What is the difference between being DoD 5015.2 certified and being compliant with records management law?
People often treat “DoD 5015.2 certified” and “compliant with records management law” as if they mean the same thing. They do not. One describes a product capability; the other describes an organizational obligation. Understanding the gap between them is essential to building a defensible records program.
What DoD 5015.2 Certification Means
DoD 5015.2 is a design criteria standard for records management application software. Originating with the U.S. Department of Defense, it specifies the functional requirements a software system should meet to manage records, such as capturing records, applying retention schedules, supporting disposition, and maintaining audit trails. Software products can be tested against this standard, and a product that passes is described as “certified.”
Certification tells you that a tool is capable of performing certain records functions. It is a statement about technology, evaluated at a point in time against a defined checklist.
What Compliance With the Law Means
Compliance is an obligation that rests with the organization, not the software. It means an entity actually meets the legal and regulatory requirements that apply to its records, which may include statutory recordkeeping duties, retention periods set by various authorities, access obligations, and preservation duties tied to litigation or investigations.
Compliance depends on far more than a tool:
- Policies and schedules that reflect the laws governing your records
- People and procedures who classify, retain, and dispose of records correctly
- Consistent execution over time, not just at a single audit
- Evidence that the program did what the law requires
Why the Distinction Matters
Using certified software can support compliance, but it does not create it. An organization can run a certified system and still violate the law by misconfiguring retention, failing to apply schedules, or ignoring legal holds. Conversely, the law generally cares about outcomes, not which product produced them.
In short:
- Certification = a tool meets a functional standard.
- Compliance = an organization meets its legal duties.
Treat certification as one input to a broader program. Authoritative recordkeeping principles and the body of applicable law, not a single certificate, ultimately define whether your organization is compliant. For related material, see the compliance and standards hub.
Sources & further reading
Authoritative government and non-profit references.
- Records management laws — National Archives (NARA)
- ISO 15489-1 Records management — ISO
How to cite this page
APA
RM University Editorial. (2026). What is the difference between being DoD 5015.2 certified and being compliant with records management law?. Records Management University. https://www.recordsmgmt.org/questions/difference-between-dod-5015-2-certified-and-legally-compliant/
MLA
RM University Editorial. "What is the difference between being DoD 5015.2 certified and being compliant with records management law?." Records Management University, 16 June 2026, www.recordsmgmt.org/questions/difference-between-dod-5015-2-certified-and-legally-compliant/.
Related questions
- Can a commercial off-the-shelf system meet the NARA Universal ERM Requirements without being DoD 5015.2 certified?
- Can a company be fined or sanctioned for not following ISO 15489 in a lawsuit?
- Can a US company store its records on servers in another country, and what cross-border data rules apply?
- Can following ISO 15489 actually help us pass an audit or hold up in court?
- Can I just adopt ISO 15489 word-for-word as our records policy, or does it not work that way?