New version of approval process will be a tied to a wide range of additional technical and commercial guidance aligned to government’s digital roadmap, while also offering potential greater independence
The Cabinet Office has published detailed new spending controls that demand departmental commitments including “no automatic contract extensions” while offering “earned autonomy” for organisations that demonstrate rigorous assessment of their own projects.
Published on Friday, version 6 of the government’s Digital and technology spend controls are intended to work in conjunction with several other pieces of guidance. This includes two newly created sets of rules – the Risk and importance framework, and the Digital and data function’s strategic commitments – as well as the existing Technology Code of Practice. The delivery and enforcement of all these guidelines is overseen by the Cabinet Office-based Central Digital and Data Office.
As before, all spending of more than £100,000 on citizen services is required to go through the controls process, as is all other digital and data spending in excess of £1m. All investment in cryptography products – regardless of value – require assessment and approval.
The intention of the new additional rules is to ensure that projects are aligned to government’s wider transformation roadmap, while enabling CDDO to better identify programmes that carry the highest degrees of risk.
The new strategic commitments guidance document states that departments “must consider [these] as part of the… spend control process”.
Agencies seeking approval for spending will be asked whether or not their projects align to the various commitments – which are closely tied to the objectives set out in the six missions defined by government’s three-year digital and data roadmap, published in 2022.
“Answering ‘no’ will not lead to an automatic rejection and you will need to explain why your spend cannot align to the commitment,” the guidance says.
“An argument for contract extension based on having insufficient time to consider alternatives is not sufficient grounds for approval”
Guidance on automatic contract extensions
On the roadmap’s mission of “transformed public services that achieve the right outcomes”, departments will be asked to agree to three commitments: to provide quarterly service performance data; use mandated central services, such as GOV.UK Notify and Pay; and use GOV.UK domains and the GOV.UK design system.
Agencies will also be expected to commit to using the new One Login system, to “make essential shared data assets usable across government”, and to ensure that delivery of the project in for which approval is sought is “overseen by a named crown or public servant”.
There are also two required commitments intended to support the mission of ensuring efficient, secure and sustainable technology across government: prevent technical debt and legacy; and follow the government cyber security standard.
Alongside these demands aligned with the government roadmap, there are also four specified requirements constituting “digital best practice in support of [the] commitments”.
The first of these best-practice requirements asks that government bodies “separate service integration from service provision” – ensuring that separate suppliers are appointed for these two distinct requirements.
Another new rule demands that there are “no automatic contract extensions” for digital and technology engagements, and that “contractual exit plans must be developed as an alternative to extension – or evidence provided for why an extension is both legally allowed and value for money”.
Detailed guidance on this requirement specifies that “an argument for extension based on having insufficient time to consider alternatives is not sufficient grounds for approval”.
The final two requirements ask that departments ensure they are complying with both accessibility and data-protection regulations.
Risk and reward
The other major new element of the controls is the risk and importance framework. The guidelines, which are intended to better identify potential high-risk plans, cover four types of investment, including: digital services; platforms and common components; commodity technology and licences; and specialist technology.
In each of these areas, organisations seeking approval will be asked a variety of questions intended to cover issues of: cost; value; risk to users; delivery team capability; novelty of technology; previous delivery quality; and political priority.
Having answered all these questions, each submission for approval will be assigned an overall risk and importance rating of high, medium, or low.
£100,000
Threshold at which spending on public-facing digital services requires approval
5%
Proportion of projects – selected at random – CDDO will continue to assess once a department has achieved ‘earned autonomy’
12 months
Minimum length of time in advance departments should begin the approval process
2018
Year in which version 5 of the spend controls were introduced
If a project is deemed to be high risk, CDDO will work closely with an organisation’s assurance professionals throughout, while a medium rating will result in lighter-tough level of consultation with the digital unit. If the submission is rated as low risk, no additional assurance support will be required.
Alongside the controls, new guidance has also been issued outlining how departments can achieve “earned autonomy”, granting them greater authority to self-assure their own projects at medium and low levels of risk and importance, and enjoy higher spending thresholds. To achieve such independence, organisations “must demonstrate that your organisation is continually achieving all the criteria in the ‘good’ category” of assurance guidelines.
“CDDO will propose a level of autonomy for your organisation and tell you what you will need to do to get that level,” the guidance says. “Your organisation must accept the proposal and agree to the recommendations. CDDO will write to its minister recommending that your organisation is granted ‘provisional earned autonomy’. The provisional status will run for a minimum of three months. During the provisional stage, CDDO advisers will review half of the decisions made by your assurance team and provide feedback. If your organisation is found to be making consistently good decisions, CDDO will recommend the minister grants you ‘earned autonomy’.”
Even after a department has been approved for this greater autonomy, CDDO will keep an eye on its activity to ensure it is continuing to adhere to the expected standards.
“CDDO… will randomly sample 5% of cases or any additional or unusual cases a CDDO advisor notices on your pipeline,” the guidelines say. “If a CDDO adviser notices consistent deficiencies, CDDO will ask you to implement an improvement plan and revert your organisation to a ‘provisional earned autonomy’ state. If your organisation does not make these improvements within the agreed time, the CDDO will recommend that the minister revoke the organisation’s earned autonomy, reverting the department to default levels.”
The controls clarify that approval should be sought at regular intervals throughout the delivery of a project, including the creation of strategic, outline and full business case, throughout the procurement process, and at the commencement of each phase of an agile project: discovery; alpha; and beta.
The latest version of the controls will maintain the long-term pipeline model first introduced in 2018 – and which it was recently revealed that all departments have now adopted. The controls state that agencies should begin the approval process “when you start to plan or up to 12 months before you expect to start spending”.
Alongside the new version of the controls, a dedicated digital service is also being introduced through which departments can submit their claims for approval. Previously, submissions were made by email.
The service will be rolled out across government in the coming weeks and, until an organisation is able to switch to using the new tool, their claims will continue to be assessed against version 5 of the controls.
A Cabinet Office spokesperson said: “The Digital and Technology Spend Control, originally published in 2018, ensures departments and other public bodies spend on digital and technology is in line with government priorities and represents the best value for money. The update to the Digital and Technology Spend Control guidance aligns to our commitments in the government’s digital future roadmap, and ensures all money spent helps us in achieving this goal, whilst cutting down on bureaucracy and red tape.”
