CIPA Compliance Guide

Schools (K-12)

Any school that receives discounts for internet access or internal connections through the E-Rate program (formally the Schools and Libraries Program of the Universal Service Fund) must comply with CIPA. This includes public schools, private schools, and charter schools that participate in E-Rate.

Public Libraries

Public libraries that receive E-Rate discounts or Library Services and Technology Act (LSTA) grants must also comply. LSTA grants are administered through state library agencies using federal funds from the Institute of Museum and Library Services (IMLS).

Who Is Exempt?

• Schools and libraries that do not receive E-Rate discounts or LSTA grants
• Private businesses, home networks, and personal devices
• Higher education institutions (colleges and universities are not covered by CIPA, though many adopt similar policies voluntarily)
• Organizations outside the United States

Even if your organization is not required to comply, CIPA requirements represent a well-established framework for responsible internet access management. Many organizations — including libraries, businesses, and WiFi providers — voluntarily adopt CIPA-aligned content filtering as a best practice.

1. Technology Protection Measures (Internet Filtering)

Schools and libraries must implement technology that blocks or filters internet access to visual depictions that are:

• Obscene (as defined under federal law)
• Child pornography (child sexual abuse material / CSAM)
• Harmful to minors (for computers accessed by minors) — this includes content that appeals to prurient interest, depicts sexual content in an offensive way, and lacks serious literary, artistic, political, or scientific value for minors

This is the core technical requirement and is where DNS filtering plays a direct role. CleanBrowsing's content filtering categories (including Adult, Adult-Mixed, and Malware) address all three categories.

2. Internet Safety Policy (ISP)

Every covered institution must adopt and implement a written Internet Safety Policy. This policy must address:

• Access by minors to inappropriate matter on the internet
• The safety and security of minors when using electronic mail, chat rooms, and other forms of direct electronic communications
• Unauthorized access, including "hacking" and other unlawful activities by minors online
• Unauthorized disclosure, use, and dissemination of personal information regarding minors
• Measures restricting minors' access to materials harmful to them

The policy must be adopted through a formal process. For schools, this typically involves school board approval. For libraries, it must include a public hearing.

3. Public Notice and Hearing

Before adopting the Internet Safety Policy, the institution must provide reasonable public notice and hold at least one public hearing or meeting to address the proposed policy. This ensures community input and transparency.

4. Monitoring Online Activities of Minors

Schools (but not libraries) must monitor the online activities of minors. This does not require tracking every keystroke, but it does require that the school has measures in place to observe how minors are using the internet. DNS activity monitoring, combined with staff supervision, satisfies this requirement.

CleanBrowsing's activity monitoring dashboard provides visibility into DNS queries, blocked requests, and filtering activity — giving administrators the oversight CIPA requires.

5. Education on Appropriate Online Behavior (Added 2011)

As part of the 2011 FCC update, schools are required to educate minors about appropriate online behavior. This includes:

• Interacting with other individuals on social networking websites and in chat rooms
• Cyberbullying awareness and response

This is a policy and curriculum requirement — technology alone cannot satisfy it. Schools must incorporate digital citizenship and online safety into their educational programs.

6. Authorized Adults May Disable Filters

CIPA requires that an authorized person (administrator, supervisor, or other authorized staff) may disable the technology protection measure during use by an adult to enable access for bona fide research or other lawful purposes. Libraries, in particular, must allow adults to request that filters be disabled.

CleanBrowsing supports this through its profile system and allowlist management. Administrators can create separate filtering profiles for different user groups or temporarily adjust settings as needed.

What Is E-Rate?

The E-Rate program (officially the Schools and Libraries Program) provides discounts of 20% to 90% on eligible telecommunications, internet access, and internal connections for schools and libraries. The discount level is based on the poverty level of the community and whether the institution is urban or rural.

E-Rate is funded by the Universal Service Fund and administered by USAC. In fiscal year 2024, E-Rate committed over $2.4 billion in funding to schools and libraries nationwide.

CIPA Certification for E-Rate

To receive E-Rate discounts, applicants must certify CIPA compliance on FCC Form 486. There are three certification options:

• Full compliance: The institution has implemented all CIPA requirements (internet safety policy, technology protection measures, and public hearing)
• Undertaking actions: The institution is in the process of implementing CIPA requirements and will be fully compliant before the next funding year
• Not subject to CIPA: The institution is only receiving telecommunications services (Category 1 only) and is therefore exempt from CIPA requirements

What Is LSTA?

The Library Services and Technology Act (LSTA) provides federal grants to state library agencies for library programs, including technology and internet access. Libraries receiving LSTA grants that provide internet access to the public must also comply with CIPA.

Consequences of Non-Compliance

Schools and libraries that fail to certify CIPA compliance cannot receive E-Rate discounts or LSTA grants. For many institutions — particularly those in underserved communities — this funding is essential for providing internet access. Non-compliance effectively means losing access to significant federal technology subsidies.

Why DNS Filtering for CIPA?

• Network-wide protection — Configure once at the router and every device on the network is protected. No software to install on individual devices.
• Device-agnostic — Protects Chromebooks, laptops, tablets, phones, and any other device that connects to the network.
• No performance impact — DNS filtering happens in milliseconds with no noticeable browsing slowdown.
• Affordable — CleanBrowsing plans start at $75/year, making CIPA compliance accessible for schools and libraries on limited budgets.
• Encrypted DNS support — DoH and DoT protect DNS queries from tampering, which is especially important on shared school networks.

1. Choose Your Deployment Method

For most schools and libraries, router-level deployment is the simplest approach — change the DNS settings on your router or firewall and every device on the network is immediately protected.

• Router/Firewall: Best for protecting an entire building or campus. See our setup guides for 50+ router models.
• MDM (Mobile Device Management): For 1:1 device programs. Deploy via Microsoft Intune, Mosyle, or Google Workspace.
• Active Directory: For Windows-based school networks. See our Active Directory guide.

2. Configure Content Filtering Profiles

Set up appropriate filtering for your environment:

• Start with the Family filter as your base (blocks adult content, enforces SafeSearch)
• Add categories as needed: Gaming, Social Media, Dating, Streaming
• Create a separate staff/adult profile with lighter restrictions (CIPA requires the ability to disable filters for adults)
• Review predefined filter categories to choose the right configuration

3. Enable Monitoring

Turn on DNS activity monitoring to satisfy CIPA's monitoring requirement. For compliance-ready logging and reporting, consider enabling data retention via Trunc.

4. Prevent Bypass

Students are resourceful. Harden your deployment by:

• Blocking VPN and proxy categories
• Disabling browser-level DoH (which can bypass network DNS filtering)
• Blocking Tor and other anonymization tools
• Locking DNS settings on devices where possible (DNS lock guide)

5. Draft and Adopt Your Internet Safety Policy

Write a formal Internet Safety Policy addressing all five areas CIPA requires (inappropriate content, electronic communications safety, unauthorized access, personal information disclosure, and access restrictions for minors). Hold a public hearing, then have your governing body formally adopt the policy.

6. Certify on FCC Form 486

When filing your annual E-Rate paperwork, certify CIPA compliance on FCC Form 486. If you are still implementing measures, you may certify that you are "undertaking actions" toward compliance and will be fully compliant before the next funding year.

7. Verify and Test

After deployment, verify that filtering is working correctly:

• Use the DNS Leak Test to confirm your network is using CleanBrowsing
• Verify your DNS configuration on each network segment
• Test that blocked categories are actually blocked and that allowed content is accessible
• Confirm that administrator override capability works for adult users

What is CIPA compliance?

CIPA compliance means that a school or library has implemented all requirements of the Children's Internet Protection Act: technology protection measures (internet filtering), a written Internet Safety Policy adopted through a public hearing, monitoring of minors' online activity (schools only), and education about appropriate online behavior (schools only). Compliance is certified annually on FCC Form 486 as part of the E-Rate application process.

Does CIPA apply to my school or library?

CIPA applies only to schools and libraries that receive E-Rate discounts for internet access or internal connections, or libraries that receive LSTA grants. If your institution does not receive these federal funds, CIPA compliance is not legally required — though many organizations voluntarily adopt CIPA-aligned practices as a framework for responsible internet management.

What is the best CIPA-compliant internet filter?

The best CIPA-compliant filter is one that reliably blocks the categories CIPA requires (obscene content, child pornography, and material harmful to minors), provides monitoring capabilities, supports administrator override, and fits your budget. CleanBrowsing is trusted by hundreds of schools and universities for CIPA compliance, with plans starting at $75/year and no per-user pricing.

How do I implement CIPA compliance?

Implementation involves three parallel tracks: (1) deploy internet filtering technology on all computers with internet access, (2) draft and formally adopt a written Internet Safety Policy through a public hearing, and (3) establish monitoring procedures and digital citizenship education programs. See Step 7 above for a detailed implementation guide using CleanBrowsing.

Is DNS filtering enough for CIPA compliance?

DNS filtering satisfies the technology protection measures requirement of CIPA (content filtering and blocking). However, CIPA also requires a written Internet Safety Policy, a public hearing, monitoring of minors' online activity, and digital citizenship education. Technology alone is not sufficient — you also need the policy and educational components.

Does CIPA require filtering on personal devices (BYOD)?

CIPA requires filtering on "computers" with internet access that are owned or operated by the school or library. The FCC has not explicitly extended this to personal devices brought onto the network. However, if your school provides internet access that students' personal devices connect to, applying DNS filtering at the network level (router/firewall) effectively filters all traffic — including BYOD devices — without needing software on each device.

Can adults request that filters be disabled?

Yes. CIPA specifically requires that an authorized person may disable the technology protection measure for an adult user conducting bona fide research or other lawful purposes. For libraries, this means adults can request that filters be turned off. CleanBrowsing supports this through its profile system and allowlist management.

How often do we need to recertify CIPA compliance?

CIPA compliance is certified annually as part of the E-Rate funding application process (FCC Form 486). There is no separate audit or inspection — the certification is a self-attestation by the institution's authorized representative. However, maintaining accurate records and documentation is essential in case of an FCC inquiry.