Home Office renews £200k subscription for out-of-support software for internal forms
Department has been ‘made aware of the risks associated’ of continuing to use technology to process sensitive information
The Home Office has spent £200,000 renewing its subscription for software used to build internal forms – despite having been “made aware of the risks” of continuing to use a system that is no longer in support.
Newly published commercial documents indicate that the department entered into a one-year software licensing contract on 1 November covering the provision of an “e-forms” tool for use in its Horizon intranet system. The deal will be worth £197,225 to specialist provider Granicus. The annual fee covers the submission of 100,000 forms per year.
Procurement archives reveal that, since at least 2016, the Home Office has used forms-building technology from Firmstep – a London-based software house that was acquired by US firm Granicus in 2019.
The latest contract extension indicates that “Granicus has notified [the department] that the solution is discontinued and no longer be supported” by the company.
The supplier has also sought to make the Home Office “aware of the risks associated with [its] continued use of the solution… and [it] has determined it wishes to continue using the solution independently without any support from Granicus”, according to the contract.
The terms of the contract state, in continuing to use the software system, the department accepts that the software publisher “will only provide limited ongoing or future support or assistance of any kind related to the administration and functionality” of the product.
The technology will be used in an “Official-sensitive (IL3) environment” – meaning one in which the relevant security standards have been met to process government information.
Although still considered to be sensitive, ‘Official’ is the lowest of the three levels of classification of government data, and is applied to “the majority of information that is created or processed by the public sector”.
This “includes routine business operations and services, some of which could have damaging consequences if lost, stolen or published in the media, but are not subject to a heightened threat profile”.
Products that are “considered an end-of-life product, out of support from the supplier, impossible to update” are considered to be legacy technology as per guidelines from the Cabinet Office, which also covers systems that are “no longer cost-effective [and] now considered to be above the acceptable risk threshold”.
The guidance recommends that government entities “use continuous improvement planning to implement an iterative or phased migration, and help prevent the accumulation of future legacy technology”.
This will result in the “reduction of risks to your systems and infrastructure”, departments are advised.
Tackling legacy IT across government was a key focus of the November spending review, which pledged £2.6bn to help update ageing systems and improve cyber resilience. This came on top of £600m committed to address legacy tech during the one-year spending round of 2021 – which included £232m for the Home Office.
The Central Digital and Data Office is also currently working across government to develop a consistent view of the costs and risks of legacy systems through the rollout of a common legacy IT framework”, according to an update recently provided to parliament’s Public Administration and Constitutional Affairs Committee.
External supplier brought in to run the rule over government systems as rollout begins of ‘GovAssure’ programme
Assessment was commenced shortly after five days of outages – but identified ‘no immediate concern’, according to supplier
Department looks to enhance use of data products
Proposals will allow for more information – potentially including highly sensitive special-category data – to be processed in identity-verification