Kenya's public investment in information and communications technology has expanded substantially over the past decade. The World Bank's Kenya Digital Economy Acceleration Project, approved in 2023 at a value of $390 million, is among the largest single ICT investments in East African public administration.<sup>1</sup> The government's Digital Masterplan 2022–2032 commits to the digitalisation of eighty percent of public services, the establishment of open source development infrastructure, and the creation of a unified Government Enterprise Architecture.<sup>2</sup> Against these commitments, the empirical record of government ICT system performance presents a persistent and troubling contrast. Forensic audits have documented billions of shillings in losses attributable to system failures; critical government platforms have experienced repeated, extended outages; a nationally deployed identity management system was halted by court order after over Sh10 billion had been expended; and the country's principal public financial management system has repeatedly been identified as a primary enabler of large-scale procurement fraud.<sup>3</sup>
This pattern of failure is neither incidental nor reducible to individual malfeasance, though corruption is demonstrably present in specific cases. The failures share a common structural origin: Kenya's Public Procurement and Asset Disposal Act (2015) and the institutional practice it governs treat software as a procurable commodity — a category of acquisition that can be fully specified before development commences, priced through competitive bidding, and delivered as a finished product. This classification encodes a set of epistemological assumptions that are fundamentally false for software systems. The result is a procurement architecture that makes successful software development not merely difficult but structurally improbable, regardless of vendor capability or institutional intent.
I. The Procurement Framework and Its Embedded Assumptions
The Public Procurement and Asset Disposal Act (PPADA) 2015 governs all government acquisitions, including ICT and software systems. The Act mandates that procurement be conducted in a manner that is "fair, equitable, transparent, competitive and cost-effective."<sup>4</sup> These are principled objectives. The procedural architecture through which they are pursued, however, is designed for the acquisition of commodities: goods with stable, knowable specifications, between which competing suppliers offer commensurable products, and in which the lowest compliant price represents the most efficient use of public funds.
The Public Procurement Regulatory Authority's implementing guidance for ICT procurement instructs evaluating agencies to identify the "lowest evaluated offer taking into account total cost of ownership."<sup>5</sup> The acknowledgement of total cost of ownership represents a rhetorical gesture toward software's distinctive economics, but it is not operationalised in evaluation methodology. The framework contains no provision for iterative delivery, no mechanism for adaptive requirement specification, no contractual structures for post-award learning, and no instruments for measuring vendor capability in software development as distinct from vendor capacity to produce a compliant written proposal. These are not marginal omissions. They are definitional features of successful software development — and their absence is the root of the problem.
The Core Mechanism
The procurement process as structured by PPADA requires that procuring entities publish a detailed statement of requirements before inviting bids, that vendors respond to those requirements in full, and that contracts be awarded on the basis of the evaluated response. The entire architecture presupposes that requirements can be known — with sufficient precision — before development commences. This assumption is reasonable for the procurement of office furniture. It is epistemically false for complex software systems serving adaptive institutional needs.
II. Software as a Non-Commodity: The Theoretical Case
The characteristics that render commodity procurement logic appropriate for physical goods — specifiability, fungibility, stable value over time — are systematically absent in software systems.
Software requirements are emergent rather than fixed. Complex systems serve human institutional processes that are themselves adaptive; the requirements of a system can only be fully understood through the process of building and operating it, not prior to that process. This is not a failure of planning but a structural property of complex sociotechnical systems. As Beck et al. argued in the Agile Manifesto (2001), the appropriate response to this property is iterative development — continuous delivery of working software with regular feedback cycles — rather than exhaustive upfront specification.<sup>6</sup>
Software also depreciates continuously without active maintenance. Unlike physical goods, which degrade through use, software degrades through inaction: security vulnerabilities accumulate, dependent systems evolve, and the organisational contexts the software serves change. A software system that is not actively maintained becomes a liability rather than an asset. Procurement frameworks that treat software as a deliverable — something invoiced and received on a specific date — systematically exclude the ongoing stewardship that software requires.
And unlike a desk procured from one supplier, a software system is not functionally equivalent to a system at the same price point from another vendor. Quality depends on architectural decisions, code structure, security practices, and implementation approach — factors that cannot be assessed from written proposals and that vary enormously between vendors.
The empirical consequence of misapplying commodity logic to software has been extensively documented. The Standish Group's CHAOS Report, tracking software project outcomes since 1994, found that only thirteen percent of large government IT projects succeed; success rates fall further as project scale increases, while small, iterative projects succeed at approximately ninety percent.<sup>7</sup> Balter (2012), analysing the United States federal procurement context, demonstrated that regulations mandating complete upfront specification structurally force waterfall development methodologies that are incompatible with complex software delivery.<sup>8</sup> Kenya's regulatory architecture replicates this structural tension.
III. The Kenyan Evidence Base
IFMIS: Infrastructure Procured for Accountability, Deployed for Fraud
The Integrated Financial Management Information System (IFMIS) is the central instrument of public financial management in Kenya, governing expenditure across national and county governments. The Mashariki Research and Policy Centre's assessment of the system found that data is transmitted without encryption, leaving it "largely compromised and prone to interception and security breach."<sup>9</sup> Network architecture is described as "poor," with county downtime ranging from two to four days — a recurring operational condition in a system governing continuous public expenditure.<sup>10</sup>
The security failures are not incidental system defects. They are the predictable consequence of a procurement process that selected for price compliance rather than security architecture. Auditor-General investigations documented that middle-level staff were forging directors' signatures to create fictitious transactions — a fraud enabled not by breaking into the system but by exploiting its architectural weaknesses.<sup>11</sup> The 2016 Ministry of Health scandal, in which KES 5 billion remained unaccounted for, and the 2018 National Youth Service scandal, in which KES 1.8 billion was stolen through manipulated system payments, both required IFMIS as an enabling infrastructure.<sup>12</sup>
Data transmitted through the system in plain text without encryption was largely compromised and prone to interception and security breach.
— Mashariki Research and Policy Centre
The system was procured to a specification. The specification did not adequately capture the security and governance requirements that would have prevented these outcomes, because procurement frameworks do not provide contracting officers with the technical instruments to impose such requirements, evaluate bids against them, or enforce them post-award. A system designed to govern accountability became a mechanism for defeating it.
eCitizen: The Structural Risks of Monolithic Vendor Dependence
The eCitizen platform consolidates access to more than 22,000 government services. An Auditor-General investigation published in 2024 found that Sh9 billion had been lost through the platform and Sh2.57 billion in receipts could not be matched to corresponding invoices.<sup>13</sup> The platform experienced significant downtime in March 2026, September 2025, and January 2025, and was targeted in a cyberattack in 2023 that disrupted passport, visa, and transport services.<sup>14</sup>
A structural risk at least as significant as these operational failures is the ownership and control architecture. A Daily Nation investigation documented that Webmasters Kenya Limited retains operational control of the platform, and that the government itself lacks full operational ownership of the system serving the entirety of its digital service delivery.<sup>15</sup> This is vendor capture in its most consequential form: a single private entity holds exclusive operational knowledge of infrastructure on which millions of citizens depend for access to public services, and the government has no credible exit option.
This outcome is the direct product of monolithic single-vendor procurement. A competitive tender awards a large contract to a single supplier; the supplier's proprietary implementation creates dependencies that cannot be unwound; the vendor becomes, in operational terms, irreplaceable. The competitive logic that was meant to protect public expenditure produces its inverse: permanent monopoly through procurement.
Huduma Namba / NIIMS: Procuring Without Constitutional Authority
The National Integrated Identity Management System (NIIMS) represents a case in which procurement proceeded in advance of the legal and constitutional framework required to sustain it. Over Sh10 billion was expended before the High Court halted registration proceedings on 30 January 2020, finding the governing legal framework "inadequate and totally wanting" and striking down provisions for the collection of DNA and GPS data as unconstitutional.<sup>16</sup> The contract with French biometrics firm IDEMIA was later subjected to parliamentary censure. Funding was cut by eighty-four percent and the project was abandoned in favour of a successor initiative.
The procurement process had assumed a completeness of requirements — constitutional, legal, and operational — that was factually absent. Tender documents specified a system whose foundational design choices had not been resolved at the level of law. This is the specification paradox at its most consequential: the requirement to specify fully before procuring, applied to a system whose requirements are genuinely unknowable before the relevant deliberative and legal processes are complete.
KRA iTax and NHIF: Operational Fragility as a Procurement Outcome
Kenya Revenue Authority's iTax system experienced portal failures in the hours immediately preceding tax filing deadlines, preventing taxpayers from filing returns; the Ombudsman publicly urged the Authority to waive resulting penalties.<sup>18</sup> An internal audit found that 265 tax compliance certificates were automatically generated for taxpayers with outstanding liabilities — a control failure with direct revenue implications.<sup>19</sup> The National Hospital Insurance Fund experienced a complete system outage, leaving patients stranded, requiring manual fallback procedures, and generating queues inconsistent with the purpose of digital service delivery.<sup>20</sup>
These are not dramatic failures that attract sustained political attention. They are chronic. The systems were procured to specification and delivered as contracted. The specifications did not adequately capture resilience, security, and operational continuity requirements, because procurement frameworks provide no instrument for doing so. Post-award maintenance obligations were either absent from contracts or priced at levels that made meaningful ongoing support unviable. The operational fragility documented in audit findings is a direct output of procurement architecture, not a deviation from it.
IV. The Political Economy of Tenderism
Tenderpreneurship as Structural Outcome
The Ethics and Anti-Corruption Commission's 2023 National Ethics and Corruption Survey identified procurement fraud as "the most pervasive and damaging form of corruption impeding service delivery in Kenya."<sup>21</sup> The cultural construct of the "tenderpreneur" — documented in domestic press coverage — describes individuals whose competitive advantage lies not in technical capability but in proximity to procurement decision-makers and familiarity with the procedural requirements of the tender process.<sup>22</sup>
Tenderpreneurship is not an aberration from the procurement system; it is a rational response to its incentive structure. A system that evaluates bids primarily on written compliance with specifications, and awards primarily on price, creates demand for precisely the skills the tenderpreneur possesses: the ability to produce a compliant document at a competitive price, regardless of capacity to deliver. The separation between the ability to win a tender and the ability to execute a software project is not a failure of implementation. It is an architectural feature of commodity procurement applied to a non-commodity medium.
The Anglo-Leasing contracts — eighteen procurement arrangements valued at $751 million, awarded without competitive bidding, including a passport equipment system priced at approximately €6 million by a qualified supplier and awarded to Anglo Leasing Finance at €30 million — established a paradigm that subsequent procurement governance has modified procedurally without eliminating structurally.<sup>23</sup>
The Anglo-Leasing Lesson
The procedural reforms introduced after Anglo-Leasing increased formal compliance requirements. They did not alter the evaluation frameworks, technical oversight mechanisms, or accountability structures that would prevent equivalent outcomes from recurring in digitised form. The problem was never absence of process. It was absence of the right process.
Incumbent Advantage and Vendor Capture
The procurement framework's treatment of institutional scale as a proxy for delivery risk produces a structural advantage for large incumbents that understand tender compliance as a core competency. The Nightingale Enterprises case — in which a company with alleged links to a Communications Authority board official was awarded ICT Authority contracts for fibre optic laying, while a competitor alleged submission of forged documents and falsely claimed prior works — illustrates the gap between procurement compliance and technical capacity that this structure enables.<sup>24</sup>
Once large vendors achieve initial contract award, the switching-cost dynamics of software create durable dependencies. Proprietary data formats, undocumented integrations, staff knowledge concentrated in contractor personnel, and absent source code escrow arrangements mean that a government wishing to terminate an underperforming contract faces costs that make continuation economically rational regardless of performance.
Risk Asymmetry Among Contracting Officers
The asymmetric distribution of institutional liability generates rational individual behaviour that produces systematically irrational aggregate outcomes. An officer who awards a contract to an established large firm and the project fails can attribute failure to the contractor, the complexity of the requirement, or inadequate post-award management — diffuse and deniable causes. An officer who awards to a smaller, innovative firm and the project fails bears concentrated and visible liability. The rational individual strategy is to award to incumbents regardless of comparative performance evidence. KICTANet has documented that this dynamic structurally excludes innovation hubs and technically capable smaller enterprises from government ICT procurement markets.<sup>25</sup>
The Computer Society of Kenya identifies corruption as the primary cause of government ICT project failure, with resistance to change and inadequate infrastructure as secondary factors.<sup>26</sup> This ordering is empirically defensible but analytically incomplete. Corruption is the proximate cause in documented cases of fraud; it is enabled by structural conditions — risk asymmetry, evaluation frameworks insensitive to technical quality, absent post-award oversight — that commodity procurement produces.
V. Reform Efforts and Their Limitations
Kenya has undertaken a series of reform initiatives that reflect genuine recognition of the failures documented above. The Digital Economy Blueprint (2019) and the Digital Masterplan (2022–2032) establish a six-pillar framework for digital transformation, including commitments to open source development, interoperability standards, and Government Enterprise Architecture.<sup>27</sup> The establishment of an Open Source Programme Office — the first on the African continent — represents a meaningful structural commitment to reducing vendor capture risk and producing public goods from public expenditure.<sup>28</sup> The Kenya Stack initiative has produced operational open source implementations in the health sector, including KenyaEMR and IQCare, demonstrating the model's viability.<sup>29</sup>
These reforms are substantive. Their limitation is that they address procurement outputs — what software is built, by whom, and under what licensing conditions — without addressing the procurement framework itself. PPADA 2015 remains structurally unchanged. Open source policy coexists with commodity procurement practice; the same tender logic that produced IFMIS's security failures and eCitizen's vendor capture applies equally to the procurement of open source systems.
The e-Government Procurement rollout of July 2025 illustrates this dynamic. Procurement officers in Tana River, Kakamega, and Isiolo counties were migrated to a new digital system without transition periods, training provision, or offline fallbacks, immediately encountering login failures and connectivity barriers.<sup>32</sup> The initiative digitised the procurement process without addressing the underlying framework's incompatibility with software procurement — adding a digital interface to a commodity procurement architecture does not convert it into an adaptive one.
The IMF governance diagnostic mission, formally requested by Kenya following the September 2024 mass protests and completed in July 2025, is examining governance weaknesses in procurement, public financial management, and expenditure policy.<sup>33</sup> The Digital Governance Policy, scheduled for completion in December 2026, remains aspirational. The conditions that produced the failures documented here remain operative.
VI. Towards a Reconceptualisation
The reform literature converges on a set of procurement instruments that address software's distinctive characteristics. Modular contracting — the disaggregation of large single-vendor contracts into smaller components subject to competitive re-evaluation at each stage — reduces vendor lock-in and creates accountability at the level of individual deliverables rather than multi-year mega-contracts.<sup>34</sup> Statements of Objectives, replacing detailed Statements of Work, define the outcomes government requires rather than the technical processes by which they are to be achieved — a shift from commodity specification to outcomes governance.<sup>35</sup> Agile contract formats that accommodate iterative delivery, adaptive requirements, and structured post-award oversight have been developed and tested in comparable public administration contexts.<sup>36</sup>
None of these instruments can be fully adopted within PPADA's current architecture without legislative amendment. The recommendation arising from this analysis is that PPADA be amended to establish software as a distinct category of acquisition, governed by a dedicated regulatory framework that: mandates modular contracting for systems above a defined complexity threshold; requires Statements of Objectives in place of complete upfront technical specifications; establishes technical evaluation capacity within the PPRA sufficient to assess software quality independent of price; provides for mandatory source code escrow and government ownership of all publicly funded software; and requires open licensing as default for all government-commissioned development.
The establishment of technical capacity within procuring agencies is a necessary complement to regulatory reform. Without procurement officers capable of evaluating software architecture, security practices, and implementation methodology, price will remain the only legible evaluation criterion regardless of the regulatory framework. The ICT Authority's existing training mandates provide a foundation on which specialised procurement capability can be built.
Conclusion
The failures catalogued in this essay — the security vulnerabilities and fraud facilitation of IFMIS, the vendor capture of eCitizen, the constitutional failure of NIIMS, the operational fragility of KRA iTax and the NHIF system — share a structural origin that individual accountability cannot address. They are the predictable outputs of a procurement architecture that encodes a false theory of what software is: a specifiable, deliverable good amenable to competitive price adjudication. The PPADA's commodity logic is not intrinsically defective. It is misapplied.
The September 2024 protests that prompted Kenya to formally request IMF governance intervention were not protests about software procurement. They were protests about a government that had failed to deliver — on services, on fiscal responsibility, on the basic obligations of public administration. The digital systems that were meant to enable those deliveries had themselves failed, in ways that auditors had documented and that reform initiatives had not reached. The connection between procurement architecture and public legitimacy is not abstract. It runs directly from what procurement frameworks assume software to be, to what citizens experience when they interact with the software that results.
Until software is governed as a distinct category of institutional acquisition — adaptive, iterative, requiring continuous stewardship, and generating public goods that demand public ownership — the cycle will continue. The instruments for change exist. The analytical case is unambiguous.
References
- World Bank Group, Kenya Digital Economy Acceleration Project (KDEAP): Project Appraisal Document, Report No. PAD4858 (Washington, DC: World Bank, 2023).
- Ministry of Information, Communications and the Digital Economy, Kenya Digital Economy Masterplan 2022–2032 (Nairobi: Government of Kenya, 2022).
- Office of the Auditor General, Report of the Auditor-General on the Financial Statements of National Government Ministries, Departments and Agencies, 2023/2024 (Nairobi: OAG, 2024).
- Republic of Kenya, Public Procurement and Asset Disposal Act No. 33 of 2015, Section 3(1).
- Public Procurement Regulatory Authority, Public Procurement Manual for Information and Communications Technology (Nairobi: PPRA, 2019).
- Kent Beck et al., Manifesto for Agile Software Development (2001), agilemanifesto.org.
- Standish Group, CHAOS Report 2020 (Boston: Standish Group International, 2020).
- Ben Balter, "Towards a More Agile Government: The Case for Rebooting Federal IT Procurement," Public Contract Law Journal 41, no. 1 (2012): 149–171.
- Mashariki Research and Policy Centre, Assessing the Vulnerabilities of the Integrated Financial Management Information System (IFMIS) (Nairobi: Mashariki RPC, 2021).
- Ibid.
- Nation Media Group, "How Officials Manipulate IFMIS to Steal Public Funds," Daily Nation, March 14, 2019.
- Nation Media Group, "Treasury Moves to Clean Up IFMIS as Audit Reveals Weak Checks," Daily Nation, September 8, 2021.
- Office of the Auditor General, Report on eCitizen Platform Financial Controls, 2023/2024 (Nairobi: OAG, 2024); Nation Media Group, "E-Citizen Flaws Exposed: Sh9bn Lost, Sh2.5bn Illegally Collected," Daily Nation, February 2024.
- Standard Media Group, "eCitizen Platform Records Multiple Outages Disrupting Government Services," The Standard, January 2025.
- Nation Media Group, "State Owns eCitizen — How Did Platform End Up in Webmasters' Hands?" Daily Nation, March 2024.
- High Court of Kenya, Nubian Rights Forum & Others v. Attorney General & Others, Petition No. 56 of 2019 (consolidated), ruling of 30 January 2020.
- National Assembly of Kenya, Hansard Debates, March 2021.
- Kenya Times, "Kenyans Report KRA Portal Errors Just Hours to Filing Deadline," The Kenya Times, June 2023; Commission on Administrative Justice, Press Statement on KRA iTax System Failures, July 2023.
- Kenya Revenue Authority, Internal Audit Report on iTax System Controls, 2022 (cited in Auditor-General Annual Report, 2023).
- Business Daily Africa, "NHIF System Outage Leaves Patients Stranded," Business Daily, August 2022.
- Ethics and Anti-Corruption Commission, National Ethics and Corruption Survey 2023 (Nairobi: EACC, 2023).
- Standard Media Group, "The Making of Faceless Tenderpreneurs," The Standard, October 2018.
- John Githongo, Memorandum to President Mwai Kibaki on Anglo-Leasing (Nairobi: Office of the President, 2004), released publicly February 2005.
- Tech Africa News, "ICT Authority Contract Controversy: Nightingale Enterprises and Allegations of Forged Documents," Tech Africa News, 2022.
- KICTANet, Submission to the National ICT Policy Review: SME Access to Government Procurement (Nairobi: KICTANet, 2023).
- Computer Society of Kenya, "Why Government ICT Projects Fail," CSK Technical Bulletin, 2022.
- Ministry of Information, Communications and the Digital Economy, Kenya Digital Economy Masterplan 2022–2032.
- ICT Authority, Open Source Programme Office: Establishment and Mandate (Nairobi: ICTA, 2023).
- Centre for Intellectual Property and Information Technology Law (CIPIT), Strathmore University, "Digitising Service Delivery: Exploring Use of Open Source vs Proprietary Software by State Agencies in Kenya," CIPIT Policy Brief (Nairobi: Strathmore University, 2023).
- Institute of Economic Affairs Kenya, Implementing Open Contracting Data Standards in Kenya's Public Procurement (Nairobi: IEA, 2022).
- ICT Authority, Strategic Plan 2020–2024 (Nairobi: ICTA, 2021).
- People Daily, "The True Cost of Kenya's Rushed Digital Reforms," People Daily, August 2025.
- International Monetary Fund, "Kenya: IMF Staff Completes Governance Diagnostic Mission," IMF Press Release No. 25/233, July 2, 2025.
- 18F, General Services Administration, "Improving Government Outcomes Through an Agile Contract Format," 18f.gsa.gov, November 30, 2017.
- US Digital Service, TechFAR Handbook for Procuring Digital Services Using Agile Processes (Washington, DC: USDS, 2016).
- New America Foundation, "Reconceptualizing Public Procurement: Toward Outcome-Oriented Frameworks for State Benefits Delivery" (Washington, DC: New America, October 2022).