Question to the Cabinet Office:

To ask the Minister for the Cabinet Office, with reference to the guidance by the Central Digital and Data Office entitled Guidance on the Legacy IT Risk Assessment Framework, published on 29 September 2023, how many red-rated IT systems are used by his Department; and how many red-rated IT systems have been identified since 4 December 2023.

The Central Digital and Data Office (CDDO), in the Cabinet Office, has established a programme to support departments managing legacy IT. CDDO has agreed a framework to identify ‘red-rated’ systems, indicating high levels of risk surrounding certain assets within the IT estate. Departments have committed to have remediation plans in place for these systems by June next year (2025).

It is not appropriate to release sensitive information held about specific red-rated systems or more detailed plans for remediation within Cabinet Office’s IT estate, as this information could indicate which systems are at risk, and may highlight potential security vulnerabilities.