UK Cabinet Office hands stalled Microsoft migration to another department
- Reference: 1758090610
- News link: https://www.theregister.co.uk/2025/09/17/cabinet_office_microsoft_migration/
The project, which began in May 2022, aimed to move around 15,000 Cabinet Office users to M365.
A [1]recent report from the National Infrastructure and Service Transformation Authority (NISTA), the HM Treasury unit that advises government on major projects, said the initial approach was for the Cabinet Office to build its own IT system for this change, dubbed the "Falcon programme."
In its recent report, NISTA said that the Cabinet Office's management of the project "was not the most cost-effective option."
"We have now approved a new plan. This involves moving our digital services to a shared government service called Integrated Corporate Services (ICS), which is managed by the Department for Energy Security and Net Zero (DESNZ)," the NISTA report said.
"While this new approach means the project will take a bit longer to complete, it will save money in the long run by using an existing government service."
The NISTA rating for the project remained "red" in line with an earlier assessment from the Infrastructure and Projects Authority (which NISTA replaced) for the final quarter of the 24/25 financial year.
"This is primarily due to concerns that the Programme does not have the resources to transition the Cabinet Office Business Units (BUs) to the new services within the planned time frame. The delay in the Pilot, now projected for completion by September 2025, has contributed to this assessment," NISTA said.
However, in moving the project under the wing of DESNZ, the government hopes to save money. NISTA noted that the whole life cost of the project was expected to fall from £51 million to £23 million. The savings come from the Cabinet Office no longer having to build its own platform, "outsourcing to another government department and securing migration resource from Microsoft and partners at no investment cost."
The NISTA report said it was important to move off Google because it is different from the Microsoft systems used by most of the Cabinet Office's partners both inside and outside of government. "This difference can make working together and sharing information difficult," the report said.
[7]UK.gov decides tech projects worth billions are major but not 'mega'
[8]Get paid like a prime minister to tame Home Office IT chaos
[9]So much for the paperless office: UK government inks £900M deal for printers etc.
[10]Faced with £40B budget hole, UK public sector commits £9B to Microsoft
"Moving to Microsoft 365 will help us work more effectively and efficiently. It's becoming more and more important for us to collaborate easily with people from other organisations, who might be in different places, using different devices, and working at different times. This change will also allow us to use new Artificial Intelligence (AI) tools that are being developed across government."
The project is yet to move staff and data from the old Google system to the new Microsoft platform.
The Register [11]revealed last year that the Cabinet Office paused its migration away from Google Workspace to M365 after ditching the Microsoft contract.
At the time, a Cabinet Office spokesperson said a "planned pause" had always been on the cards after the discovery phase, in order for the Cabinet Office "to submit the full business case and fully embed all work and learnings to inform our progress."
The Cabinet Office initially hired French IT giant Capgemini to provide services for the migration, in a deal worth between £12 million and £15 million.
The Register has offered the Cabinet Office the opportunity to respond.
The Cabinet Office once included Government Digital Services, which began its "journey" with Google Workspace in 2010-2011. The GDS has now become part of the Department for Science, Innovation and Technology (DSIT). A separate Cabinet Office IT platform, which included the Google tools, was rolled out in 2014-2015.
With the Falcon programme now under the wing of DESNZ, The Register wonders if the Cabinet Office has managed to stay on the project timeline for organizing Google's leaving drinks in a nearby brewery. ®
[1] https://www.gov.uk/government/publications/nista-annual-report-2024-2025
[7] https://www.theregister.com/2025/09/15/ukgov_decides_tech_projects_are/
[8] https://www.theregister.com/2025/09/10/home_office_cdio/
[9] https://www.theregister.com/2025/09/08/uk_government_printer_deal/
[10] https://www.theregister.com/2025/08/07/uk_microsoft_spending/
[11] https://www.theregister.com/2024/02/15/cabinet_office_microsoft/
Even worse than that, I think.
Case in point, UK police use Office 365 for sensitive information that is stored in Microsoft's cloud. Scottish policing authorities have been asking questions about that probably because of the impact of the US Cloud Act. From: https://www.computerweekly.com/news/366629871/Microsoft-refuses-to-divulge-data-flows-to-Police-Scotland:
"Other than Microsoft declining to provide information about transfers “for reasons of confidentiality”, the DPIA identified a range of other issues, including that Microsoft is in possession of the encryption keys (meaning it would be able to access all the data held and hand it over to the US government if required to under the country’s invasive laws), and is refusing to allow UK police to vet Microsoft employees who could be accessing the data from overseas."
and
"This effectively gives the US government access to any data, stored anywhere, by US corporations in the cloud."
Confused. (And not in any way an MS defender.)
I tried clicking through to the article within the article about Microsoft being in possession of encryption keys but it seems to be mentioning a 3rd party rather than MS themselves in the headline.
I didn't read the full article because I didn't want to sign up for yet another news site to spam me with constant mails.
I also thought customers could supply their own encryption keys rather than using MS provided ones.
I've not looked at the nitty gritty of that though so I'm presuming there is some wriggle that MS could do to access data outside of the Customer Lockbox idea.
“You hold the keys” is the classic reassurance, but it’s a half-truth. Keys only matter if you also control the machines that use them - and in the cloud, you don’t.
A US court order under the CLOUD Act doesn’t need to steal your key. It can compel Microsoft (or AWS, Google, etc.) to:
- Run decryption on your behalf. Even with BYOK, the key has to pass through the provider’s HSMs or APIs. They can be ordered to use it and hand over plaintext, without your knowledge.
- Intercept data in transit. Providers control TLS and backbone keys. Compel those, and they can silently read traffic before your encryption at rest ever applies.
- Sabotage your control. They can freeze key deletion, snapshot your systems, or push a “security update” that quietly extracts what’s needed.
- Erase the evidence. Gag orders mean the provider is legally barred from telling you they complied. They can be forced to lie by omission, suppress warrant canaries, and act as if nothing happened. From your perspective, the system keeps running - but your data may already be in Washington (and then take a day trip to Moscow, courtesy of Krasnov).
Lockbox, BYOK, all of it - theatre for customers. It might stop a rogue admin, but it doesn’t stop the state actor that might turn hostile tomorrow.
If your critical data lives in a US provider’s cloud, access ultimately lives at the discretion of American courts. Pretending otherwise isn’t security - it’s self-delusion.
DESNZ
They're giving control of the project to move to AI-centred work to the department which is ideologically committed to reducing energy consumption at any cost?
Pass the popcorn.
Re: DESNZ
DEES NUTZ
Frying pan and fire come to mind.
The Only Phrase In This Report..............
......which seems to be in line with reality is "...Google remains a red risk....".
Just saying!
Ikea Cabinet Office
The Cabinet Office is patting itself on the back for cutting “costs” by crawling onto Microsoft’s carpet. £51m down to £23m - a nice accounting trick. But those millions aren’t savings. They’re subsidies to the US economy, paid for by British taxpayers, while our own economy circles the drain.
At a time when the cost of living crisis deepens, growth flatlines, and British firms struggle to survive, government policy is literally exporting jobs, skills, and money overseas. Instead of paying British engineers to build sovereign capability, we’re wiring cash to foreign megacorps whose shareholders don’t live here, don’t pay tax here, and don’t care what happens here.
Dependency is bad enough. But this is dependency that actively hollows out our domestic economy. Every licence, every migration fee, every support contract strengthens someone else’s GDP, while the UK’s shrinks. It’s the digital equivalent of deindustrialisation - shutter the factories, then rent them back from abroad at a markup.
And we’re told it’s all worth it because “collaboration will be easier” and “AI tools” are coming. The truth: Britain is paying tribute to foreign tech empires because Whitehall can’t be bothered to invest in its own talent. Sovereign capability was sold for the price of a few rounds at Google’s leaving drinks.
And let’s not mention the Cloud Act... One bad day in Washington and the Cabinet Office is locked out of its own house.
IMHO, moving from Google to Microsoft is not going to change a shred in protecting confidentiality. Still subject to the Cloud Act and other mechanisms.
It's actually worse with MS because they also control the OS and the authentication path.