Authored by Ryan Sefchick | Staff IT Risk Management Consultant
As a Microsoft supplier, safeguarding personal and confidential data entrusted to you by Microsoft is critical. To do so, Microsoft requires its suppliers to demonstrate their compliance with the Supplier Security and Privacy Assurance (SSPA) program, outlined in the Data Protection Requirements (DPR).
Microsoft released Version 12 of its DPR in March 2026. If you’re an enrolled Microsoft supplier, here’s what you need to know before your next SSPA cycle to ensure you stay compliant.
What changed in Microsoft DPR v12?
Most of the DPR remains familiar. For suppliers operating against prior versions, Version 12 is better understood as a targeted update rather than a full rewrite. The total requirement count moved from 67 to 63, reflecting a few removals and consolidations plus two net-new additions, found in Sections J and K.
These changes clarify expectations, add a more explicit network security requirement, and refine AI-related obligations for suppliers using AI systems.
Key changes at a glance

Now, let’s take a deeper look at what this means when preparing for your next SSPA cycle.
The biggest change in v12: Network security (Section J)
The most notable baseline change appears in Section J, and it applies to all suppliers. Microsoft now states network security expectations more explicitly through a new standalone requirement that covers:
- Secure transmission across networks
- Traffic segmentation to reduce risk exposure
- Maintained network diagrams and configuration baselines
- Separation of network administration responsibilities from general IT operations
Since these are now captured in a dedicated requirement and no longer implied across other sections, each element is independently assessable and needs to be addressed on its own. Before your next assessment, confirm your documentation covers each one specifically.
What changed for suppliers using AI systems (Section K)?
Version 12 places added attention on suppliers that use AI systems in connection with Microsoft. Section K is more streamlined, consolidating several requirements to reduce duplication, with greater emphasis on governance and transparency.
Two changes in particular are worth calling out.
- Prohibited practices added: New requirement stating that suppliers must not design, develop, deploy, or use AI systems for Microsoft work if those systems fall into a prohibited-practice category.
- Red teaming removed: The red teaming requirement from Version 11 has been removed. This signals a shift away from a single testing expectation and toward broader operational accountability across the AI system lifecycle.
Broader AI incident response expectations
Microsoft’s updated language makes clear that AI incidents are not limited to traditional cybersecurity breaches. Suppliers should be prepared to respond when an AI system behaves in a way that affects its intended use, reliability, safety, or expected performance.
That may include system failures, harmful or incorrect outputs, hallucinations, misuse, or other issues that show the AI system is not operating as intended. Version 12 continues to expect documented response procedures, including notification, rollback capability, feature shutoff support, update processes, and communication planning.
Additional updates to the SSPA Program Guide
Beyond Sections J and K, Version 12 also includes updates to the SSPA Program Guide worth noting.
New definitions for AI supplier roles
The Program Guide now explicitly defines two types of AI system suppliers: Publishers, who develop or own the AI system, and Deployers, who use a third-party AI system to deliver their services. Independent assurance requirements apply to both.
Key changes to sensitive data classifications
The Program Guide has reorganized how data types are classified. Sensitive Personal Data and Protected Health Information were added to the Highly Confidential classification, and End-user Pseudonymized Information was moved to its own category. Suppliers handling these data types should confirm that their processing profiles and controls reflect these updated classifications.
Non-compliance now has formal consequences
Version 12 also introduces explicit sanctions language. Suppliers who fail to provide evidence of compliance upon request, or who do not respond to incident requests, may now be formally placed in Red Status. This consequence existed in practice before, but its formal inclusion in Version 12 signals that Microsoft intends to enforce it more explicitly going forward.
What suppliers should do now
If you’re preparing for your assessment, start by downloading DPR Version 12 and the FY26 SSPA Program Guide from the SSPA homepage to confirm which requirements apply to your services. If you use AI systems in connection with Microsoft work, pay close attention to Section K and be prepared to clearly show how you govern, monitor, and respond to AI-related risks.
This is also a good time to review your current evidence, policies, and internal procedures against Version 12 and make any updates needed before your next SSPA cycle.
How a Microsoft preferred assessor can help
As Microsoft’s requirements continue to evolve, working with an assessor who already understands the SSPA program can help suppliers move more efficiently through the review process.
At SC&H, we help organizations understand what applies to them, identify potential gaps, and prepare practical evidence that supports a smoother assessment experience.
We help you:
- Achieve SSPA compliance in 60 days or less
- Have access to knowledgeable experts well-versed in the latest DPR requirements
- Implement efficient, automated processes with cloud-based technology
- Gain exceptional service at a competitive price aligned with your budget
SSPA Compliance in 60 Days or Less
Achieve SSPA compliance faster with a Microsoft-preferred assessor so you can stay focused on growing your business.