Digital and technology spend control version 6
Updated 27 March 2025
© Crown copyright 2025
This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.
Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.
This publication is available at https://www.gov.uk/government/publications/digital-and-technology-spend-control-version-6/digital-and-technology-spend-control-version-6
What the digital and technology spend control is for and how it works
Spend controls exist to provide functional assurance of central government spending. This is in order to achieve greater efficiency and better outcomes across the whole of government. This is explained more in the Cabinet Office controls policy, along with the different types of Cabinet Office spend controls that need to be followed.
The Government Digital Service (GDS) is responsible for the digital and technology spend control with assurance that focuses on:
- following digital standards to make services better and cheaper to run
- eliminating duplication of digital spend across government and organisations
- making sure that activities are aligned with the government’s digital strategy
- helping novel, complex and high-risk activities succeed
Your department should check the Cabinet Office Controls policy for information on other controls that you must comply with as well. You should ask for advice from your departmental assurance teams for guidance and to find out if there are other requirements or internal governance that your organisation wants you to meet as well.
Pipelines
The digital and technology spend control is based on central government organisations maintaining a forward looking pipeline of planned digital and technology spend.
Your organisation’s assurance function will provide assurance of your plans and activities. They will consider risks and how well the proposed activity and your approach complies with digital and technology standards used for assurance. These standards are intended to make sure projects are successful in meeting their objectives. You must follow these standards from the outset in order to put yourself in a good position for getting approval for your spend request.
Check when spend approval is needed
You must make sure that you get spend approval before committing to any digital or technology spend which are above the spend thresholds.
Any spend that is related to digital or technology delivery is in scope of this control. This includes spending on resources.
Spend thresholds to be aware of
GDS has certain thresholds that apply depending on what it is you want to do and how much you want to spend. This applies to all spend requests, including business as usual (BAU) activities.
The thresholds apply to the spend amount that you want approval for. If this amount is not the full anticipated cost, then you need to make clear any potential projected spend in the supporting information you provide with the spend request. If your spend request is below the threshold but the potential whole life cost is above the threshold, then you must also submit your spend request for approval.
| Your spend is related to | You must get approval if you’re planning to spend more than |
| Crypt-Key in accordance with the Crypt-Key Control | £0 |
| A public facing service | £100,000 |
| All other spend on digital, data and technology | £1,000,000 |
If you are not sure which of the above thresholds apply to your spend, please get in touch with your organisation’s internal assurance team or your nominated GDS adviser. You can contact the GDS assurance team using the following email address: gdsassurance@digital.cabinet-office.gov.uk.
Spend approval points
You need to get approval at important points of your planned spend timeline. Approvals must be sought at the following stages:
- Strategic Outline Case (SOC) or Programme Business Case (PBC) if you already are planning to spend any money at that stage
- Outline Business Case (OBC)
- when you are buying something, before you start your procurement in going out to market
- when you are buying something, after you finished your procurement but before you award the contract
- at the start of each agile delivery phase (discovery, alpha, and beta), after each phase before you move to the next one
Any approval you ask for will be based on your progress to date and includes any changes you’ve made to your planned approach going forward.
Digital and technology standards used for assurance
Digital and technology assurers will apply their professional judgement when reviewing cases, whether they are part of your organisation’s assurance function or GDS.
They will take into consideration the value for money of the proposal and the following standards and guidance:
- Risk and importance rating of the proposed spend activity
- Technology Code of Practice
- Alignment to strategic commitments that check how well the spend is aligned with the government’s digital strategy
If you are building a service, you should check if you need to meet the Service Standard or get an assessment.
The level of detail in the evidence you provide should be proportionate to the risk, size and complexity of your spend activity. This will help digital and technology assurers easily find the important information they need to review your spend case.
Assurers may ask you follow-up questions or ask for more information. This can be necessary before giving you a response to your approval request. It is important that you answer their requests in full and in a timely manner to avoid delays.
How to get approval to spend
You must submit your digital and technology case on the get approval to spend service when you start to plan or up to 12 months before you expect to start spending. You can continue to add information as you develop your plans.
Your organisation will have the option to bulk upload cases through your internal assurance team. The service also allows for any appropriate person from the organisation to load individual cases. This might be a delivery professional with budget responsibilities, someone they delegate to, or an assurance professional.
You will use the get approval to spend service and go through the steps to determine a:
- risk and importance rating which will determine a high, medium or low rating of your case
- assurance rating which will establish if your spend is meeting standards and help determine whether your case is rated as assure, monitor, control or pending
An assurance board will review your information and you will be given a spend approval decision with an outcome of either approved or rejected.
If your case needs to be reviewed by GDS then there is a 28 day service level agreement (SLA) in place. This starts at the point at which GDS is satisfied that sufficient information has been provided for assurance. If GDS has any clarification questions, the 28 day SLA will pause, only starting again when GDS is happy that they have a full answer.
Risk and importance rating
Cases are scored against the risk and importance criteria using the risk and importance framework on the get approval to spend service. These ratings form part of the overall assessment for a digital and technology case, helping to determine how the case will ultimately be assured and approved.
Your case will be given one of these risk and importance ratings:
- high
- medium
- low
The rating is calculated automatically as part of the submission. You will be told if your case has a high, medium or low rating.
High risk and importance
If your request is scored as being of high risk and importance, GDS needs to be consulted in the assurance rating. This will include supporting your organisation’s assurance function and helping to decide what level of assurance a case receives.
Medium risk and importance
If your request is scored as being of medium risk and importance, GDS needs to be involved in the assurance rating. The only exception is if GDS has granted your organisation greater autonomy for spend assurance decisions. The get approval to spend service will tell you if this applies to your organisation.
Low risk and importance
If your request is scored as being of low risk and importance, no further assurance is needed from GDS. You can proceed with the spend in accordance with any internal governance or assurance processes.
For the vast majority of cases these are areas of low complexity, repeat, commoditised or routine spend that are required to support business as usual (BAU) activities.
Assurance rating
After the risk and importance rating is determined, the digital and technology assurers will assign an assurance rating. The ratings applied are as follows:
- assure
- monitor
- control
Assure
A rating of ‘assure’ means that a spend case meets digital standards and there are no concerns about the successful delivery of the expected outcome.
Monitor
A rating of ‘monitor’ means a spend case has delivery or technical challenges which need further action before it can be classed as ‘assure’.
Control
A rating of ‘control’ means a case is novel, complex or contentious which will need further assurance to approve.
If your case does not have enough detail, or more information is needed to assess the case, it will remain as a ‘draft’.
When you are notified of the outcomes of your spend request, the assurance rating may come with conditions. For example you may be asked to do something else such as a service assessment. If there are conditions, you will be asked to report on progress and demonstrate that you have met them.
High risk or control cases
Cases that are high or medium risk will be assured by your organisation’s assurance board involving your GDS adviser. This could result in the rating being changed to ‘control’. An example is a case that is misaligned to standards or is contentious.
Cases that are high risk or control will be assured in more detail by your organisation’s assurance function against the Digital and data function’s strategic commitments, and if the spend relates to a service, the service standards. You will be asked to answer some more questions on the get approval to spend service. Your organisation’s assurance board or GDS assurance adviser may also ask you to provide more information to support your spend approval request.
Earned autonomy is where GDS gives greater autonomy in digital and technology spending to organisations with a high level of assurance capability, for low and medium risk cases as described in the risk and importance framework. This means that the organisation’s assurance function does not need GDS involvement in approving low and medium risk cases.
If your organisation is operating with Earned Autonomy you still need to complete a service assessment where necessary. You can check if you need to meet the Service Standard or get an assessment.
Cases that are submitted to GDS will be approved by either your organisation’s GDS adviser or the GDS assurance board depending on the level of risk of that case.
Outcomes of your spend request
The possible outcomes of your digital and technology spend request are:
- approved
- approved with conditions
- rejected
Request approved
Your case has been approved with no conditions and you can proceed with the spend.
Request approved with conditions
Your case has been approved with conditions that will need to be met to improve the planned spend. You will need to complete the conditions before you apply for approvals again.
Request rejected
Your case has been rejected. You may need to resubmit your case with additional detail or explore different ways to do what you were planning.
Your GDS adviser will support you through this resubmission.
If your assurance board provides you with an outcome rated as assure or monitor, and there are no conditions that must be met prior to starting work, you may proceed with spending. Cases rated as control will require further scrutiny by GDS.
Ministerial cases and process
Certain cases that represent significant risk, expenditure or are highly contentious may be flagged to a Cabinet Office minister for spend approval.
Your GDS adviser will manage the ministerial approval process for you and communicate the results.
Control cases that are determined by GDS to need ministerial approval will be assessed at the ministerial spend control panel. GDS will provide advice and recommendations to the minister for approval.
Setting up a digital assurance function
Your organisation is expected to set up an assurance function as outlined in the digital functional standard.
This expectation includes partner organisations that have capacity to assure their digital programmes.
If your organisation does not have its own assurance function or can’t use another organisation’s, you still use the get approval to spend service for approvals. GDS will review the case and engage with you directly on managing the assurance of the case.
To use the digital and technology spend control process, your organisation’s assurance function must:
- create a digital and technology spend controls pipeline in the get approval to spend service
- set up a spend controls assurance board that will decide on spend approvals
- manage and follow internal and external approval routes
- manage processes to re-evaluate spend activity if there are changes to a case after it is initially assessed
- work with GDS to review spend activity
- record and track stated conditions from the spend approval process
- ensure you are seeking approval from all other relevant Cabinet Office functional assurance teams should your spend hit the thresholds for multiple spend controls
Crypt-Key Control
Within the digital and technology spend control process, GDS monitors all investment in Crypt-Key above a threshold of £0. Any spend on Crypt-Key needs to be assured by the National Cyber Security Centre’s National Crypt-Key Centre, to make sure that spend is aligned with the National Crypt-Key strategy. This is in addition to the digital and technology assurance as defined in the rest of this policy.
If this applies to you, contact your organisation’s Crypt-Key lead and GDS adviser to ensure compliance with the Crypt-Key spend controls. You can contact spendcontrols@ncsc.gov.uk if you do not know who your Crypt-Key organisational lead is.
Contact
Email gdsassurance@digital.cabinet-office.gov.uk for questions on the digital and technology spend control process.