Source · Select Committees · Public Accounts Committee

Recommendation 27

27 Accepted

Incomplete knowledge of legacy systems hampers effective risk management and funding decisions.

Recommendation
We queried how government could manage the risk from legacy systems, make informed bids for funding to fix them, or prevent departments reprioritising this funding, if it did not know what systems it had.[59] The Cabinet Office told us that legacy systems were one of its biggest priorities, but that departments needed to own the risk.[60] DSIT claimed that many of these legacy systems were likely to be isolated from networks and, although expensive to run, were not flashing ‘red’ as a risk.[61] DSIT also told us that moving to subscription-based services, such as cloud platforms, helps government to manage the risks posed by legacy IT.[62]
Government Response Summary
The government agrees to the implied recommendation, with DSIT committed to improving data collection on legacy systems, ensuring departments use GovAssure for critical systems, supporting remediation efforts, and working with HMT to track funding and include cyber resilience in regular reporting by Spring 2026.
Government Response Accepted
HM Government Accepted
4.1 The government agrees with the Committee’s recommendation.

Target implementation date: Spring 2026

4.2 DSIT is currently improving the way that they collect data on legacy systems across government.

4.3 Departments will continue to be required to identify and report on their critical systems through GovAssure, and drive adoption of the scheme across more of government.

4.4 The combined insights from these assurance frameworks will be used to determine the proportion of the estate which has been assessed, and the optimum scale and frequency of assessment activity going forward.

4.5 The government agrees with the Committee’s recommendation.

Target implementation date: Spring 2026

4.6 DSIT will continue to support the work done by departments to remediate their legacy systems and improve cyber resilience. DSIT will work with HM Treasury (HMT) to develop a methodology for tracking funding allocated to legacy remediation projects to ensure it is delivering the expected improvements.

4.7 DSIT will work with HMT to include all government cyber resilience activity into departments’ regular reporting to HMT and DSIT on digital spending and delivery. DSIT is also working with HMT on mechanisms for protecting budgets for specific cyber and legacy remediation programmes to avoid diversion of funding after settlement.