Legacy IT reviews have found almost 80 government systems at ‘critical’ risk level


Senior digital leaders have revealed that a mechanism introduced in 2023 to consider the dangers of ageing tech in government has identified scores of red-rated systems across almost 30 agencies

Since being launched 18 months ago, government’s Legacy IT Risk Assessment Framework has identified about 80 systems currently used by agencies that pose a critical level of risk, according to the civil service’s most senior tech official.

Using a scoring system based on factors such as availability of vendor support, workforce skills, and downtime issues, the framework awards each system a score out of 30. Anything from 16 upwards is considered ‘red-rated’ – which “signifies that the system is at a critical level of risk, where the likelihood of encountering issues or failures is significant, and the potential impact of these issues could be severe”, according to the guidance.

Joanna Davinson, the interim government chief digital officer, this week told the Public Accounts Committee that, as of January 2025, the framework had been used across 29 departments and agencies, and had assessed 319 systems: “almost a quarter” of which were red-rated.

This equates to close to 80 systems deemed to pose a critical risk – and represents a near-twofold increase in the number of confirmed red-rated systems in the space of 12 months. In January 2024, parliamentary disclosures revealed the existence of at least 43 IT platforms across government ranked in the highest bracket of risk. Eleven of these were housed in the Ministry of Defence.

Assessments delivered by the framework so far have been targeted at the government entities with the biggest technology estates – including major departments, as well as some arm’s-length bodies, according to the digital leader.

Davinson, whose role is based in the Department for Science, Innovation and Technology, was asked by MPs how big a proportion of systems that require assessment have yet to be reviewed against the framework.

“The really honest answer is that we do not know,” the digital chief responded. “When we did our State of digital government review [in January], about 15% of the organisations that we spoke to did not know what their legacy IT was; they could not give us a view of it. There is a challenge there: the organisations that are responsible for legacy do not necessarily know themselves, in all cases, what the risks are in their estates. That was the whole purpose of creating the risk assessment framework: to shine a light and start to get information that enables us to challenge departments to do the work to understand that.”

She added: “We continue to expand the number of systems that we are looking at, working with departments. We are improving that information as we go, but it is not as simple as saying: ‘What is the list?’.”

Also giving evidence to MPs was Cat Little, the civil service chief operating officer and permanent secretary of the Cabinet Office.

Little told MPs that, when considering whether the Cabinet Office and DSIT should devote time and resources to compiling a comprehensive list of all legacy systems in use across the Whitehall landscape, “there is a choice whether… [we] should spend all our time trying to get 100% complete data, or whether we should get the balance on doing as much as we can and then relying on departments”.

“What we are choosing to do is say that we will get 80% or 90% there, but we really need departments to own the risk – to tell us where there are gaps and to make sure that accounting officers have the support to set out the risks, to bid into the SR (spending review) process and to come to us for help,” she added. “That is a partnership. It has always been thus, and to some extent it will always be that way. It is my absolute hope that in the SR we will be able to do a much better job than we have done previously of elucidating those risks, having a proper conversation about prioritisation and buying out as much risk as we can afford.”

Published in September 2023, the legacy framework was accompanied by broader guidelines which set out seven “indicators” that a hardware or software platform is likely to be considered legacy.

These include: software out of support; expired vendor contracts; too few people with required knowledge and skills; inability to meet current or future business needs; unsuitable hardware; known security vulnerabilities; and recent problems or downtime.

Sam Trendall