Asked by: Lord Agnew of Oulton (Conservative - Life peer)
Question to the Department for Science, Innovation & Technology:
To ask His Majesty's Government how many public contracts across all departments currently include the “security schedules” referenced in the Government Cyber Security Strategy: 2022–2030; and what steps they are taking to ensure full implementation of proportionate cyber requirements across all commercial agreements.
Answered by Baroness Jones of Whitchurch
It is long standing policy that Government does not disclose the specifics of its security arrangements, including with suppliers.
In recognition of the fact that not all government departments have the resources or expertise to include bespoke security requirements of every single commercial arrangement, GSG has developed and published Modular Security Schedules. These schedules provide departments with industry best practice security requirements to be included in commercial agreements. They have been tailored to meet a whole range of scenarios and risks.
These schedules are now publicly available on security.gov.uk and have been widely adopted by government departments. We are actively running training sessions for commercial teams to aid their implementation. Furthermore, they are now included in the standard, Model Services Contract, Mid-Tier Contract and Short Form Contract.
Asked by: Lord Agnew of Oulton (Conservative - Life peer)
Question to the Department for Science, Innovation & Technology:
To ask His Majesty's Government what plans they have to require their suppliers to use secure container images, in a manner comparable to the United States 2024 executive order on securing the software supply chains of federal government suppliers.
Answered by Baroness Jones of Whitchurch
In February 2025 Cabinet Office published the updated National Procurement Policy Statement (NPPS). The statement requires all public sector contracting authorities in scope to mitigate supply chain and national security risks by ensuring appropriate controls are in place, such as the Cyber Essentials standard for cyber security. Contracting authorities should also follow government guidance on Tackling Security Risk in Government Supply Chains inclusive of software security risk.
In May 2025 DSIT published a voluntary Software Security Code of Practice. The Code of Practice has been developed to improve the security and resilience of software that organisations and businesses rely on. This is not mandatory for government suppliers but we strongly encourage public sector organisations to use the Code of Practice in their commercial engagements.
Asked by: Lord Agnew of Oulton (Conservative - Life peer)
Question to the Department for Science, Innovation & Technology:
To ask His Majesty's Government whether any departments or government agencies monitor the use of insecure or vulnerable container images within government IT systems; and, if so, whether they will publish the latest audit data on the number of container images in use that contain critical or high-severity vulnerabilities.
Answered by Baroness Jones of Whitchurch
All government departments and their Arms Length Bodies must meet the Government Cyber Security Standard, which specifies that organisations shall meet or exceed the security outcomes specified in the National Cyber Security Centre’s Cyber Assessment Framework (CAF). Principle B4 of the CAF on system security requires departments to manage vulnerabilities on their systems.
His Majesty’s Government does not hold a central view of departmental or agency vulnerabilities.
Asked by: Lord Agnew of Oulton (Conservative - Life peer)
Question to the Department for Science, Innovation & Technology:
To ask His Majesty's Government, further to the Written Answer by Baroness Jones of Whitchurch on 20 May (HL7143), how much they spent in total each year since 2019–20 on (1) digital systems delivered from public cloud, and (2) the entire digital systems estate.
Answered by Baroness Jones of Whitchurch
The historical data requested is not held centrally, however the State of Digital Government report, published in January 2025, confirms that the UK public sector spends over £26bn annually on digital technology. Additionally, GDS is currently working with public sector organisations to understand their annual spend on public cloud services.
Asked by: Lord Agnew of Oulton (Conservative - Life peer)
Question to the Department for Science, Innovation & Technology:
To ask His Majesty's Government, further to the Written Answer by Baroness Jones of Whitchurch on 20 May (HL7143), whether the Government Digital Service has guidance and policies on cost-effectiveness and value-for-money achieved by reporting departments.
Answered by Baroness Jones of Whitchurch
GDS publishes policy and guidance, including the Technology Code of Practice, Cloud First Policy, and Government Service Standard that departments must adhere to and that support cost-effectiveness and value for money objectives. Where departmental submissions are not deemed cost-effective or value for money GDS can halt further progression using the digital spend controls process that is required for all citizen-facing digital services with a value of more than £100,000, and all technology spend with a value in excess of £1 million.
Asked by: Lord Agnew of Oulton (Conservative - Life peer)
Question to the Department for Science, Innovation & Technology:
To ask His Majesty's Government what proportion of the grants awarded by Innovate UK since 1 January 2018 have been (1) formally terminated prior to full completion, (2) suspended or places on hold due to non-performance, non-compliance, or suspected misuse of funds, and (3) subject to financial recovery or clawback proceedings; what is the total value of those grants; and what is the total number of those grants.
Answered by Lord Vallance of Balham - Minister of State (Department for Energy Security and Net Zero)
Innovate UK has robust processes in place for monitoring its grants and ensuring that only eligible costs are supported. It centralised the process for the suspension, withdrawal, and termination of grants from 1st April 23 to provide a consistent record for continuous improvement. Data is presented from then until 31st March 25. The value of grants paid for this period was £2.78 billion.
Asked by: Lord Agnew of Oulton (Conservative - Life peer)
Question to the Department for Science, Innovation & Technology:
To ask His Majesty's Government what the total kilowatt-hours and average power usage effectiveness have been for each year since 2019/20 of (1) the government server rooms, and (2) their industry suppliers in providing the equivalent, including via public cloud.
Answered by Baroness Jones of Whitchurch
No central assessment has been made of what the total kilowatt-hours and average power usage effectiveness have been for each year since 2019/20 of (1) the government server rooms, and (2) their industry suppliers in providing the equivalent, including via public cloud. Whilst we would expect individual organisations to have an understanding of the power usage costs associated with the running of their on-premise services this is not information that is recorded centrally.
Asked by: Lord Agnew of Oulton (Conservative - Life peer)
Question to the Department for Science, Innovation & Technology:
To ask His Majesty's Government what estimate they have made of the total annual estate and electricity cost of housing digital infrastructure and IT systems, legacy and otherwise, across the server rooms of the government estate.
Answered by Baroness Jones of Whitchurch
There is currently no centrally conducted analysis of the total estate and electricity cost across for housing digital infrastructure or IT systems. HMT provides guidance for how to estimate the cost of both land and energy consumption when a business case is being developed. This helps to ensure that the best value for money option is selected when a new project is undertaken. For digital projects the Government Cloud First policy states that when procuring new or existing services, public sector organisations should default to Public Cloud first and where there is no choice but to host on-premises, use Crown Hosting.
Asked by: Lord Agnew of Oulton (Conservative - Life peer)
Question to the Department for Science, Innovation & Technology:
To ask His Majesty's Government what estimate they have made of total government savings over the past five years of shifting data from locally hosted back-office IT systems, legacy or otherwise, to the public cloud.
Answered by Baroness Jones of Whitchurch
No central assessment has been made of total government savings over the past five years of shifting data from locally hosted back-office IT systems, legacy or otherwise, to the public cloud. Whilst we would expect individual organisations to have an understanding of the costs associated with the running of their cloud and on-premise services, to support their own business cases, this is not information that is recorded centrally.
Asked by: Lord Agnew of Oulton (Conservative - Life peer)
Question to the Department for Science, Innovation & Technology:
To ask His Majesty's Government what assessment they have made of which services are operated, whether directly or through third parties, from which servers in which data centres across the government IT estate.
Answered by Baroness Jones of Whitchurch
No central assessment has been made of which services and servers are operated from which data centers across the government estate. Whilst we would expect individual organisations to have an understanding of the physical locations that are associated with the running of their digital services to support business continuity planning this is not information that is recorded centrally. In the public cloud the information required by organisations is different and they should understand the cloud regions in which their services are hosted rather than the physical location of servers, especially for modern cloud-native workloads which are abstracted from physical servers.