Question to the Department for Science, Innovation & Technology:

To ask the Secretary of State for Science, Innovation and Technology, with reference to HCWS1249, what estimate he has made of the number of legacy digital systems in use across government; what timetable exists for decommissioning the highest-risk systems, what resources are available to support “secure by design” requirements; and what assessment has been made of the impact of the government vulnerability scanning service.

The most recent assessment of the scale of legacy systems across the public sector was conducted as part of the State of Digital Government Review, which found that 28% of public sector systems were identified as legacy IT. Individual departments remain responsible for addressing their highest risk systems. While DSIT provides oversight, it does not hold central information on all these plans.

The Secure by Design approach provides delivery and project teams with clear principles and activities to follow to increase the cyber resilience and security of new and emerging systems, services and technology infrastructure. A central DSIT team supports them through a community of champions, nominated by their respective organisation.

Over 700 public sector organisations have now signed up to the vulnerability scanning service, with the service finding and helping fix over 100 critical vulnerabilities a month.