The Cabinet Office recently published a new Digital, Data and Technology (“DDaT”) Playbook, together with accompanying guidance on Mitigating and Preventing Legacy IT. The Playbook sets out how HMG should assess, procure and deliver DDaT projects, and largely follows the structure and approach of the Cabinet Office’s Sourcing and Consultancy Playbooks.
Usefully, the Playbook addresses three key areas in any DDaT contract:
- Legacy IT;
- Cyber security; and
- Data and code portability.
It is a clear acknowledgement by HM Government that greater progress must be made to tackle the “multi-billion pound problem” of legacy IT and the accompanying risks to the operational resilience and legal compliance of some of government’s most critical IT systems.
What is the Playbook and when will it apply?: The DDaT Playbook was published by Cabinet Office on 28 March 2022 and applies to all new DDaT procurements from the date of publication on a “comply or explain” basis.
It is built around 11 core policies designed to facilitate key government objectives for DDaT work, namely to:
- take an outcome-based approach to the delivery of products and services focusing on user needs, not specific solutions;
- avoid and remediate legacy IT and tackle technical debt;
- ensure cyber security to maintain operational resilience;
- enable innovation through continuous improvement to transformative new products and services and increased data sharing and use of open-source software;
- drive environmental, economic and social sustainability through the collective buying power of the public sector;
- level the playing field for SMEs to enable economic growth, employment and investment opportunities.
Compliance with the Playbook is being driven through departments’ governance processes, central Cabinet Office controls (projects over £10 million per transaction) and the Treasury Approvals Process, and further guidance around implementation is expected throughout 2022.
Tackling legacy IT: Both the DDaT Playbook and the accompanying Legacy IT guidance signal government’s intention to tackle the high levels of legacy infrastructure retained on HMG’s estate, much of which remains critical to the delivery of core public services. Cabinet Office recognises the high risks which result from the extent of that legacy estate. These include an adverse impact on operational resilience where legacy IT sits at the heart of unsupported critical business infrastructure, an impediment to government’s ability to comply with data protection obligations, and the inability of legacy infrastructure to keep pace with growing cyber threats.
The Playbook asks contracting authorities to place plans for the mitigation and prevention of legacy IT at the heart of any DDaT procurement. At a fundamental level, it aims to do this by ensuring flexibility is built into contracts upfront, preventing IT lock-in, and through effective contract management. The contract guidance recommends the use of “evergreen” provisions to ensure relevant software is always a currently supported version, as well as carefully defining what is meant by “up-to-date” (the latest version versus a supported older version), since the two can have very different cost and risk profiles for the supplier and the authority.
This highlights the constant need in DDaT sourcing to have clear requirements, high-quality contract drafting and effective contract management.
Better focus on cyber risk: Having been absent from the preceding Sourcing Playbook, it is particularly helpful that cyber security has been made a key focus of the DDaT Playbook, recognising the critical importance of applying a robust and appropriate level of cyber security to better safeguard public data when delivering DDaT projects. Tackling legacy IT will undoubtedly help government to improve the resilience of its cyber controls, but the Playbook goes further. It requires authorities to undertake cyber security assessments at each stage of a DDaT procurement, assessing their own and suppliers’ cyber security levels to inform contract design, particularly the minimum security standards which should be embedded into the contract, and to give consideration to potential vulnerabilities across the broader supply chain. The Playbook also recommends supplier reporting requirements and authority controls so that any minimum security standards set as part of the procurement are maintained throughout the life of the contract, rather than only verified at the point of award.
While the Playbook reminds authorities that the NCSC’s Cyber Essentials Scheme is mandatory for all new central government contracts handling personal information, departments retain the discretion, informed by a sufficiently thorough cyber security assessment, to set a more robust minimum security standard for their suppliers, for example by requiring alignment with ISO 27001.
Use of interoperable data and software: The Playbook places particular emphasis on the use of open-source software and code which is platform agnostic and can therefore be shared and reused. While the requirement that all new code be open source by default is not a new one, the Playbook goes further with respect to data, requiring contracting authorities to use open data wherever possible unless the sensitivity of the relevant data sets (for example, data pertaining to citizens’ lives) makes open access unsuitable.
These provisions follow a general trend by Cabinet Office to promote better and more effective data sharing and transparency across government in order to exploit, and generate efficiencies from, HMG’s considerable data wealth. This is in line with the National Data Strategy and is undoubtedly influenced by the COVID-19 pandemic, which demonstrated the criticality of enabling data sharing across suppliers and government. There will be other advantages too: by making data more interoperable, DDaT contracts will help to generate a healthier and more competitive market by removing the competitive advantage of incumbent suppliers and avoiding vendor lock-in.
However, this approach has the potential to conflict with the trend towards more cloud-based service provision and the use of vendor-specific cloud platforms for service delivery. It may preclude some common procurement routes for DDaT services and lead to greater costs, both through the use of alternative routes and through the incorporation of additional code and data portability requirements into contracts.
The Playbook provides a high-level blueprint for running quality DDaT procurements. Its focus on security, portability and legacy IT is welcome. We look forward to seeing the more detailed implementation guidance from the Cabinet Office over the coming months.