carriers must use a QICP for Internet communications of aviation weather and NOTAMs. OpSpec A010, would be amended to read as follows:

“For Internet communications of aviation weather and NOTAMS used in flight operations, all part 121 and 135 operators are required to use an approved Qualified Internet Communications Provider (QICP):

(1) The QICPs used by the operator must be listed in OpSpec A010.

(2) The QICP used must be obtained from the approved list provided by the FAA.

(3) For more detailed information with regard to QICPs, refer to the appropriate AC pertaining to Internet Communications of Aviation Weather and NOTAMs and Volume 3, Chapter 7, Section 5, of this Order.”

In response to this Notice, the Air Transport Association commented that it supports the proposal and one air carrier requested clarification as to when a Part 121 operator could use an Internet provider for aviation weather services.

The Internet AC addresses measures to be taken by a QICP to assure the security, availability, and accessibility of Internet communications link for providing weather and NOTAM information. Some of the service providers that become QICP will likely provide a very comprehensive service while others will provide a narrower service focus. FAA will approve QICP status to both types of providers who meet the communications capabilities in the interest of enabling providers of weather and NOTAM service to use the public Internet.

Availability of the Advisory Circular

Aviation weather information is available on the public Internet from a variety of government and vendor sources with minimal quality control. Users of the National Airspace System, dispatchers, pilots and air traffic controllers/specialists have expressed interest in the ability to utilize the public Internet to retrieve aviation weather text and graphic products for operational decision-making. The FAA issued Advisory Circular 00-62 “Internet Communications of Aviation Weather and NOTAMS” on November 1, 2002 and is available on the FAA Web page at, http://www.faa.gov/​ats/​ars/​qicp.