CIPA Compliance: Using Cybersecurity to Keep Kids Safe

By Susan Biddle | August 31, 2017

Cybersecurity measures are being adopted and fine-tuned across industries to ensure sensitive data is protected against cybercriminals and evolving attack vectors. However, some industries, including education, are held more accountable for data protection than others.

The federal government requires schools to have certain protective features in place under the Children’s Internet Protection Act (CIPA), which was enacted in 2000. CIPA seeks to protect the personal information of minors from unauthorized viewers and to keep minors from accessing inappropriate material online.

Adopting technology and cybersecurity strategies that ensure the goals of CIPA are upheld has become more important, albeit more difficult, as technology becomes prolific in the classroom and cyberattacks become increasingly sophisticated. IT teams have to combat ransomware, phishing attacks, and social engineering at the same time that the number of endpoints accessing their network rises. Moreover, the increase in device and bandwidth use that requires in-depth network security also means higher costs for often limited IT budgets.

Core CIPA Regulations & Requirements

CIPA compliance is broken into five core components. They govern what minors are able to access online, with whom they can communicate, and who can access and disseminate personal information about them, and they restrict hacking and unlawful cyber behavior.

Forbid access to inappropriate materials

Schools must ensure students cannot access material that might be inappropriate or harmful to them while connected to their network. This means adopting technology protection measures that filter or block access to images of child pornography and images that are obscene or harmful on devices being used. There are various guidelines for determining which images and websites fall under these umbrella terms based upon court stipulations, legal precedent, and individual judgment. Obscene content is defined by Miller vs. California as that which does not offer legitimate literary, artistic, political, or scientific value. Local school boards, agencies, or other local authorities determine what counts as inappropriate material.

Ensure safety when using online communications

In addition to limiting what students can access online, schools must ensure they safely and securely engage with electronic forms of communication, such as email and chat rooms. Many forms of malware, such as ransomware (which affected 77 schools and colleges in 2020), are disseminated through infected email attachments or links sent in emails. In order to keep the network secure and children from interacting with dangerous users, schools must implement protocols that limit malicious communication.

Protect the personal information of students

Schools keep records on their students that include personally identifiable information (PII), financial information, and health information. This makes them a target for cybercriminals who seek to sell this data on the dark web. To ensure the privacy of each child, only certain employees at the school should have access to these records. CIPA requires that schools restrict unauthorized disclosure, use, and dissemination of personal information regarding minors, and therefore must have the proper security measures in place to keep this information private.

Prevent students from gaining unauthorized access to information

While it is clearly important that schools keep external actors from gaining access to sensitive information, it is just as important that students cannot hack into this or other protected information. Thus, CIPA requires schools to have solutions in place that prevent hacking and other unlawful activities by minors online.

Design an acceptable use policy

In addition to these rules for guidance, schools must also have a community meeting to discuss what they entail, define any ambiguous material, and come up with an acceptable use policy to be implemented across the school’s community. 

CIPA Compliance is Required for E-Rate Funding

In addition to protecting children’s personal information and safety, CIPA compliance is required for schools to be eligible for E-rate funding. E-rate is a government-run program that grants money to K-12 schools for internet access and critical technical infrastructure costs. This money has become necessary for school administrators as technology becomes more ingrained in the education process.

Today, both students and faculty expect to have access to devices, applications, and Wi-Fi while on school grounds. In addition to providing these services, IT teams must ensure their tech infrastructure can stand up to an increased number of endpoints as students and staff alike continue to bring their own devices. Bandwidth costs, access points, switches, caching, and other types of infrastructure amount to huge costs for education IT budgets and can prevent them from using funds for programs such as digital curriculums and education-focused applications.

E-rate is mitigating these costs with approximately $4.3 billion distributed to K-12 schools for IT in 2021. However, in order to be approved to receive this money, schools must demonstrate that they comply with CIPA’s ordinances. As such, CIPA compliance, cybersecurity, and technology use go hand-in-hand.  

Enabling CIPA Compliance Through Cybersecurity Solutions

The best way to ensure CIPA compliance is with integrated cybersecurity solutions that keep students safe online, while also protecting networks from a broad range of cyberattacks.

Next-generation firewalls (NGFWs) built on FortiGate technology provide wide network protection from known and unknown threats, including ransomware, malware, and botnets, in addition to providing content filtering and the blocking of unwanted or malicious websites.

Anti-virus and web filtering from FortiGuard Labs block the latest threats and restrict access to unwanted websites. FortiGuard also automatically distributes critical updates based on the most recent threat intelligence. While FortiGate and FortiGuard Labs services block malicious content and websites, Unified Threat Management solutions enable educational institutions to set different user abilities for students, administrators, faculty, and guests to segment access to material based on policy.

Finally, to mitigate threats disseminated through email, such as ransomware and phishing, Fortinet offers secure email gateways to block these types of attacks, while also ensuring that sensitive data is not leaked through outgoing messages. 

Due to CIPA and E-rate, schools’ IT programs and curriculum are inextricably tied to cybersecurity. These rules ensure the safety of minors in addition to making schools E-rate eligible; thus compliance is necessary.

Schools must meet these needs within their budget, even with limited resources. In addition to providing comprehensive security, Fortinet’s products are integrated with each other, offer automatic updates, and limit the strain on IT teams with single-pane-of-glass visibility into the entire security framework.