Safeguarding the Wired Schoolhouse

National Association of Secondary School Principals Logo

This project is made possible by an education grant from:
Verizon

Content provided by:


Brought to you by CoSN


Frequently Asked Questions on the Children's Internet Protection Act (CIPA)

NASSP Links

Internet Safety & CIPA

FAQ on CIPA

Compliance with CIPA

General

Q: What is CIPA and what does it require?
Q: Do I need to comply with CIPA in order to receive E-Rate funds?
Q: Will my E-Rate discounts apply to filtering software, hardware, and maintenance?
Q: Can I get an E-Rate discount if my ISP provides filtered access?

Timeline Requirements

Q: When do CIPA E-Rate requirements begin?
Q: What do I need to do to comply with CIPA and get Program Year 4 funds?
Q: When do I need to certify my compliance with CIPA?
Q: Do I have until October to certify if I start receiving funds in July?
Q: Will the CIPA requirements remain the same for Program Year 5?

Certification Requirements

Q: How do I certify compliance with CIPA?
Q: Does a school or library have to certify that the filtering or blocking technology is meeting the specific CIPA requirements?
Q: I am part of a consortium. What does a consortium need to do in order to comply with CIPA?
Q: In a state network or consortia setting, who is responsible for making sure that the schools and libraries are filtering or blocking covered material?

Technology Requirements

Q: CIPA requires the use of "technology protection measures" - isn't that more broad than filtering or blocking software?
Q: What filtering or blocking technology meets the CIPA requirements?
Q: Must schools and libraries install filtering or blocking technology on computers that are not used by children or other members of the public?
Q: What happens if, despite the filters, students are able to access materials restricted under CIPA?
Q: Do we have to keep records to show how well the technology is working?
Q: Is my school liable if our filters don't block access to materials others find objectionable?
Q: Under what circumstances can filters be disabled?

Monitoring Requirements

Q: What constitutes "monitoring" student Internet use in school?

"Internet Safety Policy" Requirements

Q: What is the difference between an Acceptable Use Policy and an Internet Safety Policy?
Q: What does a school "Internet Safety Policy" need to contain?
Q: Does the Internet Safety Policy have to address all these topics in a particular manner?
Q: I am not sure what some of the Internet Safety Policy requirements mean. Did the FCC provide definitions?

Public Meeting Requirements

Q: What kind of public meeting or hearing do I need to have to comply with CIPA?
Q: Do private schools need to have public meetings or hearings?

Additional Questions

Q: Is CIPA the same as the CHIP Act, CHIPA, and N-CIPA?
Q: What's the difference between CIPA, COPPA, COPA, and the CDA?

General

Q: What is CIPA and what does it require?
A: The Children's Internet Protection Act, commonly known as CIPA or the CHIP Act, mandates that schools and libraries receiving E-Rate discounts for "Internet access, Internet services, or internal connections," or education technology grants like STAR Schools or Technology Innovation Challenge Grants under the Department of Education or Library Services and Technology Act funds, put into place Internet safety policies that include installation and use of Internet filtering software or services preventing access to "visual depictions" of material that is obscene, child pornography, and, when minors are using the computer, material that is harmful to minors. Schools must also monitor student Internet use, and E-Rate recipients must implement detailed Internet Safety Policies.

Q: Do I need to comply with CIPA in order to receive E-Rate funds?
A: All entities receiving discounts on Internet access and internal connections will need to comply with CIPA. Entities receiving E-Rate funding only for services classified as "telecommunications" services do not need to comply with CIPA.

Q: Will my E-Rate discounts apply to filtering software, hardware, and maintenance?
A: No. E-Rate discounts cannot be used for any services or hardware other than internal connections, telecommunications, and Internet access. Filtering technologies and services not eligible.

Q: Can I get an E-Rate discount if my ISP provides filtered access?
A: You can only get E-Rate discounts for Internet access; filtering would be considered an Internet service, which is not eligible. However, if filtering is bundled with your Internet access, you may be able to get a partial discount, covering only the Internet access portion of the service. For more details, see the Schools and Libraries Division's FAQ on cost allocation: www.sl.universalservice.org/reference/costallocationguide.asp

Timeline Requirements

Q: When do CIPA E-Rate requirements begin?
A: CIPA E-Rate requirements begin with Program Year 4, which begins July 1, 2001. If you receive E-Rate funding with a later Year 4 Service Start Date, CIPA's requirements begin with your Service Start Date.

Q: What do I need to do to comply with CIPA and get Program Year 4 funds?
A: You must at least have "undertaken action" towards compliance with CIPA - meaning that you must begin taking serious steps towards compliance either by October 28, 2001, or if you have not yet received your Funding Commitment Decision Letter, within 120 days of receiving it. You will need to certify the status of your CIPA compliance to USAC on Form 486. If you are a member of a consortia, you will need to file a statement about that status to the billed entity in the consortia on a new form 479. During Program Year 4, that certification or statement may be one of three things: 1) That your school is compliant with the requirements of CIPA; 2) That your school is taking steps towards compliance with CIPA and expects to be compliant by Funding Year 5; or 3) That your school receives only telecommunications services through the E-Rate program and is thus not subject to the requirements of CIPA.

Q: When do I need to certify my compliance with CIPA?
A: Under the current rules, you must certify your CIPA compliance by October 28, 2001. However, that's a Sunday and the FCC has indicated that certifications postmarked Monday will be treated as having missed the deadline, so the effective deadline is Saturday, October 27. Remember also that E-Rate funding will not begin to flow until you have certified compliance with CIPA.

Q: Do I have until October to certify if I start receiving funds in July?
A: Yes, but there's a catch. The funds will not begin to flow until after the certification is completed. Funding will be retroactive to the time when you began receiving the service if you were taking steps towards becoming CIPA compliant during any time for which you are requesting funds.

Q: Will the CIPA requirements remain the same for Program Year 5?
A: The substantive requirements will most likely remain the same. The procedures are likely to change. Schools that applied for and received funding for Program Year 4 will not have until October to certify compliance during Program Year 5. The FCC has indicated that for Program Year 5 and beyond, it will continue using Form 486 for certification of CIPA compliance. That form is technically due within ten days of the start of the E-Rate funded service, although the deadline has not been strictly enforced.

Certification Requirements

Q: How do I certify compliance with CIPA?
A: A new certification will be included on the Form 486. This certification will allow applicants to state that they are either in compliance with the requirements of CIPA or are working to become compliant. Some waivers will be available for schools limited by local procurement laws. By Funding Year 6 (approximately 2 years from now), all applicants receiving internal connections and/or Internet access discounts will need to comply with CIPA.

Q: Does a school or library have to certify that the filtering or blocking technology is meeting the specific CIPA requirements?
A: No. Schools and libraries must certify that they are in compliance or working on becoming compliant with CIPA, but they don't have to certify as to the precision of the software they have selected. However, if a school or library knowingly fails to comply with CIPA, it loses eligibility and risks having to repay E-Rate funds that have already been paid.

Q: I am part of a consortium. What does a consortium need to do in order to comply with CIPA?
A: The compliance process for consortia is somewhat more complicated that the compliance process for other applicants. Within a consortium, all entities receiving internal connections or Internet access must fill out the new Form 479. The lead member of the consortium is responsible for collecting these and certifying on behalf of all the members of the consortium.

Q: In a state network or consortia setting, who is responsible for making sure that the schools and libraries are filtering or blocking covered material?
A: The answer to this question is not clear. The FCC and USAC have made it very clear that they consider the question of "what technology protection measure" is selected to be a local decision. Ultimately, if a school or school district certifies that it is compliant with CIPA or that it is undertaking actions to become compliant and will be compliant by E-Rate Year 5, the "administrative authority" making that certification has made a legal claim about that compliance status - and they should be prepared to back up that statement.

Technology Requirements

Q: CIPA requires the use of "technology protection measures" - isn't that more broad than filtering or blocking software?
A: No. Under CIPA, a "technology protection measure" is defined as " a specific technology that blocks or filters Internet access to visual depictions that are:

  1. obscene, as that term is defined in section 1460 of title 18, United States Code;
  2. child pornography, as that term is defined in 2256 of title 18, United States Code; or
  3. harmful to minors."

This could include filtered Internet access through the Internet service provider, restricting users to a web browser such as LYNX, which only permits text-based Internet browsing, or using a client-side or server-side Internet filtering software program.

Q: What filtering or blocking technology meets the CIPA requirements?
A: The FCC made it very clear that the technology selection is a local matter, not something it will review or micromanage. Each local school or library authority may select the filtering or blocking technology of its choice, so long as it blocks visual depictions that are obscene, child pornography, or harmful to minors.

Q: Must schools and libraries install filtering or blocking technology on computers that are not used by children or other members of the public?
A: Yes. All computers with Internet access must be filtered if a school or library is covered by CIPA. This includes administrative computers and school district computers that teachers or administrators use from home.

Q: What happens if, despite the filters, students are able to access materials restricted under CIPA?
A: The FCC does not require that the filtering software schools and libraries select be foolproof. Schools and libraries are required to engage in a good faith effort to abide by the requirements of CIPA. Although it is not required, it is a good idea to review the accuracy of the product you select and upgrade if necessary on a regular basis.

Q: Do we have to keep records to show how well the technology is working?
A: No. Although several groups asked the FCC to require schools and libraries to keep web logs and make them available to the public, the FCC did not do so. The FCC indicated that such a request goes beyond what CIPA requires. A local district, however, may choose to keep logs or otherwise trace the effectiveness of its software.

Q: Is my school liable if our filters don't block access to materials others find objectionable?
A: CIPA does not create a "private right of action," meaning that if an individual comes in to a school and finds objectionable material on a computer subject to the CIPA requirements, he or she cannot file a lawsuit complaining that the school violated CIPA. The person can complain to the FCC or USAC, which may investigate the school's compliance. The most severe penalties available under CIPA involve requiring a school that has knowingly violated the CIPA requirements to repay the E-Rate funding received while the school was out of compliance. In addition, there may be state or local laws that apply, depending on the circumstances. This is a question best answered in consultation with the school's attorney.

Q: Under what circumstances can filters be disabled?
A: If a school receives E-Rate support for Internet access or internal connections, the filters cannot be disabled when minors are using the computers. For example, if a school uses Bess, the time-limited password disabling feature can not be used when a minor is using the computer. If a site is inappropriately blocked, educators must work with the network manager, technology director and/or the provider of the filtering software to have it unblocked. When adults are doing "bona fide research," filters may be disabled on the spot.

If a school receives Department of Education educational technology grants, but not E-Rate funding, the filters may be disabled for anyone conducting "bona fide research," not only adults.

Monitoring Requirements

Q: What constitutes "monitoring" student Internet use in school?
A: The FCC declined to further explain the requirement that student Internet use be monitored, reserving that for local authorities. That means that 'monitoring software' is not required, although it clearly remains one option schools may consider.

"Internet Safety Policy" Requirements

Q: What is the difference between an Acceptable Use Policy and an Internet Safety Policy?
A: They're essentially different terms for the same thing. However, you need to make sure that the school's Acceptable Use Policy addresses all of the specific topics outlined in CIPA, and that it was adopted with at least one open meeting or hearing. If you have covered all the substantive areas and held a public meeting on your policy, you don't need to do it again. Otherwise, you need to revise the policy and subject it to public review in order to meet the Internet Safety Policy requirements of CIPA.

Q: What does a school "Internet Safety Policy" need to contain?
A: A school Internet Safety Policy must address the following issues:

  • Access by minors to inappropriate material on the Internet and World Wide Web;
  • The safety and security of minors when using electronic mail, chat rooms, and other forms of direct electronic communications (e.g. Instant Messaging services);
  • Unauthorized access, including so-called 'hacking' and other unlawful activities by minors online;
  • Unauthorized disclosure, use, and dissemination of personal identification information regarding minors; and
  • Measures designed to restrict minors' access to materials harmful to minors;

It must also require the selection and use of filtering or blocking technology.

Q: Does the Internet Safety Policy have to address all these topics in a particular manner?
A: No. As long as you address all of the topics required by CIPA, the FCC considers the content of the Internet Safety Policy to be a local decision. You do not even have to provide the FCC with a copy of the Internet Safety Policy when you file your certification that you are compliant with CIPA.

Q: I am not sure what some of the Internet Safety Policy requirements mean. Did the FCC provide definitions?
A: No. It's up to you interpret the requirements. But there are resources that can help. The first place to look is CoSN's Safeguarding the Wired Schoolhouse web site: www.safewiredschools.org. It includes a checklist for decision makers about how to manage Internet content in schools. Schools may want to examine CIPA's rules and the CoSN checklist with their lawyers, to make sure that your policy also complies with local laws that may address similar issues.

Public Meeting Requirements

Q: What kind of public meeting or hearing do I need to have to comply with CIPA?
A: It depends. Public schools and libraries need to make sure that any public meeting they have on this issue follows local or state law related generally to public meetings. Otherwise, the structure and agenda of the meeting is up to you. In most cases, the school board or the library trustees will be responsible for holding the meeting, but the state department of public instruction or state library agency may also be responsible. Contact your local school or library board, or your school or library attorney, to determine the appropriate answer for your situation.

Q: Do private schools need to have public meetings or hearings?
A: Yes. Private schools must hold public meetings to create Internet Safety Policies. Private schools may want to consult with counsel to decide how to interpret the requirements in the context of a private institution.

Additional Questions

Q: Is CIPA the same as the CHIP Act, CHIPA, and N-CIPA?
A: These acronyms all refer to the Children's Internet Protection Act. N-CIPA specifically refers to the "Internet Safety Policy" section, which applies only to the E-Rate. This document will refer to the Children's Internet Protection Act as "CIPA."

Q: What's the difference between CIPA, COPPA, COPA, and the CDA?
A: CIPA is the Children's Internet Protection Act, and was passed in late 2000. It requires schools and libraries receiving certain types of federal funding to filter or block Internet access to "visual depictions" of material that is obscene, child pornography, and when minors are using the computer, material that is harmful to minors.

COPPA is the Children's Online Privacy Protection Act, and was passed in 1998. It requires commercial Web sites oriented to minors to get parental permission to collect personally identifiable information from children under age 13.

COPA is the Children's Online Protection Act, and was passed in 1997. It prohibited commercial Web sites from providing "harmful to minors" content to minors. COPA was found unconstitutional by the 3rd Circuit Court of Appeals. The Supreme Court is expected to review that decision shortly.

CDA is the Communications Decency Act, which passed as part of the 1996 Telecommunications Deregulation Act. The CDA prohibited "indecent" communication over the Internet. It was found unconstitutional by a unanimous Supreme Court in 1997.

Consortium for School Networking. All rights reserved.