Demystifying the Microsoft SSPA Attestation Program
Unpacking the Microsoft SSPA Requirement
In today’s digital world, strong data privacy and security practices are the bedrock of information sharing and data processing by third-party vendors. Microsoft’s Supplier Security and Privacy Assurance (SSPA) program requires vendors that process Microsoft personal and/or confidential information to demonstrate compliance with Microsoft’s Supplier Data Protection Requirements (DPR) on an annual basis.(1)
Let’s look at how the program works from the vendors’ (or suppliers’) point of view. Each supplier makes Data Processing Profile selections that align to the goods and/or services they perform for Microsoft. These selections trigger corresponding requirements to provide compliance assurances to Microsoft before work is performed. These standards are communicated through the DPR and include various requirements applicable to each supplier profile.
The latest DPR guide (2), Version 8, was released by Microsoft in June 2022 and identifies 50 requirements across 10 domains.
Upon onboarding, and annually thereafter, all suppliers must submit a self-attestation of compliance with the DPR for Microsoft approval, in which the supplier responds to each requirement. Responses include “Compliant,” “Not Compliant,” “Not Applicable,” “Legal Conflict” and “Contractual Conflict.”
For lower-risk vendors, the annual SSPA exercise ends with Microsoft’s approval and acceptance of the self-attestation. For most suppliers, however, Microsoft demands a higher level of assurance, most often achieved through an independent assessment performed by a qualified assessor.
Next Steps: How To Engage an Independent Assessment
Not all assessors are equal. Qualified assessors, like Cherry Bekaert, must be affiliated with the International Federation of Accountants (IFAC) or the American Institute of Certified Public Accountants (AICPA), or must possess certifications from other relevant privacy and security organizations, such as the International Association of Privacy Professionals (IAPP) and the Information Systems Audit and Control Association (ISACA).(2)
Independent assessors will use the self-attestation submitted to and approved by Microsoft to conduct an audit to validate the self-attestation and provide assurance to Microsoft that it is accurate and compliant.
During the first year of the supplier’s DPR program, the qualified assessor tests the design of the process controls to ensure conformity with the DPR. Subsequent assessments test both the design and the operating effectiveness of the controls. Operating-effectiveness testing involves more substantive control testing and therefore a more rigorous audit, but a good assessor will facilitate it by clearly communicating the supporting evidence and testing requirements.
Once the testing has concluded, the qualified assessor issues an attestation report restricted to the supplier and Microsoft. Upon successful upload to the Microsoft portal, and approval from procurement, your status will remain “green” until it’s time to submit the self-attestation and undergo review in the subsequent year.
Taking a Closer Look: Data Protection Requirements
As previously mentioned, the 50 Microsoft DPRs are spread across 10 domains. Those domains are as follows:
Section A: Management – This section demonstrates your organization’s ability to operate in accordance with Microsoft’s contracts, documented instructions, awareness of security and privacy training, and best practices.
Section B: Notice – Should your organization handle, collect or retain personal data on behalf of Microsoft, these requirements govern the notice your organization provides to data subjects upon collection.
Section C: Choice and Consent – Privacy commitments extend into Section C: where applicable, the supplier obtains and records a data subject’s consent prior to collecting the data subject’s personal data. Organizations must also consider other applicable laws (e.g., EU laws).
Section D: Collection – This section requires the supplier to monitor the collection of Microsoft data to ensure that the only data collected is that which is required to perform agreed upon work, including obtaining data from children (subject to applicable privacy laws).
Section E: Retention – Retention requirements ensure retention of Microsoft data for no longer than necessary to perform agreed-upon work (unless required by law) and to return data to Microsoft or destroy data upon Microsoft’s discretion.
Section F: Data Subjects – Data subject requirements enable data subjects to exercise their rights under law, including the right to access, delete, edit, export, restrict and object to processing of data. This requirement also stipulates that organizations must have measures in place to respond to requests and obligations, as well as identifying data subjects exercising their rights.
Section G: Subcontractors – This section introduces requirements for a supplier’s use of a subcontractor to process Microsoft data. The supplier must notify Microsoft before a subcontractor performs work or is replaced. The supplier is responsible for documenting the confidential information or data that subcontractors handle, to the extent that data falls within the subcontractor’s scope of services.
Section H: Quality – The supplier must maintain processes and procedures to preserve data integrity for Microsoft’s Personal Data, ensuring accuracy, completeness and relevancy for the stated purposes.
Section I: Monitoring and Enforcement – Section I requirements focus on incident response and the organization’s ability to respond accordingly with documented procedures.
Section J: Security – The supplier must establish, implement and maintain an information security program that includes policies and procedures to protect and secure Microsoft Personal and Confidential Data in accordance with good industry practice and as required by law. The supplier is also required to perform an annual network security assessment, maintain scan results and change logs, and maintain access rights management procedures that prevent unauthorized access to any of Microsoft’s data.
More Than One Way To Reach Compliance: Acceptable Alternatives
Microsoft offers acceptable alternatives to verify DPR compliance if you have assurance mechanisms in place or want to pursue other compliance initiatives. Here are two alternative options to consider when making decisions about your Microsoft SSPA program requirements:
- International Organization for Standardization (ISO)
ISO 27701 (privacy) and ISO 27001 (security) are relied upon because they map closely to the DPR. If the scope of your services is covered by your ISO certification(s), a separate SSPA independent assessment is not required.(2)
- HITRUST
If a supplier is a healthcare provider in the U.S. or a covered entity, Microsoft will accept a HITRUST report for privacy and security coverage.(2)
Your customer base most likely extends beyond Microsoft, and those customers are probably unfamiliar with the Microsoft SSPA and DPR. As such, your annual SSPA audit is unlikely to fulfill vendor risk management requests beyond Microsoft. Moreover, the final report is confidential and restricted to your organization and Microsoft, so you cannot share it with other customers.
As a result, we recommend you leverage more widely adopted frameworks to meet the Microsoft SSPA requirements. These can include ISO, HITRUST and SOC 2. Advantages include:
- Reduced audit fatigue
- Enhanced marketability and organizational reputation
- A more cost-effective path to compliance
System and Organization Controls (SOC) 2 Reporting
A SOC 2 report is another popular mechanism to communicate your organization’s security posture and its ability to meet service level commitments. Since these reports are designed for service organizations, they can be an attractive and beneficial instrument. As with ISO, the controls and processes you use to achieve security and privacy can be included within the scope of the report. As a result, one audit can satisfy both Microsoft and customer requests, provided the scope of the report also includes the services you provide to Microsoft.
Note, Microsoft does not accept a SOC 2 report in lieu of the SSPA requirements. However, your qualified assessor can satisfy this requirement through a separate deliverable that will derive from the SOC 2 audit. As such, you can still maintain a cost-effective solution that reduces audit fatigue amongst your team.
How Cherry Bekaert Can Help
Compliance is the baseline and does not dictate your organization’s security and privacy program. Your organization should continually assess risk and implement the controls necessary to reduce risk or threats. As a result, when unique or specific compliance requirements such as the Microsoft SSPA arise, you can leverage your program and an assessor’s efforts to fulfill more widely known and accepted assurance mechanisms like ISO and SOC. Let Cherry Bekaert’s Information Assurance & Cybersecurity practice help design your security program to meet industry best practices and mitigate organizational risk. For more information about your Microsoft SSPA certification, SOC 2 report, ISO 27001 information security management system framework or other security and privacy assurance services, contact our risk advisors today.
(1) Microsoft Supplier Data Protection Requirements – https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4gQoY
(2) Microsoft Procurement, Supplier Security & Privacy Assurance (SSPA) Program Guide, Version 8, June 2022 – https://www.microsoft.com/en-us/procurement/sspa?activetab=pivot1%3aprimaryr6