As part of broader efforts to address ageing IT, stretching back over many years, the benefits department has engaged a major services firm to support its upgrade and mitigation work
The Department for Work and Pensions has signed a multimillion-pound deal for a tech company to help “discover solutions” to the prevalence of legacy technology across the organisation.
The DWP has long-standing and well-recognised issues with ageing IT; the organisation’s most recent annual report revealed that 70% of its benefit and pensions caseload – equating to about £200bn paid out to citizens each year – is still processed using legacy systems.
To help tackle this outdated infrastructure and technical debt – the term applied to current and future maintenance costs associated with inefficient systems – at the start of this week the DWP entered into an initial two-year contract with Capgemini. Over the course of the engagement – which can be extended by six months, at the department’s discretion – the consultancy will support the government body’s approach to mitigating the impact of ageing platforms.
A newly published contract notice says: “This is a 24-month resource-based contract to assist the Department for Work and Pensions to discover solutions to the legacy technical debt within DWP.”
Inclusive of VAT, a total of £24m is expected to be spent between now and October 2027 – plus a potential additional £6m, if the agreement is extended.
The department’s annual accounts for the 2024/25 year, published this summer, indicated that the DWP’s plans to address legacy tech and services in use across the department will focus on areas identified as posing the greatest risk.
“To address the impact of our outdated IT services, we developed plans to take a new risk-based approach to identify legacy services,” the yearly report says. “This forms the focus for future, targeted investment in years ahead.”
In September 2023, government launched a Legacy IT Risk Assessment Framework and, earlier this year, it was revealed that more than 300 systems across 29 departments and agencies had been reviewed using the guidelines. About 80 of these were given a red rating – indicating a critical level of security risk.
Beyond this, when government’s new digital centre conducted a cross-government review at the start of 2025, “about 15% of the organisations that we spoke to did not know what their legacy IT was; they could not give us a view of it, [and] there is a challenge there: the organisations that are responsible for legacy do not necessarily know themselves, in all cases, what the risks are in their estates”, then government chief digital officer Joanna Davinson said in March.
The legacy assessment framework was accompanied by broader guidelines which set out seven “indicators” that a hardware or software platform is likely to be considered legacy.
These include: software out of support; expired vendor contracts; too few people with required knowledge and skills; inability to meet current or future business needs; unsuitable hardware; known security vulnerabilities; and recent problems or downtime.
The DWP is certainly not alone in facing issues with legacy IT – HM Revenue and Customs recently revealed that it had assessed its own overall technical health rating at 3 out of 5 – one point below a score which is considered “acceptable”.
The recent annual report from the National Cyber Security Centre revealed that UK organisations were hit with more than 200 cyberattacks classed as being “nationally significant” over the course of the year – well over double the tally from the prior year. Vulnerabilities in legacy systems were cited by the NCSC as a key “contributing factor” in many serious incidents. The cyber intelligence agency pointed to three security advisory notes issued during the year – respectively released by Microsoft, Ivanti, and Fortinet – regarding vulnerabilities which “alone were associated with 29 incidents managed by the NCSC”.