CIPA

Applicants must certify compliance with the Children’s Internet Protection Act (CIPA) to be eligible for Schools and Libraries (E-Rate) program discounts on Category One internet access and all Category Two services – internal connections, managed internal broadband services, and basic maintenance of internal connections. The relevant authority with responsibility for administration of the eligible school or library (the Administrative Authority) must certify that the school or library is enforcing an internet safety policy that includes measures to block or filter internet access for both minors and adults to certain visual depictions.

In general, school and library authorities must certify that: (1) they have complied with the requirements of CIPA; (2) they are undertaking actions, including any necessary procurement procedures, to comply with the requirements of CIPA; or (3) CIPA does not apply because they are receiving discounts for telecommunications services only.

Requirements

CIPA requirements include the following three items:

1. Internet Safety Policy

Schools and libraries are required to adopt and enforce an internet safety policy that includes a technology protection measure that protects against access by adults and minors to visual depictions that are obscene, child pornography, or – with respect to use of computers with internet access by minors – harmful to minors. “Minor” is defined as any individual who is under the age of 17.

This internet safety policy must address all of the following:

  • Access by minors to inappropriate matter on the internet and World Wide Web;
  • The safety and security of minors when using electronic mail, chat rooms, and other forms of direct electronic communications;
  • Unauthorized access including “hacking” and other unlawful activities by minors online;
  • Unauthorized disclosure, use, and dissemination of personal information regarding minors; and
  • Measures designed to restrict minors’ access to materials harmful to minors.

For schools, the policy must also include monitoring the online activities of minors. As of July 1, 2012, as part of their CIPA certification, schools also certify that their internet safety policies have been updated to provide for educating minors about appropriate online behavior, including interacting with other individuals on social networking websites and in chat rooms, cyberbullying awareness, and response.

2. Technology Protection Measure

A technology protection measure is a specific technology that blocks or filters internet access.

The school or library must enforce the operation of the technology protection measure during the use of its computers with Internet access, although an administrator, supervisor, or other person authorized by the authority with responsibility for administration of the school or library may disable the technology protection measure during use by an adult to enable access for bona fide research or other lawful purpose. For example, a library that uses internet filtering software can set up a process for disabling that software upon request of an adult user through use of a sign-in page where an adult user can affirm that he or she intends to use the computer for bona fide research or other lawful purposes.

CIPA uses the federal criminal definitions for obscenity and child pornography. The term “harmful to minors” is defined as “any picture, image, graphic image file, or other visual depiction that – (i) taken as a whole and with respect to minors, appeals to a prurient interest in nudity, sex, or excretion; (ii) depicts, describes, or represents, in a patently offensive way with respect to what is suitable for minors, an actual or simulated sexual act or sexual contact, actual or simulated normal or perverted sexual acts, or a lewd exhibition of the genitals; and (iii) taken as a whole, lacks serious literary, artistic, political, or scientific value as to minors.”

Decisions about what matter is inappropriate for minors are made by the local community. E-Rate program rules specify that “[a] determination regarding matter inappropriate for minors shall be made by the school board, local educational agency, library, or other authority responsible for making the determination.”

3. Public Notice and Hearing or Meeting

The authority with responsibility for administration of the school or library must provide reasonable public notice and hold at least one public hearing or meeting to address a proposed technology protection measure and Internet safety policy. For private schools, public notice means notice to their appropriate constituent group.

Additional meetings are not necessary – even if the policy is amended – unless those meetings are required by state or local rules or the policy itself.

Administrative Authority

The Administrative Authority for a school or library is the entity that must make the relevant certification for the purposes of CIPA. For a school, the Administrative Authority may be the school, school board, school district, local educational agency, or other authority responsible for administration of a school. For a library, the Administrative Authority may be the library, library board, or other authority with responsibility for administration of the library.

If the Administrative Authority is also the Billed Entity, the Administrative Authority certifies on the FCC Form 486 (Receipt of Service Confirmation and Children’s Internet Protection Act Certification Form). If the Administrative Authority is not the Billed Entity, the Administrative Authority must complete FCC Form 479 (Certification of Administrative Authority to Billed Entity of Compliance with the Children’s Internet Protection Act), and submit the FCC Form 479 to the Billed Entity. The Billed Entity then certifies on the FCC Form 486 that it has collected duly completed FCC Forms 479. The Billed Entity does not need to collect FCC Forms 479 when the Billed Entity applies only for telecommunications services.

Determination of the First Funding Year

CIPA provides that, in the first funding year following the effective date of CIPA (April 20, 2001) in which you are “applying” for funds (see Applying for Funds below), you need not be fully compliant with CIPA’s requirements but can certify that you are undertaking actions to be in compliance for the next funding year. You may also make this certification in your Second Funding Year for the purposes of CIPA, if you seek a waiver due to state or local procurement rules or regulations or competitive bidding requirements. Applicants, therefore, need to determine their “first,” “second,” and “third” funding years after the effective date of CIPA (April 20, 2001) in which their school or library is “applying” for funds.

Applying for Funds

For the purposes of CIPA, a school or library that is a recipient of service is considered to have “applied” for funds in a funding year after USAC successfully processes an FCC Form 486 with at least one funding request for services that require CIPA compliance and that include that school or library.

The First Funding Year

The first funding year after Funding Year 2000 (the funding year beginning July 1, 2000) in which your school or library applies for funds (i.e., in which an FCC Form 486 is successfully processed) for Category One Internet access and/or any Category Two services is your First Funding Year for the purposes of CIPA. Once your First Funding Year is established, the next two funding years will be your second and third funding years for the purposes of CIPA. In the First Funding Year, the applicant must be in compliance with CIPA or undertaking actions to comply with CIPA in order to receive support for Category One internet access and all Category Two services.

Once the First Funding Year is established, the funding year immediately following becomes the Second Funding Year for the purposes of CIPA.

The Second Funding Year

If the school or library applies for funds for Category One internet access and/or any Category Two services in the Second Funding Year, its Administrative Authority must certify compliance with CIPA unless state or local procurement rules or regulations or competitive bidding requirements prevent the making of the certification. A school or library so prevented can request a waiver for the Second Funding Year on FCC Form 486 or FCC Form 479, as appropriate.

The Third Funding Year

The Third Funding Year for the purposes of CIPA is the funding year immediately following the Second Funding Year. If the school or library applies for funds for Category One internet access and/or any Category Two services in the Third Funding Year, it must be compliant with CIPA.

The school or library must be compliant with CIPA for any funding year thereafter.

Certification for Undertaking Actions

Below is the appropriate certification that the Administrative Authority must make for “undertaking actions”:

“Pursuant to the Children’s Internet Protection Act, as codified at 47 U.S.C. Section 254(h) and (l), the recipient(s) of service represented in the Funding Request Number(s) on this FCC Form 486, for whom this is the first funding year in the federal universal service support mechanism for schools and libraries, is (are) undertaking such actions, including any necessary procurement procedures, to comply with the requirements of CIPA for the next funding year, but has (have) not completed all requirements of CIPA for this funding year.”

Documentation for Undertaking Actions

For a school or library to be able to make the certification quoted above, it must be able to demonstrate that action was taken by the start of services. USAC will not request this documentation as part of the FCC Form 486 filing process, but the school or library must maintain this documentation in its files for audit purposes.

An undertaken action is an action that can be documented and demonstrates that the school or library is taking steps to become compliant with the CIPA requirements. If a school or library has already provided reasonable public notice and at least one public hearing or meeting relating to an internet safety policy and technology protection measure that meets all the requirements listed above, that school or library has complied with the public notice and hearing or meeting requirements of CIPA. If a school or library has not met those conditions, the statute requires that the school or library provide the required notice and hearing or meeting.

Below are examples of documentation that could demonstrate that a school or library is undertaking actions to comply with CIPA:

  • A published or circulated school or library board agenda with CIPA compliance cited as a topic
  • A circulated staff meeting agenda with CIPA compliance cited as a topic
  • A service provider quote requested and received by a recipient of service or Billed Entity which contains information on a technology protection measure
  • A draft Request for Proposal or other procurement procedure to solicit bids for the purchase or provision of a technology protection measure
  • An agenda or minutes from a meeting open to the public at which an internet safety policy was discussed
  • An agenda or minutes from a public or non-public meeting of a school or library board at which procurement issues relating to the acquisition of a technology protection measure were discussed
  • A memo to an administrative authority of a school or library from a staff member outlining the CIPA issues not addressed by an Acceptable Use Policy currently in place
  • A memorandum or report to an administrative authority of a school or library from a staff member describing research on available technology protection measures
  • A memorandum or report to an administrative authority of a school or library from a staff member that discusses and analyzes Internet safety policies in effect at other schools and libraries

This list is not meant to be exhaustive, but includes examples of how applicants can demonstrate they are undertaking actions to become compliant with the CIPA requirements.

Remember that such actions must occur before the start of services in order for discounts to be paid back to the service start date reported on the FCC Form 486. Although applicants are allowed to undertake the actions described above in order to make the required certification regarding CIPA compliance during the First Funding Year, applicants should be prepared to implement all necessary measures in order to be compliant with the CIPA requirements before services start for the Second Funding Year, unless a waiver has been granted.

Documenting CIPA Compliance

Below is a list of the documentation that will be requested to demonstrate CIPA compliance during an audit. A school or library should retain copies of the documentation for each funding year where a CIPA certification is required. Note that documents must be retained for at least 10 years after the latter of the last day of the applicable funding year or the service delivery deadline for the funding request.

  • A copy of the internet safety policy
  • Documentation that the school or library gave public notice and held a public hearing or meeting on the policy
    • For example, a school or library could demonstrate public notice with a copy of a website announcement for a regular school or library board meeting open to the public where the policy will be discussed, or an advertisement in a local newspaper of a county government hearing or meeting where the policy appears as an agenda item. The school or library could also demonstrate that the hearing or meeting occurred with a copy of the minutes of the hearing or meeting and the date it occurred.
    • Since 2011, entities have been required, at a minimum, to keep some record of when public notice was provided and when the hearing or meeting took place (e.g., a copy of the meeting agenda or a newspaper article announcing the hearing or meeting).
  • Documentation of the adoption of the policy – for example, approval in the minutes of the hearing or meeting, or documented adoption by a school or library board
  • A description of the filter
  • A report or other documentation on the use of the filter
    The documentation should show that the filter was installed and was working during the funding year.

    • For example, a school that purchased filtered internet access could archive a sampling of reports from the service provider of internet sites blocked, or bills from the service provider verifying that the filter was operational. If a school purchased its own filter, it could archive logs produced by its IT staff showing the hours the filter was engaged.
  • Copies of the FCC Form 479 and/or FCC Forms 486, as applicable

Correcting CIPA Issues

Applicants are given the opportunity to correct minor errors that could result in violations of the CIPA rules before USAC institutes recovery of E-Rate program funds. Correctable errors are those that are immaterial to CIPA compliance.

Examples:

  • If a school has complied in practice with its CIPA certification, but inadvertently left out one of the requirements in its written internet safety policy, the school could correct its internet safety policy as it was substantially compliant with the CIPA requirements.
  • If a school or library cannot locate a record of a public notice and hearing or meeting that was held after August 2004, the school or library can correct its failure to document its public hearing or meeting by providing a public notice and holding a hearing or meeting.

These are just two CIPA issues that have been addressed by the FCC, but there may be other CIPA-related issues that can be corrected.