Is it true that buying DoD 5015.2-certified software automatically makes my whole organization compliant, or do we still have to do something?
No. This is one of the most common and costly misconceptions in records management. Buying DoD 5015.2-certified software is a useful step, but it does not, by itself, make your organization compliant with anything. Certification applies to a product’s tested capabilities, not to how your organization actually manages its records.
What the certification actually means
DoD 5015.2 (the Design Criteria Standard for Electronic Records Management Software Applications) defines a baseline set of functional requirements a records system should be able to perform, such as applying retention schedules, capturing metadata, controlling disposition, and protecting records from unauthorized change. Certification means an independent test program confirmed the software can do those things in a controlled test.
What it does not mean:
- That those features are turned on or configured correctly in your environment.
- That your retention schedules, security classifications, or disposition rules are loaded and accurate.
- That your staff are trained to use the system as intended.
- That you satisfy the specific laws, regulations, or contractual obligations that apply to your organization.
In short, certification describes the tool. Compliance describes your program.
What you still have to do
Compliance is the outcome of policy, people, and process working together with the technology. Regardless of which certified product you choose, your organization is responsible for:
- Governance and policy. Adopt records management policies, assign clear roles, and document procedures.
- Retention schedules. Develop and maintain legally grounded schedules, then configure the system to enforce them.
- Configuration and testing. Set up classifications, permissions, and disposition workflows, then verify they behave as your policy requires.
- Training and culture. Ensure staff actually capture and declare records rather than working around the system.
- Audit and continuous improvement. Monitor, audit, and adjust as laws, business needs, and risks evolve.
International guidance such as ISO 15489-1 frames records management as a managed program built on policy, responsibilities, and ongoing controls, not a one-time purchase. Certified software can make a strong program easier to run, but it can never replace one.
A helpful way to think about it: the right tool removes obstacles to compliance, but you still have to do the managing. For more on how standards fit into a records program, see the compliance and standards hub.
Sources & further reading
Authoritative government and non-profit references.
- Records management policy and guidance — National Archives (NARA)
- ISO 15489-1 Records management — ISO
How to cite this page
APA
RM University Editorial. (2026). Is it true that buying DoD 5015.2-certified software automatically makes my whole organization compliant, or do we still have to do something?. Records Management University. https://www.recordsmgmt.org/questions/is-dod-5015-2-certified-software-enough-to-be-compliant/
MLA
RM University Editorial. "Is it true that buying DoD 5015.2-certified software automatically makes my whole organization compliant, or do we still have to do something?." Records Management University, 16 June 2026, www.recordsmgmt.org/questions/is-dod-5015-2-certified-software-enough-to-be-compliant/.
Related questions
- Can a commercial off-the-shelf system meet the NARA Universal ERM Requirements without being DoD 5015.2 certified?
- Can a company be fined or sanctioned for not following ISO 15489 in a lawsuit?
- Can a US company store its records on servers in another country, and what cross-border data rules apply?
- Can following ISO 15489 actually help us pass an audit or hold up in court?
- Can I just adopt ISO 15489 word-for-word as our records policy, or does it not work that way?