CIPA Compliance Guidelines

cipa_policy_example.docx |
Applicants must certify compliance with the Children’s Internet Protection Act (CIPA) to be eligible for Schools and Libraries (E-Rate) program discounts on Category One internet access and all Category Two services – internal connections, managed internal broadband services, and basic maintenance of internal connections. The relevant authority with responsibility for administration of the eligible school or library (the Administrative Authority) must certify that the school or library is enforcing an internet safety policy that includes measures to block or filter internet access for both minors and adults to certain visual depictions.
In general, school and library authorities must certify that: (1) they have complied with the requirements of CIPA; (2) they are undertaking actions, including any necessary procurement procedures, to comply with the requirements of CIPA; or (3) CIPA does not apply because they are receiving discounts for telecommunications services only.
CIPA compliance is required for all school owned / issued devices wherever they may be used.
Requirements:
Internet Safety Policy
Schools and libraries are required to adopt and enforce an internet safety policy that includes a technology protection measure that protects against access by adults and minors to visual depictions that are obscene, child pornography, or – with respect to use of computers with internet access by minors – harmful to minors. “Minor” is defined as any individual who is under the age of 17.
This internet safety policy must address all of the following:
For schools, the policy must also include monitoring the online activities of minors. As of July 1, 2012, as part of their CIPA certification, schools also certify that their internet safety policies have been updated to provide for educating minors about appropriate online behavior, including interacting with other individuals on social networking websites and in chat rooms, cyberbullying awareness, and response.
Technology Protection Measure
A technology protection measure is a specific technology that blocks or filters internet access.
The school or library must enforce the operation of the technology protection measure during the use of its computers with Internet access, although an administrator, supervisor, or other person authorized by the authority with responsibility for administration of the school or library may disable the technology protection measure during use by an adult to enable access for bona fide research or other lawful purpose. For example, a library that uses internet filtering software can set up a process for disabling that software upon request of an adult user through use of a sign-in page where an adult user can affirm that he or she intends to use the computer for bona fide research or other lawful purposes.
CIPA uses the federal criminal definitions for obscenity and child pornography. The term “harmful to minors” is defined as “any picture, image, graphic image file, or other visual depiction that – (i) taken as a whole and with respect to minors, appeals to a prurient interest in nudity, sex, or excretion; (ii) depicts, describes, or represents, in a patently offensive way with respect to what is suitable for minors, an actual or simulated sexual act or sexual contact, actual or simulated normal or perverted sexual acts, or a lewd exhibition of the genitals; and (iii) taken as a whole, lacks serious literary, artistic, political, or scientific value as to minors.”
Decisions about what matter is inappropriate for minors are made by the local community. E-Rate program rules specify that “[a] determination regarding matter inappropriate for minors shall be made by the school board, local educational agency, library, or other authority responsible for making the determination.”
Public Notice and Hearing or Meeting
The authority with responsibility for administration of the school or library must provide reasonable public notice and hold at least one public hearing or meeting to address a proposed technology protection measure and Internet safety policy. For private schools, public notice means notice to their appropriate constituent group.
Additional meetings are not necessary – even if the policy is amended – unless those meetings are required by state or local rules or the policy itself.
Documentation for Undertaking Actions:
An undertaken action is an action that can be documented and demonstrates that the school or library is taking steps to become compliant with the CIPA requirements. If a school or library has already provided reasonable public notice and at least one public hearing or meeting relating to an internet safety policy and technology protection measure that meets all the requirements listed above, that school or library has complied with the public notice and hearing or meeting requirements of CIPA. If a school or library has not met those conditions, the statute requires that the school or library provide the required notice and hearing or meeting.
Below are examples of documentation that could demonstrate that a school or library is undertaking actions to comply with CIPA:
Documenting CIPA Compliance:
Below is a list of the documentation that will be requested to demonstrate CIPA compliance during an audit. A school or library should retain copies of the documentation for each funding year where a CIPA certification is required. Note that documents must be retained for at least 10 years after the latter of the last day of the applicable funding year or the service delivery deadline for the funding request.
The documentation should show that the filter was installed and was working during the funding year.
oFor example, a school that purchased filtered internet access could archive a sampling of reports from the service provider of internet sites blocked, or bills from the service provider verifying that the filter was operational. If a school purchased its own filter, it could archive logs produced by its IT staff showing the hours the filter was engaged.
Example Policy
In general, school and library authorities must certify that: (1) they have complied with the requirements of CIPA; (2) they are undertaking actions, including any necessary procurement procedures, to comply with the requirements of CIPA; or (3) CIPA does not apply because they are receiving discounts for telecommunications services only.
CIPA compliance is required for all school owned / issued devices wherever they may be used.
Requirements:
Internet Safety Policy
Schools and libraries are required to adopt and enforce an internet safety policy that includes a technology protection measure that protects against access by adults and minors to visual depictions that are obscene, child pornography, or – with respect to use of computers with internet access by minors – harmful to minors. “Minor” is defined as any individual who is under the age of 17.
This internet safety policy must address all of the following:
- Access by minors to inappropriate matter on the internet and World Wide Web;
- The safety and security of minors when using electronic mail, chat rooms, and other forms of direct electronic communications;
- Unauthorized access including “hacking” and other unlawful activities by minors online;
- Unauthorized disclosure, use, and dissemination of personal information regarding minors; and
- Measures designed to restrict minors’ access to materials harmful to minors.
For schools, the policy must also include monitoring the online activities of minors. As of July 1, 2012, as part of their CIPA certification, schools also certify that their internet safety policies have been updated to provide for educating minors about appropriate online behavior, including interacting with other individuals on social networking websites and in chat rooms, cyberbullying awareness, and response.
Technology Protection Measure
A technology protection measure is a specific technology that blocks or filters internet access.
The school or library must enforce the operation of the technology protection measure during the use of its computers with Internet access, although an administrator, supervisor, or other person authorized by the authority with responsibility for administration of the school or library may disable the technology protection measure during use by an adult to enable access for bona fide research or other lawful purpose. For example, a library that uses internet filtering software can set up a process for disabling that software upon request of an adult user through use of a sign-in page where an adult user can affirm that he or she intends to use the computer for bona fide research or other lawful purposes.
CIPA uses the federal criminal definitions for obscenity and child pornography. The term “harmful to minors” is defined as “any picture, image, graphic image file, or other visual depiction that – (i) taken as a whole and with respect to minors, appeals to a prurient interest in nudity, sex, or excretion; (ii) depicts, describes, or represents, in a patently offensive way with respect to what is suitable for minors, an actual or simulated sexual act or sexual contact, actual or simulated normal or perverted sexual acts, or a lewd exhibition of the genitals; and (iii) taken as a whole, lacks serious literary, artistic, political, or scientific value as to minors.”
Decisions about what matter is inappropriate for minors are made by the local community. E-Rate program rules specify that “[a] determination regarding matter inappropriate for minors shall be made by the school board, local educational agency, library, or other authority responsible for making the determination.”
Public Notice and Hearing or Meeting
The authority with responsibility for administration of the school or library must provide reasonable public notice and hold at least one public hearing or meeting to address a proposed technology protection measure and Internet safety policy. For private schools, public notice means notice to their appropriate constituent group.
Additional meetings are not necessary – even if the policy is amended – unless those meetings are required by state or local rules or the policy itself.
Documentation for Undertaking Actions:
An undertaken action is an action that can be documented and demonstrates that the school or library is taking steps to become compliant with the CIPA requirements. If a school or library has already provided reasonable public notice and at least one public hearing or meeting relating to an internet safety policy and technology protection measure that meets all the requirements listed above, that school or library has complied with the public notice and hearing or meeting requirements of CIPA. If a school or library has not met those conditions, the statute requires that the school or library provide the required notice and hearing or meeting.
Below are examples of documentation that could demonstrate that a school or library is undertaking actions to comply with CIPA:
- A published or circulated school or library board agenda with CIPA compliance cited as a topic
- A circulated staff meeting agenda with CIPA compliance cited as a topic
- A service provider quote requested and received by a recipient of service or Billed Entity which contains information on a technology protection measure
- A draft Request for Proposal or other procurement procedure to solicit bids for the purchase or provision of a technology protection measure
- An agenda or minutes from a meeting open to the public at which an internet safety policy was discussed
- An agenda or minutes from a public or non-public meeting of a school or library board at which procurement issues relating to the acquisition of a technology protection measure were discussed
- A memo to an administrative authority of a school or library from a staff member outlining the CIPA issues not addressed by an Acceptable Use Policy currently in place
- A memorandum or report to an administrative authority of a school or library from a staff member describing research on available technology protection measures
- A memorandum or report to an administrative authority of a school or library from a staff member that discusses and analyzes Internet safety policies in effect at other schools and libraries
Documenting CIPA Compliance:
Below is a list of the documentation that will be requested to demonstrate CIPA compliance during an audit. A school or library should retain copies of the documentation for each funding year where a CIPA certification is required. Note that documents must be retained for at least 10 years after the latter of the last day of the applicable funding year or the service delivery deadline for the funding request.
- A copy of the internet safety policy
- Documentation that the school or library gave public notice and held a public hearing or meeting on the policy
- Since 2011, entities have been required, at a minimum, to keep some record of when public notice was provided and when the hearing or meeting took place (e.g., a copy of the meeting agenda or a newspaper article announcing the hearing or meeting).
- Documentation of the adoption of the policy – for example, approval in the minutes of the hearing or meeting, or documented adoption by a school or library board
- A description of the filter
- A report or other documentation on the use of the filter
The documentation should show that the filter was installed and was working during the funding year.
oFor example, a school that purchased filtered internet access could archive a sampling of reports from the service provider of internet sites blocked, or bills from the service provider verifying that the filter was operational. If a school purchased its own filter, it could archive logs produced by its IT staff showing the hours the filter was engaged.
Example Policy