Source · Select Committees · Public Accounts Committee
Recommendation 26
26
Accepted
Unacceptable knowledge gap persists due to poor legacy IT asset management across government.
Conclusion
We pressed DSIT and the Cabinet Office on why Government’s understanding of its legacy IT was so limited. They told us that the amount of legacy systems, and understanding of them, varied between departments. They said this was because information about legacy systems 48 Q 39 49 Qq 41–42 50 Q 43 51 C&AG’s Report, para 1.3 52 C&AG’s Report, para 3.5 53 Q 47; Letter from the Civil Service Chief Operation Officer and Cabinet Office Permanent Secretary relating to the oral evidence session held on 10 March 2025 on Government Cyber Resilience, 24 March 2025 54 Q 47 55 Q 49; Department for Science, Innovation & Technology, State of digital government review, January 2025 15 was not easy to access and was spread across arm’s–length and other public bodies. The Cabinet Office agreed there was an unacceptable gap in knowledge about government’s legacy IT.56 We asked why departments could not provide a list of the systems they have. We heard that data were in different formats across departments and poor asset management meant departments could not easily collate this data.57 DSIT told us that departments and the centre of government had limited resource to understand and fix legacy systems.58
Government Response Summary
The government agrees with the implied recommendation, with DSIT committed to improving data collection on legacy systems, ensuring departments use GovAssure for critical systems, supporting remediation efforts, and working with HMT to track funding for legacy projects and include cyber resilience in regular reporting by Spring 2026.
Government Response
Accepted
HM Government
Accepted
4.1 The government agrees with the Committee’s recommendation. Target implementation date: Spring 2026 4.2 DSIT is currently improving the way that they collect data on legacy systems across government. 4.3 Departments will continue to be required to identify and report on their critical systems through GovAssure, and drive adoption of the scheme across more of government. 4.4 The combined insights from these assurance frameworks will be used to determine the proportion of the estate which has been assessed, and the optimum scale and frequency of assessment activity going forward. 4.5 The government agrees with the Committee’s recommendation. Target implementation date: Spring 2026 4.6 DSIT will continue to support the work done by departments to remediate their legacy systems and improve cyber resilience. DSIT will work with HM Treasury (HMT) to develop a methodology for tracking funding allocated to legacy remediation projects to ensure it is delivering the expected improvements. 4.7 DSIT will work with HMT to include all government cyber resilience activity into departments’ regular reporting to HMT and DSIT on digital spending and delivery. DSIT is also working with HMT on mechanisms for protecting budgets for specific cyber and legacy remediation programmes to avoid diversion of funding after settlement.