Blog CategoriesIndustrySecurityStrategy

Successfully Navigating a Microsoft SSPA and DPR Assessment

Along with being one of the largest employers in the greater Seattle area, Microsoft has also helped create a wide network of local vendors and suppliers — all of which are required to meet compliance standards. These standards are included in the Microsoft Supplier Security and Privacy Assurance (SSPA) Program in the form of the Microsoft Supplier Data Protection Requirements (DPR), which EXP has experience helping clients with. There are 56 requirements in all, and many can be bewildering to non-technical readers. Companies must confirm compliance with each one, and any noncompliance can put the company in danger of losing its vendor status  a major concern to say the least.  

Microsoft’s corporate program for delivering data processing instructions is called Supplier Security and Privacy Assurance (SSPA), with the instructions coming in the form of the Microsoft Supplier Data Protection Requirements (DPR). Vendors who want to work with Microsoft must participate in the SSPA program, which includes annual compliance reports.  

The SSPA and DPR compliance requirements focus primarily on two things: 


 1.  Protection of Personal Data 

Microsoft wants suppliers to take great care with Microsoft users personal data if they collect it. Among other things, they are primarily concerned with: 

  • Contractual coverage for personal data collection 
  • “Required to perform” data collection only 
  • Consent management 
  • Privacy policy notification 
  • Data retention and destruction 
  • Data anonymization 
  • Data subject rights (right to be forgotten, formal complaint process, etc.) 
  • Breach notification 


2.  Cyber security 

Microsoft wants suppliers to distinctly assign responsibility for cyber security and data protection, and the DPR includes a requirement to provide privacy and security awareness trainingEXP is here to help your company meet these requirements and implement the best practices in cyber security. 


How EXP Can Help with Microsoft SDPR 

The good news is that all Microsoft cyber security requirements align with the NIST (National Institute for Standards in Technology) recommendations we have been advocating over the last three years. These include: 

  • A formalized cybersecurity program 
  • Annual risk assessment and change control 
  • On-going “evergreen” security plan 
  • Mandatory security awareness training 
  • Written security policy 
  • Written cyber security incident response plan 
  • Annually tested disaster recovery and business continuity plans 
  • Firewall with intrusion prevention 
  • Vulnerability scanning 
  • Data encryption at rest and in transit 
  • Asset management 
  • Next-generation anti-virus and anti-malware 
  • Data classification and data loss prevention 
  • Rights management 
  • Patch management 
  • Multi-factor authentication 
  • Mobile device management 


Fortunately, most of the tools required to meet these requirements are now available in office 365 and we can help suppliers identify the correct subscription and fill any compliance gaps you may have. For more information, email or contact Pat Cooke, CISSP, EXP’s security practice leader.