Question to the Ministry of Justice:

To ask the Secretary of State for Justice, with reference to the guidance by the Central Digital and Data Office entitled Guidance on the Legacy IT Risk Assessment Framework, published on 29 September 2023, how many red-rated IT systems are used by his Department; and how many red-rated IT systems have been identified since 4 December 2023.

Answered by Mike Freer - Parliamentary Under-Secretary (Ministry of Justice)

The Central Digital and Data Office (CDDO), in the Cabinet Office, has established a programme to support departments managing legacy IT. CDDO has agreed a framework to identify ‘red-rated’ systems, indicating high levels of risk surrounding certain assets within the IT estate. Departments have committed to have remediation plans in place for these systems by next year (2025).

It is not appropriate to release sensitive information held about specific red-rated systems or more detailed plans for remediation within the Ministry of Justice’s IT estate, as this information could indicate which systems are at risk, and may highlight potential security vulnerabilities.

Question to the Cabinet Office:

To ask the Minister for the Cabinet Office, with reference to the guidance by the Central Digital and Data Office entitled Guidance on the Legacy IT Risk Assessment Framework, published on 29 September 2023, how many red-rated IT systems are used by his Department; and how many red-rated IT systems have been identified since 4 December 2023.

Answered by Alex Burghart - Parliamentary Secretary (Cabinet Office)

The Central Digital and Data Office (CDDO), in the Cabinet Office, has established a programme to support departments managing legacy IT. CDDO has agreed a framework to identify ‘red-rated’ systems, indicating high levels of risk surrounding certain assets within the IT estate. Departments have committed to have remediation plans in place for these systems by June next year (2025).

It is not appropriate to release sensitive information held about specific red-rated systems or more detailed plans for remediation within Cabinet Office’s IT estate, as this information could indicate which systems are at risk, and may highlight potential security vulnerabilities.

Question to the Department for Work and Pensions:

To ask the Secretary of State for Work and Pensions, with reference to the guidance by the Central Digital and Data Office entitled Guidance on the Legacy IT Risk Assessment Framework, published on 29 September 2023, how many red-rated IT systems are used by his Department; and how many red-rated IT systems have been identified since 4 December 2023.

Answered by Paul Maynard - Parliamentary Under-Secretary (Department for Work and Pensions)

I refer the hon. Member to a previous response I provided to Question UIN 3652. There have been no changes following the previous response. We continually monitor our Legacy IT systems to ensure any emerging risks are recorded and managed effectively.

Question to the Home Office:

To ask the Secretary of State for the Home Department, with reference to the guidance by the Central Digital and Data Office entitled Guidance on the Legacy IT Risk Assessment Framework, published on 29 September 2023, a) how many red-rated IT systems are used by his Department; and how many red-rated IT systems have been identified since 4 December 2023.

Answered by Chris Philp - Minister of State (Home Office)

The Central Digital and Data Office (CDDO), in the Cabinet Office, has established a programme to support departments managing legacy IT. CDDO has agreed a framework to identify ‘red-rated’ systems, indicating high levels of risk surrounding certain assets within the IT estate. Departments have committed to have remediation plans in place for these systems by next year (2025).

It is not appropriate to release sensitive information held about specific red-rated systems or more detailed plans for remediation within Home Office IT estate, as this information could indicate which systems are at risk, and may highlight potential security vulnerabilities.

Question to the Ministry of Defence:

To ask the Secretary of State for Defence, whether his Department has made an assessment of the potential national security risks associated with IT infrastructure operated by (a) his Department's arm’s-length bodies and (b) private firms under contract to his Department.

Answered by Andrew Murrison - Parliamentary Under-Secretary (Ministry of Defence)

The Ministry of Defence (MOD) takes the security of its IT infrastructure, that of its arm’s length bodies and of its suppliers, very seriously. However, the MOD does not comment on specific details of individual risk assessments as this could give useful information to potential adversaries.

Defence employs a Cyber Risk Management Framework that regularly reviews and escalates risk. This uses evidence from a variety of sources including as the Cabinet Office’s Gov Assure ‘Cyber Assessment Framework’ (CAF). All Defence Organisations, including ALBs, sit within this framework. MOD contracts are subject to a risk assessment which is used to determine the nature of the control measures should be applied to the contract.

The Cyber Resilience Strategy for Defence is driving a programme of work to improve Defence’s cyber security. In the longer term the MOD’s Secure by Design approach will ensure security is built into our capability programmes from the outset and managed effectively on a through life basis. The MOD is also reducing the cyber security risk across its complex legacy estate by improving its ability to respond to and detect cyber incidents, improve cyber awareness across the workforce, and improve resilience in it supply.

Question to the Ministry of Defence:

To ask the Secretary of State for Defence, with reference to the guidance by the Central Digital and Data Office entitled Guidance on the Legacy IT Risk Assessment Framework, published on 29 September 2023, how many red-rated IT systems are used by his Department; and how many red-rated IT systems have been identified since 4 December 2023.

Answered by James Cartlidge - Minister of State (Ministry of Defence)

It is not appropriate to release sensitive information held about specific red-rated systems or more detailed plans for remediation within the Ministry of Defence’s IT estate, as this information could indicate which systems are at risk, and may highlight potential security vulnerabilities.

Question to the Foreign, Commonwealth & Development Office:

To ask the Deputy Foreign Secretary, with reference to the guidance by the Central Digital and Data Office entitled Guidance on the Legacy IT Risk Assessment Framework, published on 29 September 2023, how many red-rated IT systems are used by his Department; and how many red-rated IT systems have been identified since 4 December 2023.

Answered by David Rutley - Parliamentary Under-Secretary (Foreign, Commonwealth and Development Office)

The Central Digital and Data Office (CDDO), in the Cabinet Office, has established a programme to support departments managing legacy IT. CDDO has agreed a framework to identify 'red-rated' systems, indicating high levels of risk surrounding certain assets within the IT estate. Departments have committed to have remediation plans in place for these systems by next year (2025). It is not appropriate to release sensitive information held about specific red-rated systems or more detailed plans for remediation within the FCDO's IT estate, as this information could indicate which systems are at risk, and may highlight potential security vulnerabilities.

Question to the Department for Education:

To ask the Secretary of State for Education, with reference to the guidance by the Central Digital and Data Office entitled Guidance on the Legacy IT Risk Assessment Framework, published on 29 September 2023, how many red-rated IT systems are used by her Department; and how many red-rated IT systems have been identified since 4 December 2023.

Answered by Damian Hinds - Minister of State (Education)

The Central Digital and Data Office (CDDO), in the Cabinet Office, has established a programme to support departments managing legacy IT. CDDO has agreed a framework to identify ‘red-rated’ systems, indicating high levels of risk surrounding certain assets within the IT estate. Departments have committed to have remediation plans in place for these systems by next year (2025).

It is not appropriate to release sensitive information held about specific red-rated systems or more detailed plans for remediation within the Department for Education’s IT estate, as this information could indicate which systems are at risk, and may highlight potential security vulnerabilities.

Question to the Department for Business and Trade:

To ask the Secretary of State for Business and Trade, with reference to the guidance by the Central Digital and Data Office entitled Guidance on the Legacy IT Risk Assessment Framework, published on 29 September 2023, how many red-rated IT systems are used by her Department; and how many red-rated IT systems have been identified since 4 December 2023.

Answered by Alan Mak - Minister of State (Department for Business and Trade) (jointly with the Cabinet Office)

The Central Digital and Data Office (CDDO), in the Cabinet Office, has established a programme to support departments managing legacy IT. CDDO has agreed a framework to identify ‘red-rated’ systems, indicating high levels of risk surrounding certain assets within the IT estate. Departments have committed to have remediation plans in place for these systems by next year (2025).

It is not appropriate to release sensitive information held about specific red-rated systems or more detailed plans for remediation within the Department for Business and Trade’s IT estate, as this information could indicate which systems are at risk, and may highlight potential security vulnerabilities.

Question to the Department for Environment, Food and Rural Affairs:

To ask the Secretary of State for Environment, Food and Rural Affairs, with reference to the guidance by the Central Digital and Data Office entitled Guidance on the Legacy IT Risk Assessment Framework, published on 29 September 2023, how many red-rated IT systems are used by his Department; and how many red-rated IT systems have been identified since 4 December 2023.

Answered by Mark Spencer - Minister of State (Department for Environment, Food and Rural Affairs)

The Central Digital and Data Office (CDDO), in the Cabinet Office, has established a programme to support departments managing legacy IT. CDDO has agreed a framework to identify ‘red-rated’ systems, indicating high levels of risk surrounding certain assets within the IT estate. Departments have committed to have remediation plans in place for these systems by next year (2025). It is not appropriate to release sensitive information held about specific, red-rated systems or more detailed plans for remediation within Defra’s IT estate, as this information could indicate which systems are at risk and may highlight potential security vulnerabilities.

Question to the Ministry of Justice:

To ask the Secretary of State for Justice, pursuant to the Answer of 13 May 2024 to Question 25013 on Ministry of Justice: ICT, for what reason his Department considers publishing the latest available figures on the number of red-rated systems it holds a security risk, in the context of the publication of the Central Digital & Data Office's guidance entitled, Guidance on the Legacy IT Risk Assessment Framework on 29 September 2023.

Answered by Mike Freer - Parliamentary Under-Secretary (Ministry of Justice)

In response to question 25013, the department responded with a cautionary response to withhold releasing information on the red-rated systems due to potential security risks. However, upon revising our previous response we have concluded that we are able to release the requested figures.

These figures are already in the public domain and can be found on slide 21 of the CDDO progress update below:

https://data.parliament.uk/DepositedPapers/Files/DEP2024-0230/Future.pdf.