Who is responsible for configuring and maintaining the DoD 5015.2 access controls and audit settings after the software is installed, IT or the records officer?
The short answer is that it is a shared responsibility. DoD 5015.2-style certification tests what the software can do; it does not decide who configures it. After installation, the records officer and IT each own a distinct layer of the same controls, and a compliant system depends on both doing their part.
What each role typically owns
The records officer (or records manager) owns the policy layer. This is the person who decides what the controls should enforce, based on the organization’s recordkeeping requirements:
- Which file plan, categories, and record series exist
- Who may declare, view, edit, or destroy records in each category
- What retention and disposition rules apply
- What events must be captured in the audit trail to prove records are authentic, reliable, and trustworthy
These are business and governance decisions, not technical ones. They flow from law, regulation, and organizational policy rather than from the software itself.
IT (or a system administrator) owns the technical implementation. IT translates those policy decisions into the system’s configuration:
- Creating user and group accounts and mapping them to roles
- Applying the permission settings the records officer specifies
- Enabling and protecting the audit log so it cannot be altered or disabled
- Patching, backups, and integration with the organization’s identity and security infrastructure
Why the split matters
If IT configures access purely from a technical standpoint without records-management input, the result is often secure but non-compliant — for example, audit events that satisfy general IT logging but not recordkeeping requirements. Conversely, a records officer cannot enforce a file plan without administrative rights to the platform. International guidance such as ISO 15489 frames recordkeeping as a governance function with clearly assigned roles and responsibilities, which is exactly why these duties are separated rather than handed to one team.
Practical model
Most organizations succeed by treating it as a partnership: the records officer authors the access-control and audit requirements, IT implements and maintains them, and the two review settings together on a regular cadence. Document who approves changes to permissions and audit configuration so accountability is clear.
For broader context on recordkeeping standards and roles, see the compliance standards hub.
Sources & further reading
Authoritative government and non-profit references.
- ISO 15489-1 Records management — ISO
- Records management (NARA) — National Archives (NARA)
How to cite this page
APA
RM University Editorial. (2026). Who is responsible for configuring and maintaining the DoD 5015.2 access controls and audit settings after the software is installed, IT or the records officer?. Records Management University. https://www.recordsmgmt.org/questions/who-maintains-dod-5015-2-access-controls-and-audit-settings-it-or-records-officer/
MLA
RM University Editorial. "Who is responsible for configuring and maintaining the DoD 5015.2 access controls and audit settings after the software is installed, IT or the records officer?." Records Management University, 16 June 2026, www.recordsmgmt.org/questions/who-maintains-dod-5015-2-access-controls-and-audit-settings-it-or-records-officer/.
Related questions
- Can a commercial off-the-shelf system meet the NARA Universal ERM Requirements without being DoD 5015.2 certified?
- Can a company be fined or sanctioned for not following ISO 15489 in a lawsuit?
- Can a US company store its records on servers in another country, and what cross-border data rules apply?
- Can following ISO 15489 actually help us pass an audit or hold up in court?
- Can I just adopt ISO 15489 word-for-word as our records policy, or does it not work that way?