This article was updated on October 9, 2023, to reflect Version 8 (released August 2022).
Since the emergence of specialty service providers, data sharing between companies has grown at an exponential rate. As a result, specialty service providers are increasingly being asked to demonstrate their ability to protect confidential corporate data and private personal information as a condition of being hired.
Microsoft, which relies on specialty service providers extensively, has been a leader in driving compliance practices around security and privacy concerns with its Supplier Security and Privacy Assurance program (SSPA). According to the program guide, “SSPA is a partnership between Microsoft’s Procurement, Corporate External and Legal Affairs, and Corporate Security groups to ensure privacy and security principles are followed by its suppliers.”
Any supplier that processes Microsoft’s confidential information or the personal data of its employees and/or customers must comply with this program as a condition of being hired by Microsoft. And, while the SSPA program was designed to be a one-size-fits-all solution, the steps in the annual compliance cycle can vary greatly depending on the type of information being processed, the data’s location, and the size of the organization.
What follows is general information to help suppliers navigate the SSPA program and better understand the flow of a single compliance cycle with the SSPA program, from beginning to end.
Components of the SSPA Process
First, let’s understand the various components and major steps in the process. Each compliance cycle involves (a) an update to the supplier profile, (b) an update to individual requirements of the SSPA program by Microsoft, known as the Data Protection Requirements (DPR), (c) an annual self-attestation to a supplier’s compliance with the DPR, and, in some circumstances, (d) an independent assessment, also known as an audit.
Let’s look at each one in turn.
An SSPA profile gives buyers at Microsoft a variety of information about compliant companies and helps them understand which suppliers are able to fulfill different Statements of Work (SOWs), based on the specifications required. Profiles contain information like where a supplier is located, the relative size of the supplier, and the supplier’s current SSPA status (green for compliant, red for non-compliant), but they also answer more specific questions like the following, among others:
- Is this supplier approved to process both personal and confidential information, or just one or the other?
- Is this supplier able to process information outside of a Microsoft-controlled environment?
- Is this supplier approved to use subcontractors?
- Does this supplier use freelancers?
- Is this supplier an approved Software-as-a-Service (SaaS) provider?
As referenced in the first question above, the SSPA program classifies data handled, or “processed” in the SSPA vernacular, into two main categories: Personal Data and Confidential Data. These are defined terms, and Microsoft provides several examples of each in the SSPA Program Guide:
Personal Data ranges from simple contact information to government identification numbers and credit card/bank account numbers.
Confidential Data refers to pre-release marketing information on unannounced Microsoft products; information relating to the development, testing, or manufacture of Microsoft products, which includes software and other intangible products; as well as unannounced corporate financial data, among others.
The data provided is used to build a profile for each supplier. The SSPA program has 10 defined profiles (as of Version 8 of the program, released in August 2022). Each profile is designed to help Microsoft buyers understand which suppliers can perform on SOWs they are creating. And each profile comes with a unique set of compliance responsibilities.
Suppliers can update their profile at any time, so long as they do not have an open task in the SSPA compliance portal. An open task represents an incomplete self-attestation or independent assessment, described further below. Suppliers should be aware that changing the answers to these questions may change the pre-defined profile assigned to them. For example, while changing a profile from Confidential Data only to both Personal and Confidential Data may allow a supplier to perform more work for Microsoft, it may require additional compliance steps as well.
Data Protection Requirements
At the heart of the SSPA program is the Data Protection Requirements, or DPR. The DPR is a list of 50 requirements (as of Version 8 of the program, released in August 2022) broken into 10 topical sections. Among them are the following:

| Section | Number of Requirements |
|---|---|
| Choice and Consent | 2 |
| Disclosure to Third Parties | 8 |
| Monitoring and Enforcement | 3 |
The DPR is typically updated once a year, in November. The topics noted above have been consistent since 2017, but the specific requirements have had subtle modifications over the years. In addition, the evidence expected to be provided to demonstrate compliance is updated each year as well.
Depending on the assigned profile, the list of requirements presented in the DPR task may include only a subset of the 50-requirement program. For example, suppliers that handle sensitive Confidential Data but do not handle Personal Data are only required to attest to their compliance with Sections A, E, and J. The other sections relate primarily to the handling of Personal Data and are therefore excluded from the self-attestation task entirely.
Regardless of the profile to which a supplier has been assigned, if they process any kind of Personal Data or Confidential Data they must review and complete a self-attestation of their compliance with the DPR once a year. The launch of the self-attestation task, also referred to by Microsoft as the DPR task, generally coincides with the supplier’s anniversary date as a supplier with Microsoft.
Upon receiving the self-attestation task, a supplier will need to review each requirement and select from the following possible answers: Compliant, Does Not Apply, Local Legal Conflict, or Contractual Conflict.
Compliant and Does Not Apply are the two most common answers. If a supplier selects Does Not Apply, the supplier must add an explanation for why the requirement does not apply. For example, a requirement that does not apply to many suppliers is requirement 50, which relates to anonymizing personal data used in a test or development environment. A response of Does Not Apply should be accompanied by an explanation such as “Supplier does not utilize personal data in a test or development environment in our work for Microsoft.” Upon completing the task, the supplier submits their responses.
The SSPA team then reviews the supplier’s submission. This review focuses on any responses other than Compliant. Reviewers check the engagement activity associated with the supplier account to validate a selection of Does Not Apply, and may ask for clarification of one or more selections. As such, it is important for suppliers to be detailed in their explanations. Local Legal Conflict and Contractual Conflict are only accepted if supporting references are provided and the conflict is clear.
Suppliers have 90 days to complete the self-attestation task. If the task is not submitted within this timeline, the supplier’s status turns red and no new purchase orders can be processed until the status returns to green. The self-attestation task is meant to be completed and approved by the SSPA team before the independent assessment, which we cover next. The independent assessment goes much more smoothly when the supplier has the scope of requirements pre-approved by SSPA: the assessor can use that scope as a starting point, and fewer questions arise when the independent assessment is ultimately reviewed and approved by Microsoft.
In addition to the self-attestation task, certain defined profiles also require an independent assessment task to be completed. This step provides third-party verification that a supplier is compliant with the SSPA program. The task is generally launched following completion of the self-attestation task. It is the supplier’s responsibility to find and hire an assessor at their own cost; Microsoft publishes a list of pre-approved assessors. The independent assessment task must be completed within a 90-day window, although a one-time extension of 90 days is generally available upon request.
It is important to note that the self-attestation and the independent assessment are separate steps, but they cover the same 50-requirement program. The self-attestation is required of all suppliers in the Microsoft ecosystem that handle sensitive information, but the independent assessment is only needed by a subset of those suppliers. For purposes of the self-attestation, a supplier stating that it is compliant with a requirement means that it has a practice in place to address the underlying issue. For purposes of the independent assessment, a supplier must not only have a practice in place to comply with the applicable requirements, but must also have evidence that can be presented to an assessor to demonstrate that compliance.
For example, Section E of the program has to do with retention of data. To comply with the requirements in this section, generally, a supplier will need to have a practice around destroying data in accordance with the terms and conditions in their statements of work with Microsoft. An unwritten routine is sufficient for compliance with the self-attestation, but a higher standard of documentation is required for the audit. This additional documentation can be a policy, a flow chart, a screenshot of a system used to manage retention/destruction of data, etc.
The assessor completes the independent assessment and issues a report. The report is brief and provides a summary of the supplier’s compliance with the DPR, as opposed to a detailed presentation of evidence for each requirement. The supplier then submits the assessor’s report to Microsoft through the compliance portal. As with the self-attestation task, if the independent assessment is not submitted on time, the supplier’s status changes to red, and no new purchase orders can be processed until the status returns to green.
This process is repeated on an annual basis centered around the supplier’s anniversary date as a supplier for Microsoft. Assuming a supplier continues to process the same kind of information and perform the same kind of work for Microsoft, they can expect to complete the same steps on an annual basis. On the other hand, if a supplier’s work changes, they will have an opportunity to update their profile, which may cause changes to the number of requirements scoped into the DPR task and may change the necessity of the independent assessment task.
The SSPA program serves as a stage gate in the procurement process for Microsoft. At a minimum, the SSPA program provides assurance to Microsoft about the ongoing state of security and privacy controls in place at its suppliers. Beyond that, the program helps suppliers understand the additional responsibilities that come along with new work awarded to them and helps Microsoft make sure those requirements are in place prior to the work commencing.
If you have questions about SSPA compliance and what your next steps should be, send me an email and I’d be happy to connect.
©2021 Clark Nuber PS. All rights reserved.