The Cabinet Office has indicated there are plans to develop a new National Security Vetting System (NSVS), while retaining IT and business consultancy CGI to manage the existing solution.
It has published a transparency notice on the renewal of the company’s contract to host and manage the current system for the UK Security Vetting (UKSV) Agency.
The notice contains no details of duration or value, but says it is not possible to get a new solution in place in time for the current contract’s planned expiry in February of next year. CGI owns a component of the intellectual property, the system involves a specific set of security controls and the Cabinet Office says there is no suitable off-the-shelf alternative for a quick procurement.
Under the new agreement CGI will be required to provide enhanced performance management and reporting with clear exit obligations and commercial model that shows value for money.
“These new provisions will mean that the UKSV transformation programme can open up options for a long term replacement solution for NSVS,” the notice says.
Transformation progress
The legacy system is about 10 years old and in need of transformation, which is being looked at by UKSV.
Work on the transformation has been delayed by a surge in demand for security vetting caused by the war in Ukraine and a backlog from Covid-19. It has resumed but it is not practically possible to have a replacement systems in place by the time of the current contract’s expiry.
“NSVS is faced by highly sophisticated attacks conducted by nation states with near limitless resources,” the notice says. “A complex set of specific requirements are needed to help keep NSVS (and more importantly the vetting data that it holds) safe and secure, which are being developed as part of the planning for a replacement system and service.
“The current system is held in a high trust environment in the MoD estate, accredited to a set of standards set by the UK Government's national technical authorities including the National Cyber Security Centre and the National Protective Security Authority (NPSA, formerly CPNI). The system is subject to monitoring and access control procedures that are conducted by the MoD, tailored to the configuration of the NSVS system and platform.”