CONTACT US
SC&H / Insights / Achieving Microsoft SSPA Compliance: A Supplier’s Guide to DPR v9 Updates

Achieving Microsoft SSPA Compliance: A Supplier’s Guide to DPR v9 Updates

BlogRisk
Updated on: March 20, 2024

By Anthony DiGiulian, Director | Risk

As a Microsoft supplier, safeguarding the data entrusted to you by Microsoft and its customers is important. To ensure the highest level of data protection while reducing risk, Microsoft requires its suppliers to demonstrate their compliance with the Data Protection Requirements (DPR) and the Supplier Security and Privacy Assurance (SSPA) program. This is performed annually through self-attestation and independent assessment.

In line with evolving industry standards and customer expectations, the latest updates to the DPR and SSPA program will affect your organization and its related tasks. Read on to understand the impacts on your business and how to respond.

11 DPR Requirement Updates in 2024

The 2024 DPR version 9 (v9) has enforced 11 changes to existing requirements involving language refinements and clarifications, including the integration of protected health information (PHI) data:

  1. DPR v9 #2: Supplier must have a documented privacy and security program.
  2. DPR v9 #4: Supplier must have a documented privacy and security training program.
  3. DPR v9 #27: Supplier must limit subcontractor access to personal data.
  4. DPR v9 #36: Supplier must conduct network assessments at least annually.
  5. DPR v9 #38: Supplier must maintain an inventory of assets that store, process, or transmit personal data.
  6. DPR v9 #39: Supplier must implement access management controls for personal data.
  7. DPR v9 #40: Supplier must implement encryption controls for personal data.
  8. DPR v9 #41: Supplier must implement backup and recovery controls for personal data.
  9. DPR v9 #43: Supplier must implement logging and monitoring controls for personal data.
  10. DPR v9 #45: Supplier must implement incident response and notification controls for personal data.
  11. DPR v9 #52: Supplier must comply with Microsoft security standards.

New and existing suppliers must adhere to these updated requirements in FY24. If you’re a supplier who processes PHI data, there is additional complexity and scrutiny of your data protection and security compliance.

New Requirements for Suppliers Processing PHI Data

A key update in the 2024 DPR v9 is the designation of processing PHI data as a high-risk activity. Therefore, suppliers handling PHI data for Microsoft should also note the following updates:

  • An independent assessment is required annually to verify your compliance with the DPR.
  • PHI specifics have been added to the “personal data by data type” table included and defined within the latest SSPA program.
  • Two new requirements have been introduced to enhance supplier accountability and responsibility when handling PHI data:
    • DPR v9 #5: Demonstrable sanctions must apply when an employee fails to comply with privacy and security company policy.
    • DPR v9 #13: When a supplier receives data with reduced identifiability, they’re not to re-identify but to maintain the data in the state received.

Microsoft has also introduced a subprocessor role. Subprocessors are subcontractors hired by Microsoft to perform work that may require access to data managed by suppliers. The subprocessor role will be added to a supplier account based on identification and approvals from internal privacy teams. Subprocessors will help enforce supplier adherence to the data protection and security rules.

Benefits of a Microsoft Preferred Assessor for Your SSPA

Annual attestation and independent assessments are required for all Microsoft suppliers who meet the data processing requirements defined within the approvals section of the SSPA program. Working with an experienced third-party assessor can help organizations simplify and accelerate the SSPA certification process (or become a supplier), including:

  • Achieving SSPA compliance in 60 days or less
  • Accessing knowledgeable experts versed on the latest DPR requirements
  • Implementing efficient, automated processes with cloud-based technology
  • Gaining exceptional service at a competitive price aligned with your budget

Stay ahead of the curve with the latest Microsoft DPR and SSPA updates. With evolving requirements and increased scrutiny, supplier accountability is necessary, and a Microsoft-preferred assessor can streamline your SSPA journey. To learn more or to speak with an SC&H SSPA expert, please send us a message.

Related Insights

Blog

What is Microsoft Fabric? The AI-Powered Tool for Advanced Analytics

Blog | Case Study

Driving Growth: How a Trucking Company Increased its Revenue by 41%

Blog

2023 Community Impact Report: Empowering Change Through Community Service

Blog

6 Key Value Drivers for Pump Distribution Companies During M&A

VIEW MORE INSIGHTS

Subscribe to our Insights

A collection of insights about our capabilities, solutions, people, and client successes.

SERVICES

Accounting

Advisory & Transformation

Audit

Capital

Risk

Tax

Technology

Wealth

ABOUT

Client Experience

Community Impact

INSIGHTS

Press Releases

In the News

Events

INDUSTRIES

LEADERSHIP TEAM

CAREERS

CONTACT

© 2024 SC&H Group, Inc. All Rights Reserved

Legal Disclaimer

Privacy Policy

Data Privacy

Services
Services Overview
Advisory & Transformation
Advisory & Transformation Overview
Finance Transformation
ERP Advisory & Implementation
Data Strategy & Analytics
Managed Services
OneStream Software
Oracle EPM
Corporate Restructuring
Technology
Technology Overview
Cloud Strategy & Infrastructure
Cybersecurity Advisory & Assessment
ERP Advisory & Implementation
Fractional CTO & CIO
Managed Services
Software Selection
Risk
Risk Overview
Contract Compliance Audit
Cybersecurity Advisory & Assessment
Internal Audit
ISO Certification
IT Audit & Risk Advisory
Microsoft SSPA Attestation
SOX Compliance & Advisory
Third Party Risk Management
Accounting
Accounting Overview
CFO Advisory
Cloud Accounting & Automation
Outsourced Accounting
Outsourced HR & Payroll
Sage Intacct
Tax
Tax Overview
Business Tax
Corporate Tax & Provisions
Cost Segregation
Individual Tax Planning & Advisory
International Tax Provisions
Audit
Audit Overview
Financial Statement Audits
Due Diligence
Employee Benefit Plans Audits
SOC Audits
Capital
Capital Overview
Mergers & Acquisitions
Special Situations Investment Banking
Business Valuation
Employee Stock Ownership Plans
Representative Transactions
Wealth
Wealth Overview
Financial Advisory
Individual Tax Planning & Advisory
Industries
Industries Overview
Affordable Housing
Construction
Education
Energy
Financial Services
Government Contracting
Healthcare
Hospitality & Entertainment
Manufacturing & Distribution
Media, Technology, & Telecommunications
Nonprofits
Pharmaceuticals & Life Sciences
Private Equity
Professional Services
Real Estate
Retail
Transportation
Technology Partners
About
About
Client Experience
Community Impact
Leadership
Careers
Careers
Internships
Insights
Insights
Press Releases
In The News
Events
Client Login Contact Us ×

FEATURED INSIGHTS