Question to the Department for Education:

To ask the Secretary of State for Education, with reference to the guidance by the Central Digital and Data Office entitled Guidance on the Legacy IT Risk Assessment Framework, published on 29 September 2023, how many red-rated IT systems are used by her Department; and how many red-rated IT systems have been identified since 4 December 2023.

The Central Digital and Data Office (CDDO), in the Cabinet Office, has established a programme to support departments managing legacy IT. CDDO has agreed a framework to identify ‘red-rated’ systems, indicating high levels of risk surrounding certain assets within the IT estate. Departments have committed to have remediation plans in place for these systems by next year (2025).

It is not appropriate to release sensitive information held about specific red-rated systems or more detailed plans for remediation within the Department for Education’s IT estate, as this information could indicate which systems are at risk, and may highlight potential security vulnerabilities.