What happens when we decommission a legacy system that was never DoD 5015.2 or NARA-compliant and still holds active records?
Decommissioning a non-compliant legacy system is not just an IT project. The moment a system holds active records, retiring it becomes a recordkeeping event with legal and accountability stakes. The records do not lose their value or their obligations simply because the system that held them was never certified.
First principle: the records survive the system
A record’s retention and legal status are tied to the content and its business or legal context, not to the application that stored it. Shutting down the platform does not end any retention period, legal hold, or statutory obligation attached to the records inside it. Destroying records to avoid migrating them, or letting them become inaccessible by default, can expose an organization to spoliation, audit findings, and compliance penalties.
What to do before the lights go out
A defensible decommission generally works through these steps:
- Inventory and appraise. Identify what record types exist, their retention requirements, and whether any are subject to litigation or investigation holds.
- Migrate the records, not just the data. Move content together with the metadata that gives it meaning and defensibility — creation dates, authorship, classification, and audit history. Records stripped of context are far weaker as evidence.
- Preserve usable, open formats. Favor stable, non-proprietary formats so the records remain readable after the originating software is gone.
- Carry retention and holds forward. Re-establish retention rules and legal holds in the receiving system or repository before the legacy system is turned off.
- Document the chain of custody. Record what moved, how, when, and by whom, so the migration itself is auditable.
The compliance gap is your opportunity
Because the old system was never built to standard, this transition is the natural point to bring records into a compliant environment. Standards such as ISO 15489 (records management) and ISO 16175 (records in digital environments) describe the functional outcomes a trustworthy system should deliver — capture, retention, protection, and disposition with integrity — regardless of which platform you choose.
For federal records, NARA’s guidance establishes that records must remain reliable, authentic, and retrievable for their full lifecycle, and that disposition must follow an approved schedule rather than convenience.
In short: never let a system’s end date become a record’s end date. Plan the migration as a controlled records action, and a non-compliant retirement becomes a compliance upgrade. See more under compliance standards.
Sources & further reading
Authoritative government and non-profit references.
- Records management policy and guidance — National Archives (NARA)
- ISO 15489-1 Records management — ISO
How to cite this page
APA
RM University Editorial. (2026). What happens when we decommission a legacy system that was never DoD 5015.2 or NARA-compliant and still holds active records?. Records Management University. https://www.recordsmgmt.org/questions/what-happens-when-we-decommission-a-non-compliant-legacy-records-system/
MLA
RM University Editorial. "What happens when we decommission a legacy system that was never DoD 5015.2 or NARA-compliant and still holds active records?." Records Management University, 16 June 2026, www.recordsmgmt.org/questions/what-happens-when-we-decommission-a-non-compliant-legacy-records-system/.
Related questions
- Can a commercial off-the-shelf system meet the NARA Universal ERM Requirements without being DoD 5015.2 certified?
- Can a company be fined or sanctioned for not following ISO 15489 in a lawsuit?
- Can a US company store its records on servers in another country, and what cross-border data rules apply?
- Can following ISO 15489 actually help us pass an audit or hold up in court?
- Can I just adopt ISO 15489 word-for-word as our records policy, or does it not work that way?