Disclosures from a range of departments reveal that other organisations with multiple systems rated red on CDDO’s risk framework include HMCTS, DWP and HMRC – but some refuse to provide data
At least 43 legacy IT systems across government are at a critical level of risk, with 11 of those being used in the Ministry of Defence, disclosures from departments have revealed.
A red rating indicates that a system is “at a critical level of risk, where the likelihood of encountering issues or failures is significant, and the potential impact of these issues could be severe”, according to the Central Digital and Data Office’s Legacy IT Risk Assessment Framework.
The figures were published by departments in response to a series of parliamentary questions tabled by Reading East MP Matt Rodda. However, there may be more red-rated systems still in use as some departments have refused to release their data.
Of the agencies which disclosed how many red-rated legacy IT systems they have, HM Courts and Tribunals Service came in second with nine, followed by the Department for Work and Pensions with six, the Ministry of Justice with five, and the Cabinet Office and HM Revenue and Customs with four each.
The MoJ said it has only assessed its top 10 most critical legacy IT systems, however, and is currently in the process of judging the rest of its systems against the CDDO framework.
The framework describes a red rating as “an alert that draws attention to systems that require immediate attention, mitigation, or remediation due to their potential to cause substantial harm, disruption, or negative consequences if left unaddressed”.
It says red-rated systems “likely exhibit a combination of factors that make them more vulnerable, such as outdated technology, lack of support, susceptibility to security breaches, and potential hindrance to meeting business needs”.
The CDDO framework says red-rated systems “should be given top priority for management, modernisation, or replacement to reduce their risk and ensure the continued smooth operation of the organisation’s IT infrastructure”.
The Department for Culture, Media and Sport has refused to reveal how many of their systems are red-rated, citing security concerns.
In the MoD disclosure, defence procurement minister James Cartlidge said: “The MoD takes the issue of the resilience of our IT networks extremely seriously, and we are driving forward with a number of initiatives to improve it. Work that has been undertaken in line with the CDDO framework includes conducting of obsolescence risk assessments for our critical systems, and creating remediation plans at pace for any of those requiring immediate attention.”
Rodda, who is Labour’s shadow AI minister, said the scale of legacy tech woes at the MoD is “utterly unacceptable”.
“Key departments – including the Ministry of Defence, the department chiefly responsible for the security of Britain – should simply not have this many critical failures in their systems. We can’t even get the basics right,” he told PublicTechnology sister publication Civil Service World.
He called on the government to “update the public on whether these failures represent national security risks”.
Two former Conservative defence ministers – Mark Francois and Tobias Ellwood – also called for the government to urgently review the security of the MoD’s IT systems in light of the data.
Of the rest of the departments, five revealed that they have one red-rated legacy IT system: HM Treasury; the Foreign, Commonwealth and Development Office; the Department for Business and Trade; the Department for Environment, Food and Rural Affairs; and the Department for Education.
Another five departments said they have zero: the Department for Health and Social Care; the Department for Science, Innovation and Technology; the Department for Levelling Up, Housing and Technology; the Attorney General’s Office; and the Northern Ireland Office.
The Department for Energy Security and Net Zero said it does not hold this information as the department is new “so the risk is unlikely to be recorded”, and the Scotland Office said it uses a system provided and operated by the Cabinet Office.
A government spokesperson said: “We take the issue of the resilience and security of our IT networks extremely seriously and we have always ensured government IT systems are keeping pace with technological change. At the 2021 Spending Review, £2.6bn was allocated to cyber security and the replacement of legacy IT, to complement £600m invested at the previous year’s Spending Review. The Central Digital and Data Office is playing a leading role in delivering long-term digital transformation across government and this transformation programme is expected to deliver over £1bn in efficiency savings by 2025.”
In a recent speech, the soon-to-depart civil service chief operating officer claimed that government has “really turned a corner in the last three years” in its mission to tackle legacy systems, and now has “a funded and carefully planned out remediation plan” for all systems rated at the highest levels of risk.
CDDO recently updated the framework for assessing and defining legacy IT. The new rules include consideration of waning knowledge of the technology’s operation and issues with downtime in the recent past.