Who is accountable when a DoD 5015.2 certified system is deployed but staff never apply the file plan or retention rules?
A common misconception is that buying a certified system satisfies an organization’s recordkeeping obligations. It does not. Certification under DoD 5015.2 evaluates whether a software product is capable of enforcing records management functions, such as applying a file plan, assigning retention, and executing disposition. It says nothing about whether an organization actually uses those capabilities. When staff never apply the file plan or retention rules, accountability remains with the organization and its people, not the vendor or the certificate.
What certification does and does not cover
Certification is a statement about technical capability under controlled test conditions. It confirms the tool can do the job. It does not configure your file plan, classify your records, or compel anyone to use the system correctly. A certified product operated as a generic file share produces the same compliance gaps as any uncontrolled repository.
Where accountability actually sits
Responsibility is layered, and each layer is answerable for its part:
- Senior leadership / agency head: ultimately accountable for the records management program and for ensuring records are managed for their full lifecycle. This duty is not delegable to a software purchase.
- Records officer / records manager: accountable for designing the file plan, approving retention schedules, and overseeing that they are applied in practice.
- System owners and IT: accountable for configuring the certified system so its controls are turned on and enforced, not left dormant.
- Individual staff and supervisors: accountable for filing records correctly and following procedures as part of their normal duties.
Why deployment alone is not compliance
Recognized practice treats records management as a governed program, with assigned roles, documented policy, training, and monitoring, not a one-time technology event. A system that is deployed but unused leaves an organization exposed to the same risks it sought to avoid: unmanaged retention, failed disposition, and inability to produce records for audits, litigation, or access requests.
In short, the certified system is a means of meeting obligations, never a substitute for them. Accountability flows from the program and the people who run it. To close the gap, organizations should assign clear ownership, configure and enforce the file plan, train staff, and audit results over time.
For broader context on standards and how they fit into a governance program, see the compliance and standards hub.
Sources & further reading
Authoritative government and non-profit references.
- Records management (NARA) — National Archives (NARA)
- ISO 15489-1 Records management — ISO
How to cite this page
APA
RM University Editorial. (2026). Who is accountable when a DoD 5015.2 certified system is deployed but staff never apply the file plan or retention rules?. Records Management University. https://www.recordsmgmt.org/questions/who-is-accountable-when-dod-5015-2-system-is-deployed-but-file-plan-is-never-used/
MLA
RM University Editorial. "Who is accountable when a DoD 5015.2 certified system is deployed but staff never apply the file plan or retention rules?." Records Management University, 16 June 2026, www.recordsmgmt.org/questions/who-is-accountable-when-dod-5015-2-system-is-deployed-but-file-plan-is-never-used/.
Related questions
- Can a commercial off-the-shelf system meet the NARA Universal ERM Requirements without being DoD 5015.2 certified?
- Can a company be fined or sanctioned for not following ISO 15489 in a lawsuit?
- Can a US company store its records on servers in another country, and what cross-border data rules apply?
- Can following ISO 15489 actually help us pass an audit or hold up in court?
- Can I just adopt ISO 15489 word-for-word as our records policy, or does it not work that way?