alunablue - stock.adobe.com
Outdated IT infrastructure poses growing risk to UK Security Vetting
Delays to UKSV’s important work in safeguarding the country’s national security are in part down to a legacy IT estate in dire need of modernisation, says the NAO
A pattern of chronic underperformance arising in part from a legacy IT estate in dire need of modernisation has left the Cabinet Office-backed UK Security Vetting (UKSV) service facing delays to its work and missed targets, according to a National Audit Office (NAO) report released today.
UKSV, which was set up in 2017, has a remit to vet job applications to roles that have access to sensitive government information, locations or equipment. It most usually performs vetting in three categories – Counter Terrorist Checks (CTC), Security Checks (SC) and Developed Vetting (DV), which is an enhanced procedure for more sensitive assets. Its largest customer is the Ministry of Defence, although it also recently started performing checks for the commercial aviation sector.
However, according to the NAO, UKSV has failed to meet its targets for CTC and SC clearances since August 2021, while targets for DV clearances have been missed since May 2021. Processing of CTC and SC clearances is meant to take 25 days in 85% of cases, but in September 2022, it met that target in just 15% of cases. Processing of DV should take 95 days in 85% of cases, but this was achieved in only 7% of cases in April 2022.
The NAO said it was also failing to meet targets for follow-up checks on DV clearances, which take place between the initial clearance and full renewal after seven years and are designed to capture and reflect changes in personal circumstances that may occur. Again, this is supposed to be done within 95 days 85% of the time, but this has not happened for five years.
“Our investigation finds unacceptable delays continue to hamper security vetting, which is of vital importance to the effective functioning of government, and in particular, national security work,” said NAO head Gareth Davies.
“UKSV must build on initiatives from its stabilisation plan to ensure that it is on a sustainable path to meet the increasing demand for vetting. And it is essential that the Cabinet Office set a clear pathway for meaningful reform, including recruiting and retaining talent to implement and manage sustainable improvements.”
The NAO said that UKSV was already on the back foot because actual demand for its services outstripped forecast demand by 60% (57% for DV clearances) during 2021-22, and the unit had been left under-resourced during the period, with a shortfall in its needed headcount of over 250.
Read more about the NAO’s work
- Some 30% of Defra’s applications are currently unsupported, magnifying cyber risk as the government department struggles to make progress on a digital transformation programme.
- BBC warned it may lack resources to achieve its desired digital ambitions, with particular worry over best practice in managing data and potential exposure to reputational risk.
A stabilisation plan did help it push more clearances through during 2022-23 – this was focused on prioritising new DV clearances over renewals, improving productivity, and automating and enhancing existing IT systems. As a result, it increased DV clearances by 49% between April and November 2022, and CTC/SC clearances by 12%.
The NAO reported that the overall situation appears to be hampered by an as-yet unfulfilled pledge to modernise UKSV’s “key IT infrastructure”, which is not really expected to bear fruit before 2024-2025.
It said the Cabinet Office’s initial efforts to modernise its IT had gone 50% over budget, and that £2.5m of taxpayers’ money had to be written off. As a result, UKSV is still using an IT system that it first said it wanted to abandon in 2018 because it lacked capacity, was too slow, and needed too many manual workarounds to keep it up and running.
The NAO’s full report, which can be read here, calls on the Cabinet Office to urgently ramp-up the modernisation of UKSV and implement the previously agreed plan for transformation. It also highlights a need for more transparent performance metrics, and a need to build more resilience into UKSV so it can react to events outside of its control that could increase its workload.
Mark Gibbs, EMEA president at UiPath, a supplier of process automation software, said failings in such a vital service potentially put the UK’s national security at risk.
“Security vetting is a vital service, and the cornerstone of sound decisions with tremendous impact,” he said. “It is essential that the relevant government departments ensure they address the technological debt as well as upskill the civil servants working in the most impacted departments.
“From a technology point of view, automation is a solution that could help to clear the existing backlog. Automation works in tandem with employees to improve efficiencies and has a solid track record of tackling this challenge. Automation implementation, then, can help the government boost productivity, allowing greater responsiveness and improved services.”