<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=1977396509252409&amp;ev=PageView&amp;noscript=1">

SUITE OF SERVICES services menu




Microsoft Supplier Security and Privacy Assurance (SSPA) Program Attestation

Microsoft Supplier Security and Privacy Assurance (SSPA) Program Attestation

Written by AMBER WELCH on Feb 11, 2019

If your organization is a current or aspiring Microsoft vendor, you’re probably familiar with the Microsoft Supplier Security and Privacy Assurance Program (SSPA) program (previously called the Vendor Privacy Assurance Program). Vendors providing services with a high business impact may be required to provide a letter of attestation from a qualified independent assessor such as Schellman. You might be wondering what this requirement means for your business and what to expect during the attestation process.

Choosing an Independent Assessor

Microsoft doesn’t provide a list of pre-approved independent assessors, but there are a few qualifications to look for:

  • The attestation is required to be performed in accordance with the American Institute of Certified Public Accountants (AICPA), which means the assessor chosen is required to be a CPA firm. The firm should be in good standing with the AICPA, (you can search for a firm name such as “Schellman” here).
  • As Microsoft’s vendor contracts are heavily affected by the European Union’s new privacy law, the GDPR, a qualified assessor should have experience with both US and European privacy attestations and audits.
  • Look for a firm whose auditors hold privacy-specific certifications such as the CIPP/E and CIPP/US by IAPP.

Completing the Attestation Process

Before the attestation, check the Data Protection Requirements (DPR) and make any necessary changes to meet the criteria. Your auditor will ask for some evidence to show that you’ve met these requirements, so be sure to keep some documentation of your work and controls. When the assessment is complete, you’ll be given a letter of attestation which you can submit to Microsoft. If you choose Schellman as an assessor, your auditor can point out areas for improvement and help you identify weaknesses in your current practice to avoid jeopardizing your Microsoft contract. If your organization is subject to other types of IT audits, discuss the option of combining the Microsoft DPR attestation with other audits or assessments to determine if there is an overlap in testing efforts or documentation to ease the burden of multiple audits.

Considering a Readiness Assessment

If you’re anticipating a requirement to provide a letter of attestation for the Microsoft DPR but aren’t yet prepared, Schellman can help you identify control gaps where your organization doesn’t meet the criteria with a readiness assessment. You’ll have an opportunity to identify potential issues before committing to a formal attestation. When you’ve remediated the gaps, your auditor can return to complete the formal attestation. A readiness assessment could also be a benefit if you’re currently bidding on a Microsoft contract and want to show your competitive, proactive approach to privacy compliance.

Wherever you are in compliance with the Microsoft Supplier Security and Privacy Assurance Program requirements, Schellman can help. Speak with a privacy assessment specialist about your organization’s Microsoft Supplier needs today.




Amber Welch is a Privacy Technical Lead for Schellman & Company, LLC. With more than 6 years of experience as a technical writer and privacy and security governance consultant, she is dedicated to GDPR and other privacy-focused engagements. Amber has served as a panelist during Black Hat and published several articles on recent privacy developments. She holds a master’s degree from the University of Nebraska, as well as the CIPP/E and CCSK designations from the International Association of Privacy Professionals and the Cloud Security Alliance.