Legacy supplier retained as Covid and Ukraine war has ‘delayed meaningful transformation’ of national vetting system

Cabinet Office awards deal – of unspecified length and value, and without competition – as time runs short before conclusion of existing contract and replacement work for critical service running behind schedule

Government has retained the supplier of the existing legacy system for national security vetting after progress on long-standing transformation and replacement work was stalled by the Covid pandemic and the war in Ukraine.

Newly published commercial documents reveal that, at the start of this month, the Cabinet Office signed a contract – of unspecified length and value, and without any competitive process – with global IT services giant CGI, the provider of the National Service Vetting System (NSVS). The firm’s deal to support the service was due to conclude early next year but this has been extended – seemingly indefinitely – as it is no longer possible to complete a transformation programme intended to deliver a replacement before the existing agreement concludes.

“A surge in demand caused by the war in Ukraine and a backlog due to Covid-19 placed increased pressure on the system which has delayed any meaningful transformation work,” the contract-award notice said. “Cabinet Office has resumed work on transformation., but it is not practically possible for a replacement system for NSVS, supplied by an economic operator other than the incumbent, to be procured and operational in time for the expiry of the current contract in February 2024.”

This conclusion is supported by a report from the National Audit Office earlier this year that found that in April 2022 – six weeks after Russia invaded Ukraine – just 7% of developed vetting clearances were being successfully within the target of 95 days. The report also found that the UK Security Vetting unit was understaffed by as much as a quarter, and that its parent department, the Cabinet Office, had been forced to write off £2.5m on “a failed IT upgrade”.

Related content

The NAO also noted the urgency of transformation work, finding that “old and unstable” technology was a significant contributory factor to UKSV’s performance issues, which auditors said were putting the effective functioning of government departments and national security at risk.

The freshly released procurement document added that extending government’s engagement with CGI is especially important as the system is critical to national security.

“NSVS is the only IT platform available to process requests for national security vetting that meets the requirements of both UKSV and its customers,” the notice said. “UKSV is an important apparatus protecting the UK from attack by ensuring that suitably qualified people are appropriately vetted during the appointment process.”

It added: “NSVS is faced by highly sophisticated attacks conducted by nation-states with near-limitless resources. A complex set of specific requirements are needed to help keep NSVS – and more importantly the vetting data that it holds – safe and secure, which are being developed as part of the planning for a replacement system and service.”

UKSV – and the vetting system it supports – was moved to the Cabinet Office in 2020 from its previous home in the Ministry of Defence. The central department is now leading a transformation programme, which encompasses the development of new underpinning technology platforms.

The notice acknowledges that the current service is a “legacy system [that] is about 10 years old and is in need of transformation”.

CGI began working with the MoD in 2008, providing the Cerberus vetting service used by the ministry, the Foreign Office and the wider defence sector. It was appointed in 2015 to lead the development of NSVS, which was intended to provide a system suitable for use across government more broadly.

The contract notice states that, as well as the lack of “suitable commercial off-the-shelf products available that would support a quick re-procurement exercise” before the current deal expires in six months’ time, “the incumbent owns essential intellectual property that interfaces with another supplier’s software and systems”.

“Any new supplier would need to build a similar interface solution to connect to multiple sources and translate data into suitable formats for the rest of the system to process which would require a considerable length of time,” it added.

“Replacing the incumbent with another supplier would [also] mean replicating a very specific set of security controls and building a new environment to manage that complexity, which cannot be done before February 2024.”

Sam Trendall

Learn More →

Leave a Reply

Your email address will not be published. Required fields are marked *

Thank you! Your subscription has been confirmed. You'll hear from us soon.
Subscribe to our newsletter