Source · Select Committees · Public Accounts Committee

Recommendation 25

25 Accepted

Government lacks comprehensive understanding of its total legacy IT estate and associated risks.

Recommendation
We challenged DSIT and the Cabinet Office on why they were not identifying and fixing legacy IT systems, where the risk is greatest and security lowest. DSIT told us that before 2023 the centre of government did not have much information about legacy IT but this was improving. DSIT data showed that around 28% of the public sector’s IT estate was legacy. Twenty-eight public sector organisations had identified 319 legacy systems and self-assessed almost 25% of these as ‘red’ for risk.53 DSIT said it wanted to expand this work and better align it with GovAssure.54 We asked how many legacy assets there were in total across government. DSIT told us it did not know, and that 15% of organisations it had spoken to, as part of the State of digital government review, also did not know what the situation was for their own legacy IT.55
Government Response Summary
The government agrees to the implied recommendation, with DSIT committed to improving data collection on legacy systems, ensuring departments use GovAssure for critical systems, supporting remediation efforts, and working with HMT to track funding for legacy projects and include cyber resilience in regular reporting by Spring 2026.
Government Response Accepted
HM Government Accepted
4.1 The government agrees with the Committee’s recommendation. Target implementation date: Spring 2026

4.2 DSIT is currently improving the way that they collect data on legacy systems across government.

4.3 Departments will continue to be required to identify and report on their critical systems through GovAssure, and drive adoption of the scheme across more of government.

4.4 The combined insights from these assurance frameworks will be used to determine the proportion of the estate which has been assessed, and the optimum scale and frequency of assessment activity going forward.

4.5 The government agrees with the Committee’s recommendation. Target implementation date: Spring 2026

4.6 DSIT will continue to support the work done by departments to remediate their legacy systems and improve cyber resilience. DSIT will work with HM Treasury (HMT) to develop a methodology for tracking funding allocated to legacy remediation projects to ensure it is delivering the expected improvements.

4.7 DSIT will work with HMT to include all government cyber resilience activity into departments’ regular reporting to HMT and DSIT on digital spending and delivery. DSIT is also working with HMT on mechanisms for protecting budgets for specific cyber and legacy remediation programmes to avoid diversion of funding after settlement.