What's actually doing the content filtering. Multi-platform is the K-12 norm — endpoint agent for student devices going home, DNS-layer at the boundary, sometimes a firewall or secure web gateway layer for on-campus traffic. Districts that selected a security DNS provider in IPS F10 typically also have Cisco Umbrella here.
Where filtering happens when devices are physically on the district network. Multi-layer (firewall edge + DNS forwarder + endpoint agent) is the strongest pattern; single-layer is workable. No on-campus filter is a CIPA violation.
CIPA requires filtering on school-owned devices used by minors off-campus — the rule explicitly covers take-home Chromebooks, iPads, and laptops. This is the most-commonly-overlooked CIPA requirement when districts roll out 1:1 programs without rethinking their filtering boundary.
Who owns the category list (porn, gambling, weapons, drugs, social media, streaming, anonymizers, etc.) and how often it gets reviewed. Joint IT + curriculum review keeps the policy from drifting toward either over-blocking (educators can't access legitimate resources) or under-blocking (categories the district said it would block aren't enforced).
CIPA explicitly requires a written internet safety policy addressing minors' access to inappropriate matter, safety in electronic communication, unauthorized access and disclosure, and access restrictions. The policy must be adopted by the board after public notice and hearing. Annual E-Rate certification depends on this being current.
CIPA permits — and effectively requires the ability — for adults to disable filtering for bona fide research or other lawful purposes. The absence of any process for handling this puts the district at the edge of compliance and creates friction for legitimate instructional needs.
CIPA mandates “monitoring online activities of minors” — logging is the industry-standard demonstration of that, and the practical signal source for student-safety incidents (self-harm queries, threats, attempts to access blocked categories). Logs without review are a compliance artifact; logs with review are a safety capability.