National Audit Office finds UK government IT merger delayed national security vetting
As a result of IT failings, it took 15 months for the formation of the UKSV
The National Audit Office (NAO) has revealed that an IT upgrade stalled national security vetting and is still costing the government significant money because the system is so inefficient.
The NAO looked into how the government was running security checks after it received numerous complaints from people using the government's UK Security Vetting (UKSV) following the merger of the Defence Business Services National Security Vetting (DBS) and Foreign & Commonwealth Services National Security Vetting (FCOS) - the two bodies previously responsible for checking the security credentials of individuals.
Following the merger of the two organisations, work was still split between the public sector services and the confusion meant checks were delayed.
This was made worse by the introduction of the National Security Vetting Solution (NSVS), which was not ready to be launched when it did. In fact, the programme board responsible for making decisions around the merger warned that the launch shouldn't go ahead, describing it as "under-resourced, under-planned and underfunded."
The original plan was to launch the new systems on the two separate platforms before the organisations merged. The DBS deployed the system first, in October 2016 and, at that time between 10 and 13 of its essential functions didn't work as they should.
"In October 2016, DBS upgraded to NSVS at a cost of 14 million. In the first week following the implementation of the IT upgrade, 10 out of 13 of NSVS's essential functions were having consistent or sporadic issues, some of which were having a major impact on UKSV's normal operations. In its first four weeks, NSVS failed to store information and run automated checks correctly. At one point, 8,500 files containing personal data attached to cases were unreadable when accessed. Most of these files were recovered, of which 3,400 had to be manually reattached to their respective cases. In addition, 93% of automated checks against the police national computer failed," the NAO report stated.
It continued: "As a consequence of NSVS failures, officials had to re-process failed security checks manually, reload files, recover data, and conduct additional assurance checks. Between July and September 2016, DBS completed an average of 516 cases per day. DBS had planned a two-week IT outage, which ended in October 2016, while it implemented NSVS. Taking this into account, the number of cases DBS completed dropped 39% to an average of 313 cases per day between October and December. DBS returned to its pre-NSVS rate of cases completed in January 2017. By this time, the number of cases waiting to be completed had increased from around 17,600 in September 2016 to almost 22,000 (a 25% increase)."
This meant that checks couldn't be fulfilled by DBS because it had software that didn't work, as well as resulting in the two organisations becoming even further fragmented than they previously were. As such, they weren't able to switch to the unified UKSV until 15 months after they were supposed to.
The problems are still continuing and now the cabinet has started developing an alternative solution that it anticipates will launch at the beginning of 2020. This hiccup led to higher operating overheads than the DBS and FCOS cost as separate entities, as the government had to invest in extra staff.
The essential guide to cloud-based backup and disaster recovery
Support business continuity by building a holistic emergency planDownload now
Trends in modern data protection
A comprehensive view of the data protection landscapeDownload now
How do vulnerabilities get into software?
90% of security incidents result from exploits against defects in softwareDownload now
Delivering the future of work - now
The CIO’s guide to building the unified digital workspace for today’s hybrid and multi-cloud strategies.Download now