How to Leverage HITRUST Certification into Microsoft SSPA
For any organization committed to robust cybersecurity hygiene, due diligence isn’t limited to your internal systems, operations, facilities, and people; it also requires vetting your relationships with suppliers to confirm that they are secure as well. Microsoft clearly understands this, as its rigorous Supplier Security & Privacy Assurance (SSPA) Program shows. And for suppliers participating in the SSPA Program, there are benefits to further extending your security compliance through HITRUST certification.
In fact, HITRUST certification might be the right move even if you’re not a Microsoft vendor (yet)—concerns about supplier security extend to just about any business relationship as cyber threats continue to grow more sophisticated. No one wants to make the next headlines about a data or security breach, so it’s important to seek solutions now that can help prove to your supply chain that your organization is trustworthy.
Still, there’s a clear link between the Microsoft SSPA Program and HITRUST certification, and as trusted providers of assessments for both initiatives—we’re on Microsoft’s SSPA Preferred Assessors List—we’re here to help you understand it.
In this article, we’ll briefly overview what the Microsoft SSPA Program and HITRUST CSF are before highlighting the benefits of leveraging the latter for the former. We’ll also touch on some considerations to weigh before going this route, so that if you do move forward, you can do so with a clearer understanding.
What is the Microsoft SSPA Program?
Per Microsoft, “strong privacy and security practices are critical to our mission, essential to customer trust, and in several jurisdictions required by law”—those words are taken directly from its Supplier Security & Privacy Assurance (SSPA) Program, which the company uses to evaluate the security/privacy practices of its suppliers.
Established as a partnership between Microsoft Procurement, Corporate External and Legal Affairs (CELA), and Corporate Security, SSPA is a global program that protects Microsoft data by requiring the suppliers who handle it to meet the Supplier Data Protection Requirements (DPR), essentially a baseline of Microsoft-defined supplier security and privacy controls. To do business with Microsoft, a supplier must become SSPA-approved, which means satisfying the DPR.
In terms of the data that must be protected, Microsoft recognizes two broad categories:

| Microsoft Personal Data (MPD) | Microsoft Confidential Data (MCD) |
|---|---|
| Personally identifiable information, including: | Microsoft intellectual property and proprietary data, which fall into two classes: |
Whether you process MPD and/or MCD, you will be required to enroll in the SSPA and become approved (keep in mind that Microsoft defines “processing” to include data transmission and storage).
To get started, you’ll need to complete a Data Processing Profile (DPP)—a questionnaire that characterizes your risk in terms of specific service factors. DPP questions address details such as:
- Data processing scope (e.g., Confidential or Personal/Confidential)
- Data processing location (e.g., Microsoft, customer, or supplier premises)
- Data processing role (e.g., controller, processor, or subprocessor)
You’ll also have to answer whether your services involve:
- Software-as-a-Service (SaaS) offerings
- Website hosting
- Subcontractor usage
- Payment card and/or healthcare data processing
Your responses will determine the specific DPR requirements you must meet, and these span several security and privacy domains, including:
- Data protection management
- Data use notification, choice, and consent
- Data collection, retention, and quality
- Data subject rights
- Data protection monitoring and enforcement
- Subcontractor security
- Supplier security
Those whose responses indicate high-risk sensitive profiles—e.g., those involving subcontractors, payment card data, or healthcare data—will have more stringent mandates to meet within the program than less sensitive profiles.
You’ll have ninety (90) days to demonstrate satisfaction of your designated requirements through a self-attestation that’ll then be reviewed by Microsoft’s SSPA Team who will make the ultimate Green Light (approval) or Red Light (denial) decision. Once successfully Green Lit, you’ll be approved to execute service contracts with Microsoft, though you will have to annually re-attest to remain within the program and continue providing services.
That said, high-risk sensitive profiles may also need to complete an Independent Assessment within that same 90-day window, which means retaining a third-party assessment organization (3PAO) to assess your DPR compliance.
Other Options for Your Microsoft SSPA Independent Assessment
While that assessment can directly evaluate you against the DPR, you also have the option to be assessed against a Microsoft-designated framework equivalent (as indicated in the DPP):
- International Organization for Standardization (ISO) 27001 (Security)
- ISO 27701 (Privacy)
- Payment Card Industry (PCI) Data Security Standard (DSS)
  - For suppliers that will process payment card data, a Tier 1 assessment is required that results in a PCI DSS Report on Compliance (ROC); PCI DSS Self-Assessment Questionnaires (SAQs) are not accepted.
- HITRUST CSF Certification
No matter which you choose, you must receive a clean final report (one with no noted deficiencies or exceptions) and submit it alongside the SSPA self-attestation, which every Microsoft supplier must complete regardless of risk profile.
What is HITRUST Certification?
Let’s talk more about that HITRUST option. If you process healthcare data for Microsoft, you’ll need to undergo a HITRUST CSF Validated Assessment that results in a Certification Report, as Health Insurance Portability and Accountability Act (HIPAA) Security/Privacy Rule attestations are not accepted.
First, some basics—HITRUST oversees the HITRUST Assurance Program, which governs the CSF control framework and assessment methodology that encompasses information protection requirements harmonized from a vast array of authoritative sources. Codified within the HITRUST Assessment Handbook and Risk Management Handbook, the entire CSF is regularly updated by HITRUST to account for an evolving cybersecurity threat landscape.
Like the SSPA, your HITRUST requirements are also risk-based and driven by specific scoping factors that you set within HITRUST’s web-based MyCSF Assessment Platform. Your Validated Assessment, also completed and submitted in MyCSF, will involve an external assessor performing maturity-based requirement scoring when evaluating your information security controls.
Submissions undergo rigorous HITRUST Quality Assurance (QA) review to validate assessment adequacy, sufficiency, accuracy, and conformity. To accommodate organizations with differing levels of cybersecurity and organizational maturity, certification can be attained in any of three assessment types that represent increasing levels of assessment rigor and compliance assurance:
- e1: Foundational, 1-year (e1) Assessment, Essentials
- i1: Implemented, 1-year (i1) Assessment, Leading Practices
- r2: Risk-based, 2-year (r2) Assessment, Expanded Practices
Any of these three HITRUST options is considered sufficient coverage for your Microsoft SSPA Independent Assessment. And given that the HITRUST e1 Validated Assessment covers a compact 44 “e”ssential cybersecurity requirements, this could be both an efficient and worthwhile approach for many organizations choosing a path forward for their Microsoft SSPA Independent Assessment.
Considerations When Leveraging HITRUST CSF Certification in SSPA
Whether or not you currently process healthcare data, if you’re a supplier intending to enroll—or are already enrolled—in SSPA, there’s value in choosing HITRUST certification as your independent assessment. HITRUST certification is widely respected across multiple industries—something Microsoft understands quite well, being a HITRUST Certification holder itself—so it could serve as a market differentiator beyond your SSPA needs.
However, should you elect to use a HITRUST CSF certification as your SSPA independent assessment, there are some nuances to consider:
- HITRUST certifies only live production-grade systems—think the core technology stack, supporting network and security infrastructure, physical facilities, and outsourced services—so developmental, testing, or prototype systems are ineligible for certification.
- Before moving forward with a HITRUST Validated Assessment, confirm your intended assessment type with the SSPA Team, as they may have a preference in mind.
- Your HITRUST certification scope must fully encompass your MPD/MCD data scope to count for SSPA.
- As gaps and corrective action plans (CAPs) become apparent during the process, determine whether any will materially impact your DPR requirements and communicate with the SSPA Team, as materially impactful deficiencies may impede SSPA approval even if you obtain HITRUST certification.
Learn More About HITRUST Certification
As organizations increasingly rely upon suppliers for technical and operational support, supplier security and privacy assurance continue to grow more critical. Supplier security/privacy risk to organizational data is real, and it cannot be blithely accepted, transferred, or ignored—unless, of course, you’re okay with the risk of becoming the next blazing data breach headline.
Microsoft isn’t, hence its SSPA program, which is required of its vendors: if you currently work with Microsoft or wish to, you’ll be required to complete it, and that may mean having an independent assessment performed against an approved framework. HITRUST certification may be the right one for you, and to learn more about it, check out our other content dedicated to its details:
- HITRUST CSF v11: An Overview of the Update
- How to Get HITRUST Certified: 4 Steps
- Understanding the HITRUST Scoring Rubric
Given our extensive experience with the framework, Schellman can help with your HITRUST Validated Assessment—we’re even endorsed by Microsoft to do so, as we’re on their list of preferred independent assessment firms, having demonstrated high levels of technical competency, subject matter expertise, and recognized accreditation. If you’d like to learn more about undertaking SSPA with HITRUST, feel free to reach out to Schellman Director Chris Lippert to get started.
About Michael Williams
Michael T. Williams is a Senior Associate at Schellman, where he serves as a HITRUST Common Security Framework (CSF) certified assessor for a diverse array of client organizations. Prior to joining Schellman in February 2020, Michael was a Senior Consultant with a national audit firm where he delivered security assessment and advisory services in its Healthcare and Life Sciences practice for four years. Preceding this, Michael performed security remediation and information assurance work for several component agencies of the US government. Michael is thus well-versed in the Federal Information Security Management Act (FISMA) and Federal Risk and Authorization Management Program (FedRAMP) frameworks, as well as the HITRUST CSF and Health Insurance Portability and Accountability Act (HIPAA) Security, Privacy, and Breach Notification Rules.