Explained: Microsoft’s SSPA Program

Any supplier or vendor that does business with Microsoft must enroll in the Microsoft Supplier Security and Privacy Assurance (SSPA) program before beginning work with Microsoft. They will then be required to complete SSPA compliance each year.

If it’s the first time you’re being asked to provide the documentation to verify your compliance, it can be a bit daunting. Let’s break it down for you. We’ll explain what a Microsoft SSPA is, the cost and time involved, what it takes to pass the SSPA, and whether SOC or ISO assessments will satisfy the requirements.

What Is Microsoft SSPA?

SSPA, formerly known as the Vendor Privacy Assurance Program, is a Microsoft initiative to regulate data privacy for employees, customers, and vendors. You must submit documentation that you comply with SSPA and, in most cases, provide documentation from qualified third parties showing you have met the standards and requirements.

SSPA assesses vendors in three categories:

  1. Low Business Impact
  2. Moderate Business Impact
  3. High Business Impact

Depending on which category (data processing profile) your business falls into, it will dictate the data protection requirements (DPRs) and documentation that you need to provide to Microsoft.

Low Business Impact

If you are a vendor in this category, it means you are not handling personal information. You will need to complete the Microsoft Personal Information (MPI) inventory annually like all Microsoft vendors. However, you will not need to fulfill any other SSPA requirement.

Moderate Business Impact

If you handle Personally Identifiable Information (PII), you fall into the moderate impact category. Information can include:

  • Name
  • Address
  • Email Address
  • Phone Number
  • IP Address
  • Social Media Posts
  • Login IDs
  • Geolocation, biometric, or behavioral data

Vendors in the moderate business impact category are required to self-certify compliance with SSPA.

High Business Impact

High business impact vendors handle additional information besides those in the moderate category. This includes authentication credentials, credit card information, medical profiles, or financial reports. These organizations must also provide a Letter of Attestation from a qualified third party that they adhere to Microsoft’s DPRs.

The Cost and Effort Involved with a Microsoft SSPA

If you want to do business with Microsoft, you will need to comply with the SSPA requirement.

Complying with the SSPA may require you to get a third-party evaluation of your compliance to conduct business with Microsoft. An SSPA independent assessment can take a few weeks to a few months, so if you get an assessment letter from Microsoft, you will want to act quickly.

You only have 90 days from submitting your DPR self-attestation to provide a completed assessment. If deficiencies are discovered, you will also need to fix them before submitting them — which can also take time.

An assessment can be straightforward and efficient if you have the right governance in place and are complying with it. If not, the SSPA assessment process can be intense, time-consuming, and expensive.

It will depend on how prepared you are and whether you have the appropriate measurements and documentation already in place. That’s why most organizations will conduct an assessment before working with Microsoft or as soon as possible after starting to resolve any issues as quickly as possible.

How to Pass an SSPA Assessment

If you get a request from Microsoft to comply with SSPA, you will need to get an independent evaluation of your compliance. While Microsoft maintains a list of preferred assessors, you are not required to use one from the list and may pick your own qualified third party.

Qualified third parties need to be qualified to conduct Generally Accepted Privacy Principles (GAPP) assessments and a member of the American Institute of Certified Public Accountants (AICPA) or the International Federation of Accountants (IFAC) or have the appropriate certifications from the International Association of Privacy Professionals (IAPP) or the Information Systems Audit and Control Association (ISACA).

Your best strategy for an SSPA assessment is preparation. A third-party assessment company will handle the preparation and documentation necessary to fulfill the requirements.

An assessment will look at how you collect, handle, store, and use data and probe for gaps across fifty-six separate DPRs. Most requirements fall in the areas of security, data subjects, and disclosure to third parties.

Here are some of the common topic areas where gaps are found:

  • Data classification, retention, and deletion
  • User access, identification, and management practices
  • Security, threat identification, and data loss prevention
  • DPR compliance oversight
  • Disaster recovery and business continuity planning (and testing)

If any gaps are discovered, the assessment company can provide recommendations for remediation so that you can correct any deficiencies. The third-party attestation must be unqualified. In other words, you must resolve any non-compliant issues before the confirmation letter can be submitted.

How Much Evidence Does a SSPA Assessment Require?

According to the SSPA Program Guide, the required controls should be assessed over a period of time. This means that the assessor should inspect samples over a period of time to opine on both the design and operating effectiveness of the controls.

If it is your first SSPA assessment, the assessor is permitted to perform a point-in-time assessment which only requires looking at enough evidence to demonstrate that the controls have been designed and placed in operation.

Can SOC or ISO Assessments Satisfy SSPA Requirements?

The short answer is maybe.

If you process only Microsoft confidential data and no personal data, ISO 27001 Certification or SOC 2 Type 2 reports will satisfy the requirement currently. If you process confidential data and personal data, you will need to be assessed for compliance with all the DPR requirements.

However, Microsoft has announced that they will no longer accept SOC 2 reports with security coverage as appropriate documentation beyond December of 2021. Going forward, they will accept ISO 27001 certification in lieu of the security portion of the DPR and ISO/IEC 27701 in lieu of the privacy portion of the DPR.

If you attain both ISO 27001 and ISO/IEC 27701 certifications together, you should satisfy Microsoft SSPA requirements.

Will I Need Other Certifications or Assessments?

Your SSPA assessment will uncover whether you need other certifications to do business with Microsoft. If you handle payment card information on Microsoft’s behalf, for example, you must be certified to comply with PCI DSS standards.

If you provide Software as a Service (SaaS) to Microsoft, you will also need a valid ISO 27001 certificate. However, Microsoft no longer requires separate third-party data center certification.

According to its SSPA Program Guide, Microsoft considers subcontractors a high-risk factor in evaluating organizations. Suppliers or vendors that use subcontractors to process data covered by the DPR must notify Microsoft.

SSPA Compliance

SSPA compliance can be complex. An assessment will help you navigate the intricacies of Microsoft’s SSPA policies and ensure you are in full compliance, so you can focus your energy on growing your business. If you need help preparing for, or completing, an SSPA assessment, contact us today!