CIPA Compliance Checklist

The Children's Internet Protection Act (47 U.S.C. § 254(h)(5)), enacted in 2000, establishes three core obligations for schools and libraries receiving E-Rate discounts or LSTA grants. First, districts must adopt and enforce an Internet Safety Policy (ISP). Second, they must implement a technology protection measure — a content filter — on all devices with internet access. Third, they must provide education to minors about appropriate online behavior, including cyberbullying awareness and interaction with online predators.

CIPA compliance is not optional for E-Rate participants. The Federal Communications Commission (FCC) requires applicants to certify compliance annually on FCC Form 486 before funding is disbursed. Failure to maintain compliance can result in retroactive recovery of E-Rate funds, which for many districts represents hundreds of thousands of dollars in connectivity support. The Universal Service Administrative Company (USAC) conducts audits and Selective Reviews that specifically examine CIPA compliance documentation.

It is important to note that CIPA sets a federal floor, not a ceiling. Many states impose additional filtering and monitoring requirements that go beyond federal mandates. Districts should treat this checklist as a baseline and layer state-specific obligations on top.

CIPA mandates that schools block or filter internet access to visual depictions that are obscene, contain child pornography, or — in the case of minors — are harmful to minors. The technology protection measure must be applied to all computers and devices with internet access, including district-owned laptops, Chromebooks, tablets, and any devices connecting through the school network.

Effective filtering requires SSL/TLS inspection. Over 95% of web traffic is now encrypted, and without decrypting HTTPS connections, content filters cannot inspect the actual content of web pages. A filter that only examines domain names will miss inappropriate content hosted on otherwise legitimate platforms (e.g., explicit content on social media or cloud storage services). Districts must deploy SSL inspection certificates to managed devices and configure transparent decryption on the secure web gateway.

Beyond the minimum CIPA categories, most districts should block or restrict the following URL categories to satisfy both federal requirements and community expectations: adult and sexually explicit content, violence and weapons, malware and phishing, proxy and anonymizer services, gambling, drug-related content, and hate speech. Additionally, districts should implement SafeSearch enforcement for major search engines and restrict YouTube to the restricted or moderate mode.

• Deploy SSL/TLS inspection on all internet-bound traffic from managed devices
• Block visual depictions that are obscene (Miller v. California standard)
• Block child sexual abuse material (all users, no exception)
• Block content harmful to minors (applies to minor users)
• Enforce SafeSearch on Google, Bing, Yahoo, and DuckDuckGo
• Enable YouTube Restricted Mode or use an allow-list approach
• Block proxy, anonymizer, and VPN evasion categories
• Apply filtering to off-network devices using a cloud-based SWG or agent
• Ensure filtering applies equally to staff and student devices (obscenity and CSAM categories)
• Document the ability for authorized staff to disable filtering for bona fide research

CIPA requires that districts monitor the online activities of minors. While the statute does not prescribe specific monitoring technologies, the FCC has interpreted this to mean that districts must have measures in place to detect and address unauthorized or inappropriate internet use.

Monitoring should include real-time activity logging that captures URLs visited, search queries, application usage, and file transfer activity. Logs must be retained for a sufficient period to support investigations — most compliance frameworks recommend a minimum of one year, though some state laws require longer retention. The monitoring system should generate alerts for policy violations so that designated staff can review incidents promptly.

Districts should designate specific personnel — typically technology coordinators, building administrators, or student safety specialists — as responsible parties for reviewing monitoring alerts. The monitoring process should be documented in the Internet Safety Policy, including escalation procedures for incidents involving potential threats to student safety.

• Log all web traffic including URLs, timestamps, user identities, and bytes transferred
• Capture search engine queries across all major search providers
• Monitor application-layer activity including SaaS and cloud application usage
• Retain logs for a minimum of 12 months (verify state-specific requirements)
• Configure automated alerts for policy violations and high-risk activity categories
• Designate staff responsible for reviewing monitoring alerts
• Document monitoring procedures and escalation workflows
• Ensure monitoring extends to off-network device usage via cloud agent

Every CIPA-compliant district must adopt and implement a written Internet Safety Policy addressing specific topics enumerated in the statute. The policy must address: access by minors to inappropriate matter on the internet, the safety and security of minors when using electronic mail, chat rooms, and other forms of direct electronic communications, unauthorized access including hacking, unauthorized disclosure of personal information regarding minors, and measures restricting minors' access to materials harmful to them.

The 2008 Protecting Children in the 21st Century Act amended CIPA to require that the Internet Safety Policy also include education for students about appropriate online behavior, including cyberbullying awareness and response, and interaction with other individuals on social networking sites and in chat rooms.

The policy should be written in clear, accessible language and made available to parents, students, and staff. It must be formally adopted by the school board through a public process. The policy should reference the specific technology protection measures in use, describe the district's approach to monitoring, outline consequences for violations, and explain the process by which authorized adults can request that filtering be disabled for legitimate research purposes.

• Address all five CIPA-mandated policy topics in the written document
• Include provisions for educating students about cyberbullying and online safety
• Reference specific technology protection measures (content filter, monitoring tools)
• Describe the process for authorized adults to disable filtering for research
• Outline consequences for Acceptable Use Policy violations
• Ensure the policy covers all district-owned and district-managed devices
• Address student use of personal devices on district networks (BYOD)
• Include procedures for responding to student safety incidents identified through monitoring

Before adopting or revising the Internet Safety Policy, CIPA requires that schools provide reasonable public notice and hold at least one public hearing or meeting to address the proposed policy. This requirement ensures community input and transparency in the district's approach to internet safety.

The public hearing is typically conducted as part of a regular school board meeting, though it may also be a dedicated session. Districts should document the hearing by retaining meeting agendas, minutes, sign-in sheets, and any public comments received. The board resolution adopting the policy should reference the hearing date and note that public input was solicited.

Districts should plan to hold a public hearing whenever the Internet Safety Policy undergoes material revision — not only at initial adoption. Changes to filtering categories, monitoring scope, or student safety procedures should trigger a new review cycle. Many districts schedule an annual policy review aligned with the E-Rate application cycle to ensure documentation is current when certifying on Form 486.

• Provide public notice of the hearing at least 10 business days in advance
• Conduct the hearing during a school board meeting or dedicated public session
• Retain agendas, minutes, sign-in sheets, and public comment records
• Adopt the policy via formal board resolution with recorded vote
• Schedule subsequent public hearings for any material policy revisions
• Maintain a dated, versioned archive of all policy iterations

USAC requires CIPA compliance certification as part of the E-Rate application process. On FCC Form 486, the applicant must certify that the school or library has an Internet Safety Policy in place and that a technology protection measure is operational. USAC conducts Selective Reviews and audits where districts must produce evidence substantiating their certification.

Districts should maintain a CIPA compliance binder — either physical or digital — that contains all supporting documentation organized for rapid retrieval. This binder should be updated annually and reviewed before filing Form 486. During a Selective Review, USAC may request documentation with a short turnaround, so having materials pre-organized is critical.

Key documents include the current Internet Safety Policy with board adoption date, public hearing records, technology protection measure configuration documentation, filtering activity reports showing the system is operational, monitoring reports demonstrating ongoing oversight, and staff training records. Districts should also retain evidence that the technology protection measure applies to all internet-connected devices and that the filter cannot be easily bypassed by students.

• Current Internet Safety Policy with board adoption date and resolution number
• Public hearing notice, agenda, minutes, and attendance records
• Technology protection measure vendor documentation and configuration summary
• Monthly or quarterly filtering reports demonstrating operational status
• Monitoring activity reports showing ongoing staff review
• Staff and student Acceptable Use Policy acknowledgment records
• Training records for staff responsible for monitoring and internet safety education
• Annual policy review documentation showing date of last review

CIPA compliance is not a one-time implementation — it requires ongoing attention. Districts should establish a formal annual review cycle that evaluates the effectiveness of both technical controls and policy provisions. The review should be scheduled to conclude before the Form 486 filing deadline so that any deficiencies can be remediated prior to certification.

The annual review should evaluate whether the content filter is blocking the required categories effectively, whether new evasion techniques (such as DNS-over-HTTPS or new VPN applications) are being addressed, whether monitoring processes are functioning and alerts are being reviewed, whether the Internet Safety Policy remains current and addresses emerging threats, and whether student internet safety education has been delivered as required.

Districts should document the review process, findings, and any corrective actions taken. A brief annual compliance report signed by the technology director and superintendent provides strong evidence of ongoing diligence during audits.

• Schedule annual review 60 days before Form 486 filing deadline
• Test content filter effectiveness across all required categories
• Verify SSL inspection is functioning and certificate deployment is current
• Review monitoring alert logs to confirm active staff oversight
• Update the Internet Safety Policy to address new threats and technologies
• Confirm student internet safety education was delivered during the school year
• Document review findings and corrective actions in a dated report
• Obtain sign-off from the technology director and superintendent

The iboss cloud platform provides all technology protection measures required by CIPA through its Secure Web Gateway (SWG) and cloud-delivered security architecture. Because iboss operates as a cloud-native proxy, filtering and monitoring are enforced regardless of device location — on-campus, at home, or on the go — satisfying CIPA's requirement that the technology protection measure cover all internet access on protected devices.

The following configuration steps map iboss capabilities directly to CIPA requirements. Each setting should be verified during initial deployment and re-validated during the annual review process. Screenshots of each configuration page should be archived as audit evidence.

• Enable SSL Decryption policy and deploy the iboss root CA certificate to all managed devices via MDM or GPO
• Configure Web Filtering policies to block Adult, Pornography, Nudity, and Explicit Content categories (CIPA obscenity requirement)
• Enable the CSAM/Child Exploitation category block — this must apply to ALL users including staff
• Create age-appropriate filtering groups: separate policies for elementary, middle, high school, and staff
• Enable SafeSearch Enforcement in the SWG policy to force safe search across Google, Bing, and YouTube
• Configure YouTube Restricted Mode enforcement via HTTP header injection
• Block Proxy, Anonymizer, and VPN Evasion categories to prevent filter bypass
• Enable DNS-over-HTTPS (DoH) blocking to prevent encrypted DNS bypass of filtering
• Configure the iboss agent (cloud connector) on all district-owned devices for off-network protection
• Enable User Activity Logging with full URL capture, search query logging, and user identity correlation
• Configure automated alert rules for high-severity policy violations (self-harm keywords, explicit search attempts, violence)
• Set log retention to 12 months minimum (or longer per state requirements)
• Create an Administrator Override group allowing authorized staff to temporarily bypass filtering for research
• Generate and archive a monthly CIPA Compliance Summary Report from the iboss reporting dashboard
• Document all policy configurations with screenshots and store in the CIPA compliance binder