The Children’s Internet Protection Act (CIPA) requires schools and libraries receiving E-rate funding or LSTA grants to implement technology protection measures for computers accessed by minors. Understanding what CIPA actually requires — and what satisfies it — helps institutions choose the right filtering approach and document their compliance accurately.
What CIPA Actually Requires
CIPA requires that covered institutions implement a technology protection measure that blocks or filters internet access to:
- Obscene content
- Child pornography
- Material harmful to minors (for computers accessible to minors)
This requirement applies to computers that access the internet, and it applies specifically to visual depictions — not text. The law does not specify which technology must be used to achieve this — only that the visual depiction blocking must be in place.
For E-rate applicants, CIPA compliance is part of Form 471 certification. The institution certifies that it has an internet safety policy and has implemented the required technology protection measures.
What Counts as a “Technology Protection Measure” Under CIPA
CIPA is intentionally technology-neutral. A compliant technology protection measure can be:
- A network-level content filter (DNS filtering, proxy-based filtering)
- A device-level content filter (software installed on each computer)
- A whitelist-only browser that restricts access to pre-approved sites only
All three approaches satisfy CIPA’s requirement if they effectively prevent access to the prohibited visual content. However, they differ significantly in how verifiable and how robust the protection is.
Why Whitelist-Only Filtering Is the Strongest CIPA Approach
Category-based content filters block known harmful sites but rely on a database that must be kept current. New sites that publish prohibited content may not be categorized immediately, creating a window during which access is possible.
Whitelist-only browsing eliminates this gap. If a site is not on the approved list, it is inaccessible — regardless of when it was created, what category it would fall into, or whether it has been flagged anywhere. For CIPA purposes, this is the most defensible form of compliance because you can demonstrate exactly what content is accessible (the whitelist) rather than arguing that your blocklist was sufficiently comprehensive.
Documenting CIPA Compliance for E-Rate Reviewers
For E-rate compliance, institutions typically need to demonstrate:
- An internet safety policy adopted through a public process — a formal policy document reviewed and adopted by the school board, library board, or equivalent governing body
- Technology protection measures implemented and operational — the actual filtering software or whitelist browser in use
- Monitoring of online activities for minors — this does not require surveillance; having a process for reviewing filtering logs or approving whitelist changes satisfies this
For institutions using Kidsplorer, the technology protection measure documentation includes:
- Description of the whitelist-only filtering approach
- Evidence of the whitelist configuration
- Description of the admin dashboard and how filtering is maintained
- Process for whitelist updates and review
The Institutional L plan includes CIPA documentation — written materials describing Kidsplorer’s filtering approach and configuration, suitable for inclusion in an E-rate application or audit response.
Practical CIPA Compliance for Small Schools, Churches, and Libraries
Large school districts typically have IT departments that handle CIPA compliance as part of their network infrastructure. Small institutions — small private schools, church computer labs, and branch libraries — often lack this infrastructure and need to implement CIPA compliance without dedicated IT staff.
For these institutions, the key requirements are:
1. Have a written internet safety policy. This doesn’t need to be elaborate. A one-page document stating that the institution restricts internet access for minors to prevent access to obscene or harmful visual content, reviewed and approved by whoever governs the institution, satisfies the policy requirement.
2. Implement filtering on covered computers. Every computer accessible to minors that connects to the internet must have the technology protection measure active. A whitelist browser installed on each computer satisfies this.
3. Know how to respond if the filtering fails. Have a process — even a simple one — for what happens if a child reports encountering inappropriate content. This demonstrates that the filtering is monitored, not just installed.
Which Institutions Need CIPA Compliance
CIPA compliance is required for:
- Schools that receive E-rate funding for internet access or telecommunications services
- Libraries that receive E-rate funding or Library Services and Technology Act (LSTA) grants for internet access
Institutions that do not receive E-rate or LSTA funding are not legally required to comply with CIPA, though many choose to implement filtering anyway as a matter of policy.
If you’re unsure whether your institution receives E-rate funding, check with your business manager or the E-rate Productivity Center (USAC).
Getting Started with CIPA-Compliant Filtering
For small institutions looking for a practical, low-maintenance CIPA-compliant filtering solution:
- Adopt an internet safety policy at your next board or leadership meeting
- Install a whitelist browser on all computers accessible to minors
- Build and maintain an approved site list appropriate for your use case
- Document the configuration and keep the documentation with your E-rate records
Kidsplorer’s Institutional L plan includes the CIPA documentation and the admin dashboard for managing all your computers from one place — no IT staff required.
Start a 30-day free institutional trial → | See library-specific features → | Contact us about CIPA documentation →