Committee publication · Correspondence · 12 March 2026

Letter from the Permanent Secretary at the Department for Science, Innovation and Technology relating to recommendation 3a of the Committee’s Fifty-eighth Report on Government services: Identifying costs, 23 February 2026

Inquiry: Government services: Identifying costs and generating income

Summary

The Permanent Secretary at the Department for Science, Innovation and Technology responds to the Public Accounts Committee's recommendation 3a by submitting a baselined dataset of legacy systems assessed using the Legacy Risk Assessment Framework. The data covers systems scoring above 3 in likelihood criteria, with severity ratings across seven dimensions. DSIT requests confidentiality citing security risks and outlines future plans to automate data collection and publish a Technology Modernisation Action Plan.

Key findings

DSIT has submitted a dataset of legacy systems with scores indicating severity of legacy condition rather than operational criticality, assessed via 2024 commission using the Legacy Risk Assessment Framework
Systems are rated 1–6 across seven criteria: end of life, expired vendor contracts, lack of knowledge/skills, inability to meet business needs, unsuitable physical environment, known security vulnerabilities, and historically recorded issues
DSIT requests the data remain confidential to prevent drawing attention to vulnerabilities and opportunistic attacks on personal data and services
The dataset is not exhaustive: not all public sector organisations were commissioned, not all commissioned organisations responded, and MoD systems are excluded (classified SECRET)
DSIT will shift from manual commissions to automated data capture or sampling methodologies to reduce administrative burden on departments, and plans to publish a Technology Modernisation Action Plan later in 2026

Tone

Procedural

Topics

digital-infrastructurepublic-financecybersecuritygovernment-operations

Key actors

Emran Mian, Sir Geoffrey Clifton-Brown, Department for Science, Innovation and Technology, Public Accounts Committee, Ministry of Defence, Treasury

Notable line

“DSIT advises that these systems are not publicly referred to as being legacy. DSIT also requests that the Committee keep the information provided confidential.”

Key Quotes

“Due to the nature of legacy systems, they are often harder to secure than more up to date systems. As such they can present an easier target for both hostile states and criminal groups to attempt to exploit.”
— Emran Mian · Explaining rationale for confidentiality request

“The scores indicate the severity of a system's legacy condition rather than its operational criticality. Consequently, this should not be viewed as a prioritised ranking of the Government's highest-risk legacy systems.”
— Emran Mian · Clarifying how dataset should be interpreted

“The data set reflects the most recent assessment conducted and has not been refreshed during the 2025 calendar year. As a result, some systems included in the assessment may have since been remediated, while others may have transitioned to legacy status since the conclusion of the assessment period.”
— Emran Mian · Noting data quality limitations

“… this data set is not exhaustive. Not all public sector organisations were commissioned to participate in the assessment and none outside Government Departments and ALBs.”
— Emran Mian · Explaining scope limitations of the dataset

View original document →

Source · parliament.uk record ↗