Web Content Filtering System

The Vendor is required to provide web content filtering system will be used by agency to monitor and control content that users can access on the internet while connected to the district’s network, or on district-managed devices.
- System requirements, features, and services
•    System must seamlessly integrate with agency existing network infrastructure (e.g., firewalls, switches) and identity management systems (e.g., active directory, Microsoft ENTRA, google workspace). 
•    System must be scalable to manage filtering for over 320,000 students and 45,000 staff across approximately 390 locations, accommodating current and future growth. 
•    System must support up to 200 gigabits of peak traffic with capability of scaling to higher throughputs in the future. 
•    The district has two internet egress locations with 100 gigabit interfaces each. 
•    System must provide a means of user identification for personal devices not managed by the district as well as district managed devices (e.g. Captive portal, radius, etc.). 
•    System must provide content filtering services for all devices that are utilizing the district’s network as well as managed devices that leave periodically. 
•    A managed device is a district-owned device that is centrally administered by the school district using management tools, allowing the district to enforce security policies, install software, apply updates, and monitor compliance. 
•    Any needed agent on managed devices will support all available web browsers. 
•    This agent will support the following operating systems: windows, macos, iOS, ipados, android and chromeos. 
•    System must provide transparent filtering for devices not managed by the district. 
•    System must prevent unmanaged devices from circumventing the filter as effectively as managed devices. 
•    System must filter unmanaged devices using an in-line appliance at each of the district’s internet egress locations. 
•    An in-line appliance is a physical network security device that is physically inserted directly into the network traffic path at an internet egress point, such that all inbound and outbound traffic must pass through the device for inspection, filtering, and enforcement before accessing the public internet.
•    The appliance operates inline and must enforce web content filtering in real time to identify unmanaged devices, without requiring client-side software. 
•    This may include managed devices that do not have an agent.
•    System must not rely solely on agency filtering for unmanaged devices. 
•    System shall be a fully self-contained solution that has no dependencies on existing agency hardware infrastructure or software licenses. 
•    System must be able to provide a “single pane of glass” console which aggregates all locally hosted and cloud-based resources. 
•    System must offer a mechanism to accommodate differentiated filtering options based on grade levels prek-12, adult students, guest, and employees and allow further subcategorization within each custom group. 
•    System shall allow the option of scheduling policies to apply at future times without requiring manual initiation. 
•    System shall provide robust reporting capabilities, including but not limited to:
o    Application usage. 
o    Categorization usage. 
o    Ability to scale up in a hierarchical fashion i.e., by student, grade levels, school and district.
•    System must allow logging of events to include, but not limited to: logins, logouts, policy changes, rule changes. 
•    System shall be able to send audit logs to a separate SIEM (security information and event management) product. 
•    Audit logs are defined on number 15. 
•    System must be able to allow web filter policy configurations based on one or a combination of the following: username, group membership, or IP address. 
•    System shall provide a way to display relevant information about policy assignments (e.g., why a policy change was applied, internal ticket number). 
•    System shall provide a client-side diagnostic utility to troubleshoot common issues. 
•    System shall provide an option for temporary policy elevation or bypass from client for blocked pages and services. 
•    System must include a method for quick bypassing of all filter rules for troubleshooting. 
•    System shall allow live monitoring of web sessions for the sake of troubleshooting connectivity issues. 
•    System must allow a hierarchy to be configured which decides what policies take precedence over others. 
•    System shall be able to allow blocking and unblocking of uniform resource locator (URLS) or content delivery network (CDNS) based on a specific application or signature.
•    System must support and utilize a combination of URL and domain filtering, category filtering, keyword filtering, and content-aware analysis (including real-time image and video analysis) to prevent new or uncategorized inappropriate content. 
•    System must enforce a policy that prohibits and prevents students from accessing social media platforms using internet access provided by the school district and on-site or off-site on district managed devices. 
•    System shall allow exceptions when expressly directed by a teacher solely for educational purposes, requiring the system to have a mechanism to allow a teacher-controlled, temporary bypass for specific educational platforms. 
•    System shall be capable of full traffic inspection without negatively impacting network performance or user experience to detect content hidden within encrypted traffic. 
•    System must proactively block known and emerging methods of filtering bypass, including but not limited to proxies, virtual private networks (VPNS), and anonymizer services. 
•    Along with proposal response, provide timely information on current hardware lifecycle and future roadmap for upgrades. 
•    This must include consideration for any third-party hardware or software solutions that is utilized by the service. 
•    Provider must have a service level agreement (SLA) that ensures expedited response (within 2 hours of notice by the district) to issues that are reported 24/7. 
•    System must comply with all state laws and statutes related to web content filtering, including any prohibited content outlined in state statute. 
•    System shall be able to perform deep filtering and recognize A.I. prompts and A.I.-generated responses and content, and block them appropriately. 
•    System shall automatically detect and restrict access to inappropriate or harmful images including those on uncategorized, proxy, or A.I.-generated sources while allowing configurable sensitivity levels and exemptions to support instructional needs. 
•    System must retain historical web traffic and audit logs for a minimum of 90 calendar days. 
•    Provider must provide a detailed deployment plan and timeline, including a phased rollout strategy for all schools and devices. 
•    System must be maintained with continuous, real-time threat intelligence updates and content categorization to address new and emerging web threats and domains. 
•    Provider must provide comprehensive, hands-on training for district IT staff and end-user support teams on system management, configuration, troubleshooting, and reporting.