The Children’s Internet Protection Act (CIPA) was signed into law on December 21, 2000. To receive support for Internet access and internal connections services from the Universal Service Fund (USF), school and library authorities must certify that they are enforcing a policy of Internet safety that includes measures to block or filter Internet access for both minors and adults to certain visual depictions. The relevant authority with responsibility for administration of the eligible school or library must certify the status of its compliance for the purpose of CIPA in order to receive USF support.

In general, school and library authorities must certify either that they have complied with the requirements of CIPA or that CIPA does not apply to them because they are receiving discounts for telecommunications services only.

CIPA Requirements:

Technology Protection Measure

A technology protection measure (e.g. Internet filtering software) is a specific technology that blocks or filters Internet access. It must protect against access by adults and minors to visual depictions that are obscene, child pornography, or — with respect to use of computers with Internet access by minors — harmful to minors. It may be disabled for adults engaged in bona fide research or other lawful purposes. For schools, the policy must also include monitoring the online activities of minors.

Internet Safety Policy

The Internet safety policy must address the following issues:

  • Access by minors to inappropriate matter on the Internet and World Wide Web
  • The safety and security of minors when using electronic mail, chat rooms, and other forms of direct electronic communications
  • Unauthorized access including “hacking” and other unlawful activities by minors online
  • Unauthorized disclosure, use, and dissemination of personal information regarding minors
  • Measures designed to restrict minors’ access to materials harmful to minors
  • FCC Order FCC-11-125A1 CIPA Order (8/11/11) provides details and effective date of July 1, 2012 for schools to update their Internet Acceptable Use Policy to state that they are “educating minors about appropriate online behavior, including interacting with other individuals on social networking websites and in chat rooms and cyberbullying awareness and response.”

Public Notice and Hearing

The authority with responsibility for administration of the school or library must provide reasonable public notice and hold at least one public hearing to address a proposed technology protection measure and Internet safety policy.

For further details on what to say at your board meeting, see: Board Meeting Discussion for CIPA

CIPA Documentation to keep for Audit

If your school or library is selected for audit, you must have documentation to support your CIPA compliance:

  • Technology Protection Measure: copy of invoice from Internet filtering software company that shows you purchased the filtering software. If you have an on-site audit, you may need to demonstrate how the filtering software blocks or filters Internet access and how it protects against access by adults and minors.
  • Internet Safety Policy: Copy of your board approved Internet acceptable use policy. Be sure to READ YOUR POLICY and make sure it addresses the required issues including October 2008 changes related to Protecting Children in the 21st Century Act. Many of the policies developed prior to CIPA (2001) do not meet the CIPA requirements. Most likely you need to update your policy and have it approved at your next regularly scheduled board or governing body meeting.
  • Public Notice and Hearing: Copy of board agenda and minutes when CIPA was discussed. The first notice and hearing was most likely held prior to July 1, 2002. Anytime you make a change to your technology protection measure or your internet acceptable use policy, you MUST notify your community of the change. The notice and hearing can be done at your regularly scheduled board meeting or governing body meeting. Be sure to keep copies of the board agenda and minutes.

CIPA Update May 11, 2021

On May 11, 2021, the FCC released the Emergency Connectivity Fund Order (ECF Order). Beginning on page 51, the ECF Order includes clarification on CIPA requirements regarding off-campus use of school or library owned devices as follows:

  • First, we conclude that CIPA applies to the use of any computers owned by a school or library, including those purchased with Emergency Connectivity Fund support if the school or library receives Emergency Connectivity Fund or E-Rate support for Internet access or Internet services, or E-Rate support for internal connections. This is true even if the student or library patron does not use Internet access services provided by the school or library.
  • Second, we conclude that CIPA does not apply to the use of computers owned by a school or library including those laptop computers or tablet computers purchased with support from the Emergency Connectivity Fund Program, if the purchasing entity does not also receive Emergency Connectivity Fund or E-Rate discounted Internet access or Internet services, or E-Rate discounted internal connections—or network equipment for Internet access, Internet service, or internal connections
  • Third and finally, we conclude that CIPA does not apply to the use of third-party owned devices, even if the school or library receives Emergency Connectivity Fund or E-Rate support for Internet access or Internet services, or E-Rate support for internal connections.

CIPA Updates August 11, 2011

On August 11, 2011 the FCC released an order updating the existing Commission rules regarding CIPA to include the statutory language from the Protecting Children in the 21st Century Act regarding the education of students about appropriate online behavior. Rules effective with E-Rate FY 2012-13 applications. FCC-11-125A1 CIPA Order 110811.pdf

Note: The statute does not extend the new requirement to “monitor the online activities of minors” to libraries.

Following summary of changes provided by E-Rate Central (

  1. The new Internet Safety Policy requirement becomes effective for FY 2012, the E-rate funding year beginning July 1, 2012.
  2. Applicants, who have existing and properly adopted Internet Safety Policies, will not be required to hold new public hearings to amend their policies. New applicants, adopting an Internet Safety Policy for the first time, remain bound by the public notice and forum requirements.
  3. The Order clarifies that the determination of what matter is considered inappropriate for minors is a local decision to be made by the school board, local educational agency, library, or other authority. Most specifically, the FCC found that social network Websites (e.g., Facebook and MySpace) do not fall into one of the categories that must be blocked.
  4. Applicants must retain Internet Safety Policy documentation — including both the Policy itself and the adoption records — for a period of five years after the end of the funding year that relied on that Policy. Although five years is the standard record retention rule, the FCC was careful to note that this may mean the retention of Policy documentation for far longer than five years. If, for example, a Policy adopted in 2005 was used as the basis for a Form 486 certification for 2011-2012, the documentation must be retained until at least June 30, 2017. Special dispensation on record retention is provided for applicants who had adopted their policies prior to August 2004, the date the FCC initially established the five-year retention rule.
  5. The FCC clarified “…that selecting a telecommunications carrier as a service provider does not absolve schools and libraries of their obligation to adhere to the Children’s Internet Protection Act (CIPA) requirements when they use USF funding to obtain discounted Internet access service.” Conversely, it would follow that an applicant receiving discounts on telecommunications services, but not on Internet service itself carried over the telecommunications facility, would not have to be CIPA compliant. This provision is particularly important for many libraries receiving telecom discounts, but forgoing Internet discounts, for policy reasons.
  6. The Order codifies much of the statutory language of the original Children’s Internet Protection Act including definitions of “minor,” “obscene,” “child pornography,” “harmful to minors,” “sexual act,” “sexual contact,” and “technology protection measure…” For CIPA purposes, a “minor” means “any individual who has not attained the age of 17 years.”
  7. The FCC concluded that the new rules will not require revisions to either the Form 486 or Form 479, but that changes have to be made to the instructions for those forms to list revised restrictions (and, presumably, the revised technology plan requirements adopted last year).
  8. Although CIPA requirements mandate filtering school or library computers used to access the Internet, the FCC acknowledged that there was confusion as to CIPA requirements pertaining to the on-site use of portable devices owned by students and library patrons. The FCC indicated that it intended to seek public comment on these issues in a separate proceeding.

FAQs on Educating Minors November 14, 2012

On November 14, 2012 the FCC provided guidance for schools regarding CIPA compliance, specifically with the new rules for educating minors about appropriate online behavior.

Questions answered are as follows:

Q1: What should schools include in their Internet safety policies, and what documents should schools retain to demonstrate compliance with the requirement to educate minors about appropriate online behavior?

A: It is sufficient for a school’s Internet safety policy to specify that the school educates its students about appropriate online behavior. A school is not required to provide details about the curriculum, trainings or other educational programs it has chosen in the Internet safety policy itself. Although the FCC does not require schools to specify curriculum in their Internet safety policies, they should keep
records of the implementation of their chosen method(s) for educating minors about appropriate online behavior. For example, a school could maintain an annual list of the curriculum, trainings, or other programs provided to its students.

Q2: Are schools receiving E-rate discounts for Internet access and/or internal connections required to provide education about appropriate online behavior to their students every year?

A: The Protecting Children in the 21st Century Act requires a school to certify, as part of its Internet safety policy, that it “is educating minors about appropriate online behavior.” Neither the statute nor the FCC’s rules, however, specify how often a school must provide education regarding appropriate online behavior. While we do not read the statute to require annual trainings, curriculum or online behavior education programs, the phrase “is educating” in the statute suggests some form of regular training. Therefore, schools should determine how frequently they will provide educational programs or curriculum by evaluating local or community needs, and should retain documents demonstrating the frequency with which they provide their students with such programs or access to such curriculum. For example, a school might decide to provide training about appropriate online behavior to its students when they first start using the Internet and then every other year that follows.

Q3: Do schools need to ensure the education of every student in order to be able to certify they are educating minors about appropriate online behavior?

A: Schools should provide education about appropriate online behavior to their students who are actually accessing the Internet using E-rate covered services. Schools are not required to provide education about appropriate online behavior to very young students who are not yet using the Internet in school. Once schools identify the students that should receive education about appropriate online behavior, we expect schools to take reasonable steps to educate these minors. To the extent that a school has a way to record the students that have received training, it may want to retain such records. For example, if a school trains its students using an online education course, it can keep records of which students have taken the online training. Or, if a school educates its students about appropriate online behavior at a school assembly, the school could retain a record of the students in attendance that day. We recognize there may
be situations, however, where it would be difficult to demonstrate that all of the students identified as needing the training have been trained, due to student absences or other variables. To the extent a school is aware that some students have missed the scheduled training, the school should take reasonable steps to provide a make-up training or otherwise provide the relevant material to those students.

For the full text, see: 2012_CIPA_DA-12-1836A1.pdf


Cybersmart Curriculum:

Common Sense Media:

Free Cyberbullying Toolkit for Educators from Common Sense Media

Common Sense Media also offers Media and Technology Resources for educators including Digital Literacy and Citizenship Curriculum.

On Guard Online:

FBI Safe Online Surfing:

Taking action to prevent crimes against children. Click here to take the Internet Challenge.

SLD Reference:

Protecting Children in the 21st Century (Broadband Data Improvement) Act(S. 1492) October 2008