How do I get a records management system certified to DoD 5015.2?
A key point to understand first: organizations are not certified to DoD 5015.2 — software products are. The standard defines the functional requirements a records management application must meet, and individual products are tested against it. So the real question is usually one of two things: how does a software product earn certification? or how do we, as an organization, choose a system that has it?
How a product gets certified
DoD 5015.2 is a U.S. Department of Defense standard describing the functions records management software must perform — declaring, categorizing, retaining, and disposing of records; controlling access; and producing reliable audit trails. Certification works like this:
- The software developer submits their product for formal testing against the standard’s requirements.
- An authorized test body — historically the Joint Interoperability Test Command (JITC) — runs the product through a structured test suite.
- If the product passes, it is added to a published register of compliant products.
This is a vendor-driven process tied to a specific product version. End-user organizations do not perform the certification themselves; they procure a system that already holds it.
What organizations should actually do
If your goal is a defensible recordkeeping program rather than a certificate on a product, focus on these steps:
- Define requirements first. Document your retention, access, security, and disposition needs before evaluating any system.
- Treat certification as evidence, not a guarantee. A 5015.2-tested product confirms the software can perform core functions — but only if configured and operated correctly. Certification of a tool does not certify your program.
- Verify scope and version. Confirm which version of the standard a product was tested against and which modules (for example, classified or Freedom of Information Act handling) are covered.
- Plan for governance. Pair the technology with policies, schedules, and training, then audit periodically to demonstrate compliance.
Context worth knowing
Note that the National Archives has shifted its own emphasis toward its Universal Electronic Records Management Requirements, so for federal agencies DoD 5015.2 may not be the primary benchmark it once was. Internationally, ISO 16175 specifies comparable functional requirements for records in digital environments. Check which framework your sector, agency, or regulator expects before pursuing any single certification.
Sources & further reading
Authoritative government and non-profit references.
- ISO 16175 records in digital environments — ISO
- Records management policy and guidance — National Archives (NARA)
How to cite this page
APA
RM University Editorial. (2026). How do I get a records management system certified to DoD 5015.2?. Records Management University. https://www.recordsmgmt.org/questions/how-to-get-dod-5015-2-certified/
MLA
RM University Editorial. "How do I get a records management system certified to DoD 5015.2?." Records Management University, 16 June 2026, www.recordsmgmt.org/questions/how-to-get-dod-5015-2-certified/.
Related questions
- Can a commercial off-the-shelf system meet the NARA Universal ERM Requirements without being DoD 5015.2 certified?
- Can a company be fined or sanctioned for not following ISO 15489 in a lawsuit?
- Can a US company store its records on servers in another country, and what cross-border data rules apply?
- Can following ISO 15489 actually help us pass an audit or hold up in court?
- Can I just adopt ISO 15489 word-for-word as our records policy, or does it not work that way?