Source · Select Committees · Public Accounts Committee

Recommendation 4 (Accepted)

Set out assessed proportions of critical/legacy IT, optimal assessment frequency, deadlines, and funding protection.

Recommendation
Government still has substantial gaps in its understanding of how resilient its IT estate is to cyber attack. In July 2024, GovAssure’s assessment of 72 critical IT systems across 35 organisations identified that government cyber resilience was substantially lower than the Cabinet Office expected. Departments had multiple fundamental control failures, including in risk management and response planning. The GovAssure scheme collects data about departments’ ‘critical’ IT systems to assess their cyber resilience. This is a clear improvement compared with the previous reliance on departments’ optimistic self-assessments, but government should have collected reliable data sooner. We recognise the need to balance effort between assurance and frontline security, but there is also scope for GovAssure to assess more systems, faster. Separately, DSIT’s understanding of Government’s ‘legacy’ IT assets relies on self-assessments by departments. By January 2025, 28 public sector organisations had identified 319 legacy systems in use across government, rating around 25% as ‘red’ because there was a high likelihood and impact of risks occurring. However, DSIT does not know how many legacy systems there are in total. Departments need to make a more complete and reliable assessment of their legacy systems so that government can take informed decisions about funding, prioritisation and risk.

The Cabinet Office should set out: what proportion of critical and legacy IT systems it has assessed so far; the optimal scale and frequency of assessment activity needed; a deadline for when this will be achieved by; and how it will prevent departments from diverting funding away from this activity.
Government Response Summary
The government commits DSIT to work with HM Treasury to develop a methodology for tracking funding for legacy remediation, include cyber resilience activity in regular departmental reporting, and establish mechanisms to protect budgets for these programmes to prevent fund diversion.
Government Response (HM Government: Accepted)
The government agrees with the Committee’s recommendation. systems and improve cyber resilience. DSIT will work with HM Treasury (HMT) to develop a methodology for tracking funding allocated to legacy remediation projects to ensure it is delivering the expected improvements. DSIT will work with HMT to include all government cyber resilience activity into departments’ regular reporting to HMT and DSIT on digital spending and delivery. DSIT is also working with HMT on mechanisms for protecting budgets for specific cyber and legacy remediation programmes to avoid diversion of funding after settlement.