
Software vendors: Consultation on a proposed code of practice for software vendors

The Local Government Association (LGA), Society for Innovation, Technology and Modernisation (Socitm) and iNetwork provided a joint response to the Department for Science, Innovation and Technology's (DSIT) call for views on a proposed code of practice for software vendors.


About us

The Local Government Association (LGA) is the national voice of local government. We are a politically led, cross-party membership organisation, representing English councils. Our role is to support, promote and improve local government, and raise national awareness of the work of councils. Our mission is to improve the secure and inclusive use of digital technology by councils and communities. 

The Society for Innovation, Technology and Modernisation (Socitm) is a membership organisation of more than 2,500 digital leaders engaged in innovation and modernisation of public services. Established for more than 30 years, our network combines to provide a strong voice, challenge convention, and inspire change in achieving better place-based outcomes for people, businesses, and communities.

iNetwork is a membership-led partnership for local public sector organisations. Established 20 years ago, we currently have over 120 members across the North West and Yorkshire and Humber. We have a strong collective voice, empowered to confront the most pressing challenges in the local public sector and to drive innovation and change that enhances service delivery for our residents, patients, tenants and service users.

Key Messages

  • Local government faces a significant compliance burden due to the absence of a unified software supply chain standard. This forces individual councils to develop their own standards, consuming valuable resources and hindering productivity in a sector already grappling with workforce shortages.
  • The concentrated nature of software markets serving local government limits competition and reduces council bargaining power. Government intervention is needed to foster a fairer market and encourage innovation.
  • The current landscape of voluntary codes and standards lacks clarity and coherence. This hinders compliance and weakens council purchasing power. A unified, simple and strengthened approach for both vendors and buyers is essential to streamline the process and improve overall software security.
  • To build trust and confidence in the software supply chain, rigorous independent verification and certification are required. Reliance on self-assessment is insufficient.
  • While the code's increased clarity on vendor responsibilities following a cyber incident is a welcome step, it falls short of ensuring adequate protection for vulnerable residents. We advocate for mandatory cooperation and communication between vendors and councils during cyber incidents.
  • Effective software procurement requires a holistic approach that extends beyond vendor responsibilities. Local authorities need comprehensive support to build procurement capacity and acquire secure and resilient software.

Introduction

The LGA, Socitm and iNetwork welcome DSIT's call for views on the proposed code of practice for software vendors. Given the modular approach adopted by DSIT, this response should be read alongside our response to the artificial intelligence (AI) and cyber security code of practice; both responses reflect the interdependencies between software and AI security.

Local government forms a significant part of the public sector, with £121 billion[1] annual spend and a workforce of 1.32 million[2] – second only to the NHS. Local government is responsible for a range of vital services for people and businesses throughout the UK, interacting with every household in Britain at different points of the lifecycle. Services include support to the most vulnerable in our society through adult and children’s social care, and housing, as well as schools, licencing, business support, registrar services and planning.

Cyber resilience and supply chain security are critical challenges for local government. Supply chain vulnerabilities pose a significant threat to councils, necessitating a national response. The dramatic surge in software supply chain attacks—a 742 percent average annual increase between 2019 and 2022[3]—has inflicted substantial damage and disrupted essential services in local government. There has been an increase in the number of supply chain incidents that councils have been managing over the past two years. In the context of adult and children’s social care, this can involve data breaches of services that support councils’ most vulnerable residents. Whilst not all supplier incidents are reported publicly, high-profile attacks in recent years have underscored the urgency of this issue.

Councils' continued digital transformation offers unprecedented opportunities to enhance public services for citizens. However, the sector's increasing reliance on software has exposed councils to heightened vulnerabilities. As councils seek to deliver services that are 'secure by design', there is rapidly growing concern about the security of the supply chain, and that cyber security practices are failing to keep pace with innovation and are introducing risk to the sector. The software supply chain carries particular risks that are reflected in this response.

Cyberattacks, fuelled by rapid technological advancements, including AI, pose a significant threat to essential services and resident data. The critical importance of supply chain security highlights the urgent need for robust cybersecurity practices that can keep pace with innovation and mitigate risk. The LGA has been supporting councils with supplier incidents and been engaging with Government on the software supply chain, including responding to the software resilience call for views last year[4], and facilitating engagement between DSIT and councils as these proposals were developed. This response has been informed through this continual engagement with the sector.

The proposed code of practice for software vendors is a welcome step in addressing the critical cyber threat facing local government. Whilst councils are taking steps towards improving their own cyber resilience and posture, councils urgently require support to mitigate supply chain risks. We believe a robust standard is essential to enhancing software security and protecting public services. However, local authorities operate within a complex environment with unique procurement challenges.

Key Considerations for Local Government

Council context

Local Government context and compliance burden

Local authorities exhibit a wide range of capacities and capabilities. Significant disparities exist in council size, financial resources, and workforce, with large upper-tier councils often employing over 5,000 staff while district councils may have fewer than 500. These differences are often particularly pronounced in IT and procurement functions. Procurement team cultures vary widely across councils; software procurement processes often involve oversight from IT teams, although this is not a universal practice and differs between authorities. Furthermore, while larger councils often have dedicated software procurement teams, smaller authorities may lack the specialist expertise and capacity to implement new processes. This sector-wide inconsistency in software procurement practices could impede the effective implementation of the code of practice.

In supporting councils' organisational cyber resilience, the LGA has been hugely supportive of the development of the Local Government Cyber Assessment Framework (LGCAF)[5]. Currently, councils face a significant compliance burden from duplicative and conflicting standards imposed on them in their data sharing with central government. The LGA has been advocating for the LGCAF's potential as the central assurance framework for councils. In the absence of this clarity and coherence, the current landscape undermines the streamlined approach envisioned by the Government Cyber Security Strategy, and can lead to the misemployment of limited resources, distracting councils from more holistic, whole-organisation cyber security improvements.

In the absence of one clear software supply chain standards regime, an additional burden is placed on councils to establish their own standards and methods of assurance to secure their systems and manage risk. Each of the 317 councils in England must do this individually, which impacts productivity and places a further resource strain on the sector at a time when local government workforce pressures are already significant.

Additionally, the imminent introduction of the Procurement Act 2023[6] in October is placing significant strain on local council procurement teams, who are already grappling with substantial mandated changes to their practices. This heavy workload limits councils' capacity to fully consider and implement this new code of practice within the broader policy landscape, and it is unclear whether this proposed software code of practice has considered the Procurement Act and the opportunities it presents to drive adherence.

The code of practice does not clearly define the role of a developer. Many councils with advanced digital capabilities develop their own tools to address specific service challenges by configuring existing software or building upon it as a platform. Although the code claims to cover all organisations that develop or sell software, it fails to address the creation of these unique tools. This leaves ambiguity about whether councils building tools in this way are subject to the code. We have therefore focused on councils as buyers.

Local government market dynamics

The concentrated nature of the various software markets that councils rely on to deliver their statutory duties presents a significant challenge for local authorities. This can result in an imbalance of market and buying power between councils and suppliers, with suppliers dictating terms and conditions to local authorities that have limited alternatives. This lack of competitive pressure diminishes the urgency for vendors to prioritise software updates and security patches, creating an increased cyber risk for councils. It also leaves councils with less power to negotiate security improvements that could strengthen the security of vital council systems. In some instances, this imbalance can also stifle innovation.

The exorbitant costs of switching software suppliers significantly exacerbate the power imbalance between councils and their providers. These financial barriers hinder councils' ability to seek alternative solutions, even when existing software suppliers do not meet recommended standards.

To counteract this imbalance and foster a fairer market, the Code of Practice should prioritise measures that stimulate competition, promote fair dealing, and enhance transparency. This could include provisions that encourage market entry for smaller innovative suppliers, establish clear guidelines for vendor conduct, and mandate regular security audits and vulnerability disclosures.

In addition to these market-based interventions, government support is essential to level the playing field. Central government can play a pivotal role in developing procurement strategies and relationships that support collective negotiation and strengthen council buying power to negotiate more favourable terms and conditions. We welcome the CDDO's review of strategic supplier relationships to the public sector and are working with them to ensure that local government's suppliers, and its priorities for suppliers serving both central and local government, are incorporated. This strategic supplier engagement will be instrumental in driving adherence to this code through the coordinated buying power of the UK's public sector. However, local government needs and context must continue to inform this initiative, and councils must derive value from innovation funding that is achieved through strategic relationships.

By fostering collaboration between central and local government, shared purchasing power can be leveraged to achieve better outcomes. Additionally, targeted support for councils in managing complex supplier relationships can enhance their negotiating capacity and mitigate risks.

The Code

Coherence and clarity across different voluntary codes and standards

The current landscape is cluttered with a proliferation of codes and standards aiming to address security in the supply chain, which can compromise the objective of trust and assurance that councils require in software suppliers to vital services. Councils have therefore been calling for one standard that clearly articulates good practice and expectations of suppliers. We welcome the clarity that has been provided regarding the modular approach DSIT has adopted across this code, the AI and cyber security code, and the governance code of practice. While Cyber Essentials[7] is referenced in the code, its relationship to other existing standards such as ISO 27001[8] and emerging AI standards such as those developed by the Responsible Technology Adoption Unit (AI Management Essentials[9]) remains unclear. This clarity and coherence are vital to achieve supplier adherence and to strengthen council buying power.

It is also unclear how this standard aligns with the Cyber Assessment Framework. The Ministry of Housing, Communities and Local Government (MHCLG) is currently piloting a Local Government Cyber Assessment Framework in which, like GovAssure, it is adopting a critical systems approach. These critical systems will be underpinned by software, so it is crucial that Government-developed codes are coherent with the assurance mechanisms being introduced for the public sector.

Voluntary nature 

While the proposed code of practice is a welcome step, its voluntary nature could significantly hinder its potential effectiveness. To ensure meaningful impact, we urge the government to strengthen its proposed approach, particularly in high-risk service areas. While incentives like public recognition for compliant suppliers may be beneficial, they are unlikely to be sufficient to address the systemic challenges posed by a voluntary approach. 

The code's increased clarity on vendor responsibilities following a cyber incident, including timely communication and support, is a positive step (Principle 4: Communication with customers). However, stronger measures are needed. We advocate for mandatory cooperation and communication in cyber incident response so that councils can manage the risk to residents (often the most vulnerable) in the wake of a supplier incident. This regulatory approach mitigates the impact of cyberattacks by ensuring robust vendor support. We look forward to reading more details on the planned Cyber Resilience Bill[10].

External verification/auditing

A more rigorous framework is essential to build trust and confidence in the software supply chain. This should include independent assessment and certification mechanisms to verify supplier compliance. Reliance solely on supplier self-attestation is insufficient. 

In our previous call for views response[11], we called for an enhanced role for the Crown Commercial Service and other Public Buying Organisations (PBOs) in leading this for buyers purchasing through their frameworks. More consideration must be given to how this can be done centrally, particularly for suppliers deemed to be strategic across the public sector. This would save time and resources compared with multiple departments and councils doing it separately, would strengthen the security of councils with less capacity and resources to do so, and would make the best use of the auditing and verification expertise that exists.

We understand from previous engagement with DSIT that the National Cyber Security Centre's (NCSC) Principles Based Assurance scheme was being considered as a means to externally verify suppliers should they choose to adhere to this more rigorous assessment. A testing lab that met international standards delivered by a globally renowned centre of excellence such as the NCSC could work well if imposed for software suppliers deemed higher risk by central and local government. 

Capacity building 

Buyer Support

While the code of practice is primarily targeted at suppliers, its successful implementation hinges on active participation from buyers. Councils must seamlessly integrate code of practice requirements into their procurement processes to maximise its benefits.

Alongside comprehensive support for IT service leads, a concerted effort must be dedicated to equipping procurement teams with the necessary tools and knowledge to effectively incorporate the code of practice into their software purchasing cycle. 

To ensure a smooth transition and widespread adoption, fostering ongoing dialogue with software buyers is crucial. This engagement should focus on understanding the challenges faced by ICT and procurement teams, gathering feedback on the code of practice’s practicality, and providing tailored support to facilitate implementation. 

Smaller councils are particularly vulnerable due to limited resources and budgetary constraints. To address these challenges, we recommend providing tailored guidance and potential funding to support smaller authorities in implementing the Code of Practice. This targeted support will help to bridge the capability gap and ensure equitable adoption across the sector.

Supplier Support

A diverse supplier market, encompassing both large tech firms and SMEs, is essential to drive innovation and improve service delivery within local government. The code of practice should proactively outline support mechanisms to assist suppliers, particularly SMEs, in meeting the required standards. Given the significant disparities in resources and capabilities between large enterprises and SMEs, smaller suppliers may face greater challenges in complying with the code. 

This disparity underscores the critical importance of tailored support to level the playing field and prevent the code from inadvertently reinforcing existing market dominance. Neglecting to support SMEs could exacerbate market concentration and limit the potential benefits of the code.

Simplifying the adoption process for this code of practice benefits both councils and SMEs. Councils will reduce the high administrative and compliance burden while SMEs will encounter fewer barriers to entry, fostering a more competitive market for innovative suppliers.

Beyond the Code of Practice 

While the code of practice is a positive step towards greater supply chain transparency, it is essential to recognise that robust software procurement requires a holistic approach extending beyond vendor responsibilities. Local authorities need comprehensive support to effectively procure secure and resilient software.

  • Contractual Provisions: Developing standardised, enforceable contract clauses is crucial to safeguarding local authority interests. The code of practice should provide clear guidance on essential provisions such as service level agreements, data protection, and exit strategies. However, additional support is needed to develop, standardise, and enforce these clauses effectively.
  • Wraparound Support: To fully realise the benefits of the code of practice, local authorities require access to cybersecurity expertise and resources to support system upgrades. A comprehensive support package should be provided to address these needs.
  • Procurement Capacity Building: Equipping procurement teams with the necessary skills and knowledge to identify and mitigate supply chain risks is essential. Specific focus should be placed on training procurement professionals to safeguard critical assets and sensitive data. By empowering procurement teams with the tools and expertise to assess supplier security posture and contractual obligations, councils can significantly enhance their resilience against cyber threats. Procurement teams are currently under significant pressure due to the implementation of the Procurement Act 2023. While this presents challenges, it also offers opportunities to enhance supply chain cybersecurity. Initiatives such as the central digital platform, which mandates supplier disclosure of specific information, provide a significant opportunity.
  • Transparency in the software supply chain: Suppliers' lack of transparency in software development poses a significant challenge. Councils struggle to assess risks due to limited information about software components and architecture. This opacity hinders vulnerability management and incident response. Government must consider how to introduce secure mechanisms for sharing information about vulnerabilities and malicious code between local government, developers, distributors and researchers.

By adopting a coordinated approach that includes both vendor responsibilities and buyer capabilities, the government can create a more secure and resilient software ecosystem for local authorities.

Key Contacts

LGA: Jenny McEneaney
Senior Improvement Policy Adviser: Cyber, Digital, and Technology

LGA: Tom Hindmarch
Improvement Policy Adviser: Cyber, Digital, and Technology

Socitm: Martin Ferguson
Director of Policy & Research

iNetwork: Shelley Heckman
Partnership Director

Endnotes

[4] LGA (2024). Software resilience: LGA and Socitm response to call for views on software resilience and security for businesses and organisations: https://www.local.gov.uk/our-support/cyber-digital-and-technology/cyber-digital-and-technology-policy-team/software-resilience