Children's Internet Protection Act (CIPA) Overview

What is CIPA?

The Children's Internet Protection Act (CIPA) is a federal requirement tied to certain E-Rate discounts. Schools and libraries must certify CIPA compliance to receive E-Rate support for Category One internet access or any Category Two service.

For E-Rate purposes, CIPA is not just "do you have a filter." It is a documented compliance workflow that connects board policy, IT operations, a public meeting, the right certification on the right form, and 10-year record retention. Most CIPA problems are not policy failures, they are documentation and timing failures, and they tend to surface at exactly the wrong moment: when you are trying to file FCC Form 486 and start invoicing.

When CIPA applies in E-Rate

USAC states that applicants must certify CIPA compliance to receive discounts on:

• Category One internet access
• Category Two internal connections
• Category Two managed internal broadband services
• Category Two basic maintenance of internal connections

In practice, that covers essentially every E-Rate funding request, because current requests involve internet access or Category Two services. The practical rule: if you are receiving E-Rate discounts, build CIPA review into the post-commitment and FCC Form 486 workflow.

The three core CIPA requirements

1. Internet safety policy

Schools and libraries must adopt and enforce an internet safety policy that includes a technology protection measure and protects against access to visual depictions that are obscene, that are child pornography, or, with respect to minors, that are harmful to minors. ("Minor" under CIPA means anyone under the age of 17.)

The policy must address all of the following:

• Access by minors to inappropriate matter on the internet
• The safety and security of minors using email, chat rooms, and other direct electronic communications
• Unauthorized access, including hacking and other unlawful activity by minors online
• Unauthorized disclosure, use, and dissemination of minors' personal information
• Measures restricting minors' access to materials harmful to them

For schools, the policy must also include monitoring the online activities of minors, and (since July 1, 2012) must provide for educating minors about appropriate online behavior, including social networking, chat rooms, and cyberbullying awareness and response.

From an operations standpoint, the policy should connect cleanly to the funding year. A reviewer should be able to see which policy was in force, when it was adopted or updated, and where the public meeting record lives. Strong CIPA files usually include both the board-approved policy and a short internal note explaining where filtering is managed and who owns the annual certification.

2. Technology protection measure

A technology protection measure is the filter or blocking technology that restricts access to covered visual depictions. It must block obscene material and child pornography for both minors and adults, and material harmful to minors for minors.

The measure must be enforced while school or library computers are used for internet access. An authorized administrator may disable the filter for an adult engaged in bona fide research or another lawful purpose, for example through a sign-in page where an adult affirms lawful intent.

This is where policy meets IT. A CIPA file should not just contain board policy language, it should preserve enough to show the filter is actually in place. Useful evidence includes the filtering vendor name, the contract or subscription record, an administrative screenshot showing the filter is active, a description of which networks or devices are covered, the process for disabling the filter for adults, and the role responsible for filter administration. You do not need a security-architecture treatise. You need "we have a filter" to be backed by a file that ties the filter to the certification.

3. Public notice and hearing or meeting

The administrative authority for the school or library must provide reasonable public notice and hold at least one public hearing or meeting to address the proposed technology protection measure and internet safety policy. For private schools, public notice means notice to the appropriate constituent group.

Additional meetings are not required even if the policy is amended later, unless state or local rules, or the policy itself, require them. The meeting record does not need to be elaborate, but it must be findable: keep the notice, agenda, minutes, and policy materials together. If the agenda says "internet safety policy" rather than "CIPA," make the connection obvious for whoever reviews the file years later.

FCC Form 486 and CIPA certification

FCC Form 486 notifies USAC that services have started and reports CIPA status for the recipients on the FRNs. You cannot file Form 486 for an FRN until USAC issues a positive Funding Commitment Decision Letter, and it generally must be certified within 120 days of the service start date or the FCDL date, whichever is later.

On Form 486, the administrative authority certifies its CIPA status: either that the applicant has complied with CIPA, or that it is undertaking actions to comply, including any necessary procurement, in the first year it applies for CIPA-covered services.

Choosing the wrong status can delay the E-Rate process and downstream invoicing, which is exactly why CIPA should be reviewed before Form 486 is filed, not after.

What "undertaking actions" means

USAC lets certain applicants certify that they are undertaking actions to comply, especially in the first funding year they apply for CIPA-covered services. The key is documentation: board agendas, meeting minutes, filtering quotes, draft procurement documents, or memos analyzing policy and filtering options. If you certify that you are undertaking actions, the file should show what actions occurred and when.

CIPA and consortia: the Form 479 workflow

Consortia add a coordination layer. The consortium leader must collect FCC Form 479 from each member to establish that member's CIPA status before completing FCC Form 486. Form 479 is not filed with USAC; the leader keeps it on file. It is also not required if the consortium requested funding only for services to which CIPA does not apply.

In practice, this is a member-by-member recordkeeping job, and it gets messy when entity structures change. Sites close, merge, reopen, or move under a different parent. A few field-tested habits keep it clean:

• Confirm which members or sites are actually receiving CIPA-covered services this year.
• Collect a signed Form 479 before filing Form 486 for every covered member, even when you also keep a separate internal CIPA letter. The Form 479 is the artifact USAC's Form 486 question is asking about.
• Keep member records with the funding-year file.
• Reflect how the applicant is represented in EPC for the funding year, not just how the organization thinks of itself. If an entity is set up as a consortium in EPC, maintain the consortium CIPA file (including 479s) until the structure is formally cleaned up, and time any reclassification between five-year Category Two budget cycles so you do not disrupt open invoicing.

What documentation should applicants keep?

CIPA records belong with the funding-year file and, like all E-Rate documentation, must be retained for at least 10 years after the later of the last day of the funding year or the service delivery deadline. A practical CIPA file includes:

• Current internet safety policy, with its adoption or most-recent-approval date
• Public notice for the meeting or hearing
• Agenda and minutes showing CIPA or the internet safety policy was addressed
• Filtering vendor documentation or screenshots, and the covered networks/devices
• Internal note identifying who administers the filter
• FCC Form 486 certification record and Notification Letter
• FCC Form 479 records for consortium members, where applicable
• Any policy updates, board approvals, or administrative memos

For a mature applicant, the biggest improvement is rarely a new policy. It is a cleaner evidence trail.

CIPA for schools vs. libraries

Schools and libraries share the same structure but differ operationally. Schools must address monitoring of minors' online activity and the education component (appropriate online behavior, social networking, cyberbullying). Libraries manage filtering while also handling adult access, including the ability to disable the filter for an adult for bona fide research or another lawful purpose. For both, the strongest practice is to keep policy, filtering, and certification records together by funding year.

Common CIPA compliance pitfalls

• There is a filter, but the internet safety policy cannot be produced quickly.
• The policy exists, but the public notice or hearing record is missing.
• The meeting happened, but the minutes do not show CIPA or the policy was addressed.
• The FCC Form 486 status does not match the applicant's actual CIPA position.
• A consortium leader does not have member Form 479 records organized, or substitutes a generic letter for the Form 479 the Form 486 question expects.
• The written policy is missing required school-specific elements (monitoring, education).
• Filtering records are scattered across IT, procurement, and E-Rate files.

These are not signs of an immature program. They happen because CIPA sits at the intersection of board policy, IT, E-Rate forms, and document retention.

CIPA is part of the funding-to-invoicing chain

CIPA feels like a policy topic, but it has direct workflow consequences. FCC Form 486 is the bridge between a funding commitment and invoicing readiness. If CIPA status is unresolved, Form 486 stalls; if Form 486 stalls, invoicing stalls; and if invoicing stalls, you run closer to the invoice deadline. The best time to organize CIPA records is before Form 486 is filed, not after an audit request arrives.

A practical CIPA workflow

Before filing FCC Form 486:

1. Confirm which FRNs include CIPA-covered services.
2. Verify the internet safety policy is current.
3. Confirm filtering is active and administered.
4. Locate the public notice and hearing or meeting documentation.
5. Confirm school-specific policy elements (monitoring, education), if applicable.
6. For consortia, collect signed FCC Form 479 records from members.
7. File FCC Form 486 with the correct CIPA status.
8. Store the Form 486 Notification Letter and supporting records together.

How ErateSync helps with CIPA readiness

CIPA is easier when E-Rate records are centralized. Applicants need to connect policies, board records, filtering evidence, Form 486 records, FRNs, funding years, and consortium member documentation. ErateSync helps teams organize E-Rate records by funding year and keep compliance documentation easy to find when filing, answering review questions, or preparing for an audit, so CIPA status is never the thing holding up Form 486.

Because ErateSync pulls live USAC Open Data, you can confirm an entity's funding, FRNs, and Form 486 status without digging through portals, and our E-Rate Chat answers E-Rate questions directly against that data.

Sources

• USAC, CIPA
• USAC, FCC Form 486 Filing
• USAC, Consortia
• FCC, Children's Internet Protection Act
• USAC Open Data (E-Rate datasets)
• edtechnologyfunds, What is E-Rate

This article reflects public USAC and FCC guidance and anonymized, real-world E-Rate consulting experience with Form 479/486 certification and consortium CIPA handling. No client names or confidential records are referenced.