Achieving Microsoft SSPA Compliance: A Supplier’s Guide to Newly Released FY25 Updates & AI Compliance

Authored by Anthony DiGiulian | Director

As a Microsoft supplier, safeguarding personal and/or confidential data entrusted to you by Microsoft is critical. To ensure the highest level of data protection, Microsoft requires its suppliers to demonstrate their compliance with the Supplier Security and Privacy Assurance (SSPA) program. This is performed annually through self-attestation and Independent Assessment (InA), as applicable.

As industry standards and customer expectations evolve, the latest updates to the Data Protection Requirements (DPR) and the SSPA program will affect your organization and its related tasks. Read on to understand the impacts on your business and what steps you need to take to stay compliant.

Updates for Compliant Use of AI Systems

On September 23, 2024, FY25 Data Protection Requirements (DPR) v.10 and AI Compliance updates went live. These updates address how to improve security and promote responsible and compliant use of AI Systems at or on behalf of Microsoft.

Here’s what the updates entail:

  • There are new security requirements for Multi-Factor Authentication (MFA), code scanning, and personnel training. For more information, please see Section J of the DPR. These changes impact all suppliers, while the addition of AI compliance in Section K only applies to those using AI Systems.
  • The Scope for SSPA enrollment was expanded. All AI Systems suppliers who process non-dummy data, and manage, own, or subcontract for AI Systems are required to enroll and get compliant with the SSPA DPR and InA before data processing begins. As a reminder, non-dummy data is real, authentic data that is representative of real people and businesses.
  • New AI Systems requirements were added in Section K of the DPR. These requirements state that suppliers must indicate on their SSPA Profile that their Microsoft engagement utilizes AI Systems.
  • AI Systems Suppliers must use a Preferred Assessor to complete their independent assessment and upload an unqualified Letter of Attestation of compliance before work can begin.
  • If the AI Systems service delivery includes Sensitive Use, the engagement is required to undergo a Sensitive Use internal review by the Microsoft Office of Responsible AI. If it is confirmed that the service includes an AI Sensitive Use scenario, the Supplier must provide an ISO 42001 certification, which can also be used as a substitute for the InA of Section K of the DPR.

    Sensitive Use of AI is when the reasonably foreseeable use or misuse of an AI System could affect an individual in any of the following ways:
    • Consequential impact on legal position or life opportunities
    • Risk of physical or psychological injury
    • Threat to human rights

Key Updates From DPR v9

As a reminder, a key update to the previous 2024 DPR v9 was the designation of processing PHI data as a high-risk activity. Therefore, suppliers handling PHI data for Microsoft need to note these updates:

  • An independent assessment is required annually to verify your compliance with the DPR.
  • PHI specifics were added to the “personal data by data type” table, included and defined within the latest SSPA program.
  • These requirements were introduced to enhance supplier accountability and responsibility when handling PHI data:
    • DPR v9 #5: Demonstrable sanctions must apply when an employee fails to comply with privacy and security company policy.
    • DPR v9 #13: When a supplier receives data with reduced identifiability, they’re not to re-identify but to maintain the data in the state received.

Microsoft also introduced the subprocessor role. Subprocessors are subcontractors hired by Microsoft to perform work that may require access to data managed by suppliers. The subprocessor role is added to a supplier account based on identification and approval by internal privacy teams. Subprocessors help enforce supplier adherence to data protection and security rules.

Steps Suppliers Must Take for FY25 & AI Compliance

All suppliers should start by visiting the SSPA homepage and downloading DPR v10 and the FY25 SSPA Program Guide to review applicable requirements. AI System Suppliers should also download and review the AI Systems Section K requirements.

Suppliers with an SSPA Anniversary date after September 23, when the FY25 v10 requirements launched, will be assigned new tasks on their Anniversary date, after updating their supplier profile. If the AI Systems use is considered high risk based on SSPA’s review, the supplier will need the new AI Systems approval, which can be obtained by completing the FY25 DPR and InA.

If your services include AI Systems, whether published by you or by your subcontractor, you will need to complete FY25 DPR Section K and the InA with a Preferred Assessor, regardless of your anniversary date. Both the FY25 DPR Section K and the InA must be completed before a PO can be opened or any data processing can begin.

Benefits of a Microsoft Preferred Assessor for Your SSPA

Stay ahead of the curve with the latest Microsoft DPR and SSPA updates. With evolving requirements and increased scrutiny, supplier accountability is necessary, and a Microsoft-preferred assessor like SC&H can streamline your SSPA journey.

Annual attestation and independent assessments are required for all Microsoft suppliers who meet the data processing requirements defined within the approvals section of the SSPA program. Instead of trying to figure things out on your own, work with an experienced third-party assessor who can help your organization simplify and accelerate the SSPA certification process (or become a supplier).

Businesses that partner with us for SSPA Assessments will:

  • Achieve SSPA compliance in 60 days or less
  • Have access to knowledgeable experts well-versed on the latest DPR requirements
  • Implement efficient, automated processes with cloud-based technology
  • Gain exceptional service at a competitive price aligned with your budget

To learn more or to speak with an SC&H SSPA expert, please send us a message.

SSPA Compliance in 60 Days or Less

Achieve SSPA compliance faster with a Microsoft-preferred assessor
so you can stay focused on growing your business.

Speak with an SSPA Expert Today
