Updated August 2016
Applicants must enforce a policy of Internet safety and certify compliance with the Children's Internet Protection Act (CIPA) to be eligible for discounts. CIPA was signed into law on December 21, 2000. To receive support for Category One Internet access and all Category Two services – internal connections, managed internal broadband services, and basic maintenance of internal connections, school and library authorities must certify that they are enforcing a policy of Internet safety that includes measures to block or filter Internet access for both minors and adults to certain visual depictions. The relevant authority with responsibility for administration of the eligible school or library (hereinafter known as the Administrative Authority) must certify the status of its compliance for the purpose of CIPA in order to receive universal service support.
In general, school and library authorities must certify either that they have complied with the requirements of CIPA, that they are undertaking actions, including any necessary procurement procedures, to comply with the requirements of CIPA, or that CIPA does not apply to them because they are receiving discounts for telecommunications services only.
CIPA requirements include the following three items:
Schools and libraries receiving universal service discounts are required to adopt and enforce an Internet safety policy that includes a technology protection measure that protects against access by adults and minors to visual depictions that are obscene, child pornography, or – with respect to use of computers with Internet access by minors – harmful to minors. "Minor" is defined as any individual who is under the age of 17.
The Internet safety policy must address all of the following issues:
For schools, the policy must also include monitoring the online activities of minors. Note: As of July 1, 2012, as part of their CIPA certification, schools are also required to certify that their Internet safety policies have been updated to provide for educating minors about appropriate online behavior, including interacting with other individuals on social networking websites and in chat rooms, cyberbullying awareness, and response.
A technology protection measure is a specific technology that blocks or filters Internet access.
The school or library must enforce the operation of the technology protection measure during the use of its computers with Internet access, although an administrator, supervisor, or other person authorized by the authority with responsibility for administration of the school or library may disable the technology protection measure during use by an adult to enable access for bona fide research or other lawful purpose. For example, a library that uses Internet filtering software can set up a process for disabling that software upon request of an adult user, through use of a sign-in page where an adult user can affirm that he or she intends to use the computer for bona fide research or other lawful purposes.
CIPA uses the federal criminal definitions for obscenity and child pornography. The term "harmful to minors" is defined in the statute and in the E-rate rules as "any picture, image, graphic image file, or other visual depiction that – (i) taken as a whole and with respect to minors, appeals to a prurient interest in nudity, sex, or excretion; (ii) depicts, describes, or represents, in a patently offensive way with respect to what is suitable for minors, an actual or simulated sexual act or sexual contact, actual or simulated normal or perverted sexual acts, or a lewd exhibition of the genitals; and (iii) taken as a whole, lacks serious literary, artistic, political, or scientific value as to minors."
Decisions about what matter is inappropriate for minors must be made by the local community. E-rate program rules specify that the library or other authority for making the determination shall make "[a] determination regarding matter inappropriate for minors."
The authority with responsibility for administration of the school or library must provide reasonable public notice and hold at least one public hearing or meeting to address a proposed technology protection measure and Internet safety policy. For private schools, public notice means notice to their appropriate constituent group. Additional meetings are not necessary – even if the policy is amended – unless required by local or state rules or the policy itself.
The Administrative Authority for a school or library is the entity that must make the relevant certification for the purpose of CIPA. For a school, the Administrative Authority may be the school, school district, school board, local educational agency, or other authority with responsibility for administration of the school. For a library, the Administrative Authority may be the library, library board, or other authority with responsibility for administration of the library.
If the Administrative Authority is also the Billed Entity, the Administrative Authority certifies on the FCC Form 486. If the Administrative Authority is not the Billed Entity, the Administrative Authority must complete FCC Form 479 (Certification of Administrative Authority to Billed Entity of Compliance with the Children's Internet Protection Act), and submit the FCC Form 479 to the Billed Entity. The Billed Entity then certifies on the FCC Form 486 that it has collected, duly completed, and signed the FCC Form 479. The Billed Entity does not need to collect FCC Forms 479 when the Billed Entity applies only for telecommunications services.
CIPA provides that, in the first funding year following the effective date of CIPA (April 20, 2001) in which you are "applying" for funds, you need not be fully compliant with CIPA's requirements but can certify that you are undertaking actions to be in compliance for the next funding year. You may also make this certification in your Second Funding Year for the purpose of CIPA if you seek a waiver due to state or local procurement rules or regulations or competitive bidding requirements. Applicants, therefore, need to determine their "first," "second," and "third" funding years after the effective date of CIPA (April 20, 2001) in which their school or library is "applying" for funds and must also understand what "applying" for funds means in this context.
For the purpose of CIPA requirements, a school or library that is a recipient of service is considered to have "applied" for funds in a funding year after a Receipt of Service Confirmation and Children's Internet Protection Act and Technology Plan Certification Form (FCC Form 486) for a funding request for Category One Internet access and all Category Two services have been successfully processed by USAC.
The first funding year after Funding Year 2000 (the funding year beginning July 1, 2000) in which your school or library applies for funds (i.e., in which an FCC Form 486 is successfully processed) for Category One Internet access and all Category Two services is your First Funding Year for the purpose of CIPA. Once your First Funding Year is established, the next two funding years will be your second and third funding years for the purpose of CIPA. In the First Funding Year, the applicant must be in compliance with CIPA or undertaking actions to comply with CIPA in order to receive support for Category One Internet access and all Category Two service.
Once the First Funding Year is established, the funding year immediately following becomes the Second Funding Year for the purpose of CIPA.
If the school or library applies for funds for Category One Internet access and all Category Two services in the Second Funding Year, its Administrative Authority must certify compliance with CIPA unless state or local procurement rules or regulations or competitive bidding requirements prevent the making of the certification. A school or library so prevented can request a waiver for the Second Funding Year on FCC Form 486 or FCC Form 479, as appropriate.
The Third Funding Year for the purpose of CIPA is the funding year immediately following the second. If the school or library applies for funds for Category One Internet access and all Category Two services in the Third Funding Year, it must be in compliance with CIPA.
The school or library must be in compliance with CIPA for any funding year thereafter.
Below is the appropriate certification that the Administrative Authority must make for "undertaking actions" from the Federal Communications Commission, FCC 01-120 Order, released on April 5, 2001:
"I certify that, as of the date of the start of discounted services, pursuant to the Children's Internet Protection Act, as codified at 47 U.S.C. Section 254(h) and (l), the recipient(s) of service represented in the Funding Request Number(s) on this FCC Form 486 is (are) undertaking such actions, including any necessary procurement procedures, to comply with the requirements of CIPA for the next funding year, but has (have) not completed all requirements of CIPA for this funding year."
For a school or library to be able to make the certification quoted above, it must be able to demonstrate that action was taken by the start of services. USAC will not request this documentation as part of the FCC Form 486 filing process but the school or library must maintain this documentation in its files for audit purposes.
An undertaken action is an action that can be documented and demonstrates that the school or library is taking steps to become compliant with the CIPA requirements. If a school or library has already provided reasonable public notice and at least one public hearing or meeting relating to an Internet safety policy and technology protection measure that meets all the requirements listed above, that school or library has complied with the public notice and hearing or meeting requirements of CIPA. If a school or library has not met those conditions, the statute requires that the school or library provide the required notice and hearing or meeting.
Following are a few examples of documentation that could demonstrate that a school or library is undertaking actions to comply with CIPA:
This list is not meant to be exhaustive, but includes examples of how applicants can demonstrate they are undertaking actions to become compliant with the CIPA requirements. Remember that such actions must occur before the start of services in order for discounts to be paid back to the service start date reported on the FCC Form 486. Although applicants are allowed to undertake the actions described above in order to make the required certification regarding CIPA compliance during the first funding year, applicants should be prepared to implement all necessary measures in order to be in full compliance with the CIPA requirements before services start for the second funding year, unless a waiver has been granted.
Below is a list of the documentation that will be requested to demonstrate CIPA compliance during an audit. A school or library should retain copies of the documentation for each funding year where a CIPA certification is required. Note that documents must be retained for at least 10 years after the latter of the last day of the applicable funding year or the service delivery deadline for the funding request.
Applicants are given the opportunity to correct minor errors that could result in violations of the CIPA rules before instituting recovery of E-rate Program funds. Correctable errors are those that are immaterial to CIPA compliance. For example, if a school has complied in practice with its CIPA certification, but inadvertently left out one of the details of its practice in its written Internet safety policy, the FCC would consider that to be an immaterial error that could be corrected. Also, since 2011, entities have been required, at a minimum, to keep at least some record of when the public notice and meeting or hearing took place (e.g., a copy of the meeting agenda, or a newspaper article announcing the meeting or hearing). However, if a school or library cannot locate a record of a public notice and meeting or hearing that was held after August 2004, the school or library can correct its failure to document its public meeting or hearing by providing a public notice and holding a meeting or hearing. These are just two CIPA issues that have been addressed by the FCC, but there may be others that can be corrected.