Understanding Microsoft’s SSPA Program and the DPR

September 1, 2021 | Privacy

Millions of companies around the globe rely on Microsoft products for their business processes. Over 1.3 billion devices run Windows 10, and Office 365 is one of the most widely used business tools of all time. Given how deeply Microsoft products are embedded in the tech and business worlds, privacy and security are paramount for Microsoft's vendors and suppliers. 

Microsoft’s Supplier Security and Privacy Assurance (SSPA) program was created to communicate Microsoft's data processing instructions to its suppliers. The Data Protection Requirements (DPR) are the requirements that certain members of the program must conform to. These requirements include privacy controls like notice, choice and consent, and data retention, as well as security controls like access management, vulnerability management, and data loss prevention. 

Typically, the Microsoft suppliers that are required to participate in the program are those who collect, store, or process Microsoft Personal or Confidential Data. Microsoft Personal Data is defined as any Personal Data processed by or on behalf of Microsoft and includes any information referring to a data subject, such as customer content data, captured and generated data, and account information. Microsoft Confidential Data includes any data which, if compromised, could result in financial or reputational loss for Microsoft, such as product development data or pre-release marketing information. 

Suppliers must be enrolled in the SSPA program before they begin working with Microsoft. Depending on the classification of the data the supplier handles, suppliers are often required to provide Microsoft with an independent third-party assurance report that assesses their controls against the DPR. That third-party assessment is one of the services we offer here at BARR. 

The Process

When a company becomes a Microsoft supplier, they are asked to complete a Microsoft Personal Information (MPI) inventory to determine the type of data they handle. Depending on the type of data, the SSPA reporting guidelines group vendors into three categories: high business impact, moderate business impact, and low business impact. Let’s take a closer look at these groups: 

  • Low business impact: Suppliers are considered low business impact if they do not handle any personal information. Typically, Microsoft does not require further action for low business impact suppliers. 
  • Moderate business impact: Suppliers are considered moderate business impact if they handle personally identifiable information (PII) that is not highly sensitive, such as names, addresses, phone numbers, and email addresses. Suppliers in this group must adhere to the DPR and are required to self-certify compliance within 90 days of submitting the MPI inventory (beginning with their second compliance cycle), and annually from that point on. 
  • High business impact: Suppliers are considered high business impact if they handle highly sensitive PII, such as credit card numbers, financial profiles, medical profiles, and authentication credentials. High business impact suppliers must adhere to the DPR and submit a letter of attestation from an approved third party within 90 days of submitting the MPI inventory. 

For high business impact organizations, the time it takes to obtain an attestation against the Microsoft DPR varies from company to company and depends on factors such as the organization’s current security posture, its size, and its complexity. An organization can significantly reduce the time spent preparing for the attestation if it already holds a SOC 2 report and has kept those controls in place. For a brand new Microsoft supplier with no previous security certifications, it typically takes one month to complete a readiness assessment, two to three months to implement the required controls, and one month for the third-party auditor to complete the independent assessment. 

The Microsoft DPR overlaps significantly with ISO 27001 (the information security management system standard) and ISO 27701 (the privacy extension to ISO 27001). In some cases, Microsoft allows suppliers subject to the DPR to substitute an ISO 27001 and ISO 27701 certification for an independent assessment against the DPR. While obtaining an ISO certification is a significantly larger undertaking than a DPR assessment, ISO is an internationally recognized framework. BARR performs both ISO certifications and independent assessments against the DPR, and we can help you determine which assessment is the best fit for your organization. 

BARR’s Approach

Here at BARR, we do everything we can to help organizations meet SSPA program requirements and comply with the DPR as smoothly as possible. For companies considering working with Microsoft in the future, we recommend starting with a readiness assessment against the DPR as soon as possible to get a head start. The sooner your gaps are identified, the better. As part of the readiness assessment, we’ll dig through your environment, conduct walkthroughs, and identify the gaps that need remediation. 

Even if your organization isn’t considering working with Microsoft in the future, a readiness assessment using the DPR framework has other benefits: because the DPR's privacy requirements overlap substantially with GDPR obligations, it will get you fairly close to meeting GDPR requirements. With GDPR compliance becoming a goal for more organizations, a DPR readiness assessment can give your organization internal assurance that you’re meeting any GDPR requirements you may be subject to. 

As part of our readiness assessments, we can also map your organization’s controls to frameworks outside the DPR (such as SOC, ISO, HITRUST, etc.) and identify gaps, so that you’ll know specifically what you need to implement to meet those additional frameworks. We take a “test once, use many” approach to our engagements, so you can work towards meeting the requirements of multiple frameworks after going through a single readiness assessment.

Whether you’re a current Microsoft supplier, interested in becoming one, or simply want to improve your organization’s security posture using the Microsoft DPR, BARR can help. Contact us for a quick and free consultation today. 
