When the National Archives and Records Administration (NARA) revoked its long-standing endorsement of the DoD 5015.2 standard in 2022, it did not leave federal agencies without a reference. In its place NARA pointed to the Universal Electronic Records Management (ERM) Requirements, developed under the Federal Electronic Records Modernization Initiative (FERMI). Where 5015.2 was a single, product-oriented test administered through a certification regime, the Universal ERM Requirements are a deliberately broader, technology-neutral statement of what an electronic records solution must accomplish — leaving the how to vendors and implementers.
This deep dive looks past the headline of “what replaced 5015.2” and into the substance: how the requirements are organized, what functional ground they cover, the meaning of their normative language, and how agencies actually put them to work. For the surrounding policy landscape, see the compliance and standards hub.
Why NARA shifted to a requirements model
The move away from endorsing 5015.2 reflected a structural problem. A certification standard fixes a single technical baseline and assumes solutions look broadly alike — a records repository with a file plan, metadata fields, and disposition rules. Modern recordkeeping is messier: records live in email and chat platforms, case-management systems, cloud collaboration suites, and line-of-business applications, often without any user ever “filing” anything into a dedicated repository.
A requirements model accommodates that reality. Instead of asking “is this product certified against the standard?”, it asks “does this solution, however it is built, deliver these outcomes?” That framing lets agencies evaluate a SharePoint configuration, a cloud ERM service, or a custom system against the same yardstick. It also means a single certificate is no longer a shortcut to compliance — the burden shifts to demonstrating that capabilities are present and actually used.
How the requirements are organized
The Universal ERM Requirements are written as a structured set of statements grouped around the lifecycle functions an electronic records system must support. While the exact organization is maintained and periodically updated by NARA, the requirements broadly address capabilities such as:
- Capture and declaration — bringing records into managed control, including records created in systems not designed primarily for recordkeeping.
- Classification and metadata — associating records with a category, schedule, and the descriptive and contextual metadata that make them findable and interpretable over time.
- Maintenance and use — preserving the integrity, authenticity, and usability of records throughout their active life, including access controls and audit trails.
- Retention and disposition — applying approved schedules, managing holds, and executing defensible, documented destruction or transfer.
- Transfer — supporting the electronic transfer of permanent records to NARA in approved formats, consistent with the broader federal mandate to manage records electronically.
These functional groupings echo the international consensus captured in standards like ISO 16175, which sets out functional requirements for managing records in digital environments. The Universal ERM Requirements are not a clean-room invention; they sit within that broader body of records-management thinking and are intended to be read alongside it.
Normative language: MUST versus SHOULD
A defining feature of the requirements is their use of normative keywords. Statements framed as MUST (or “shall”) express mandatory capabilities — the floor a solution has to meet to support federal recordkeeping obligations. Statements framed as SHOULD express recommended capabilities that strengthen a program but allow for justified deviation depending on context.
This distinction matters in practice. It lets agencies separate non-negotiable functions from desirable enhancements when scoping a procurement or conducting a gap analysis. It also discourages a checkbox mentality: meeting every MUST does not automatically produce a mature program, and a thoughtful implementation often adopts SHOULD-level capabilities where risk or volume warrants. Reading the requirements carefully — and recording the rationale for any SHOULD not implemented — is itself part of building a defensible record of compliance.
How agencies and vendors use them
The requirements serve several audiences at once. Agency records officers use them as an evaluation framework — mapping each requirement to how their environment satisfies it, and surfacing gaps that need remediation, configuration, or new tooling. Acquisition staff use them as procurement language; FERMI is paired with a dedicated GSA Special Item Number so agencies can buy ERM services and solutions against a common federal specification rather than reinventing requirements for every contract. Solution providers use them as a design target, demonstrating how their offering meets each capability without claiming a single endorsement.
Because the model is demonstration-based rather than certificate-based, documentation becomes central. An agency that can show, requirement by requirement, how its system captures records, applies schedules, maintains audit trails, and transfers permanent records has produced exactly the evidence an inspection or audit looks for. A certificate alone — including a DoD 5015.2 certificate, which still exists as a product credential — does not substitute for that mapping.
Living guidance, not a frozen standard
Perhaps the most important practical point is that the Universal ERM Requirements are maintained guidance, not a one-time, frozen specification. NARA updates and refines them as recordkeeping technology and federal policy evolve. Agencies should therefore treat alignment as an ongoing activity: re-checking their environment against the current version, watching for new or revised requirements, and updating their compliance documentation accordingly. The authoritative text and any revisions are published through NARA’s records management policy and guidance, which agencies should consult directly rather than relying on summaries.
The net effect is a more flexible — and more demanding — compliance posture. Flexible, because almost any well-designed solution can meet the requirements in its own way. Demanding, because the responsibility to prove it, in detail and on a continuing basis, rests squarely with the agency.
Sources & further reading
Authoritative government and non-profit references.
- Records management policy and guidance — National Archives (NARA)
- Records management (NARA) — National Archives (NARA)
- ISO 16175 records in digital environments — ISO
How to cite this page
APA
RM University Editorial Team. (2026). The Universal ERM Requirements: A Deep Dive. Records Management University. https://www.recordsmgmt.org/articles/universal-erm-requirements-deep-dive/
MLA
RM University Editorial Team. "The Universal ERM Requirements: A Deep Dive." Records Management University, 16 June 2026, www.recordsmgmt.org/articles/universal-erm-requirements-deep-dive/.