Schellman becomes The First ISO 42001 ANAB Accredited Certification Body!

Contact Us
Services
Services
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
Sustainability Services
Sustainability Services
AI Services
AI Services
About Us
About Us
Leadership Team
Leadership Team
Corporate Social Responsibility
Corporate Social Responsibility
Careers
Careers
Strategic Partnerships
Strategic Partnerships

What’s New in Version 9 of Microsoft’s DPR

Privacy Assessments

When Microsoft released version 9 of their Data Protection Requirements (DPR) back in October 2023, the new framework contained several important updates, as well as a few brand new requirements, including the addition of new considerations for suppliers processing protected health information (PHI).

As a preferred assessor associated with the SSPA program for several years, we’ve familiarized ourselves with the new version of the DPR and want to offer some insight.

In this article, we’ll briefly overview the DPR before getting into the updates in version 9—including a thorough detailing of the new PHI requirements—so that you can pivot to cover these developments more easily and maintain your relationship with Microsoft.

What is Microsoft’s DPR?

 

For anyone wanting to do business with Microsoft, you’ll first have to implement the tech giant’s DPR—a set of guidelines designed to help suppliers establish a tailored data protection framework that is meant to:

  • Ensure the security, privacy, and compliance of data across Microsoft’s cloud services through protection measures and privacy safeguards
  • Standardize data handling through a framework for data classification and required access controls
  • Guarantee incident response and management through the establishment of risk management practices and procedures in the event of a data breach
  • Provide further support for healthcare data protection through specific guidelines regarding the safeguarding of PHI at rest and when shared

 To achieve all that, the DPR outlines necessary security practices and compliance measures suppliers must implement, including controls around:

  • Data encryption
  • Access management
  • Data retention and deletion
  • Third-party management
  • Mandatory training and awareness

Once you’ve implemented those measures, suppliers must undergo the Supplier Security and Privacy Assurance (SSPA) process to validate their security efforts and the effectiveness of controls. To ease the experience, Microsoft has made the following documents available:

Document

What It Does

SSPA Program Guide

  • Details how the SSPA process works and what to expect in the initial stages and on an annual basis thereafter, from the supplier profile to the self-assessment, to the independent assessment.
  • Provides an overview of how a supplier’s answers in the supplier profile describing their processing can affect the risk associated with the supplier for the SSPA program.
  • Outlines the various “profiles” the supplier could fall into which would then determine their next SSPA steps.
    • Based on the profile they fit into, the supplier may be fine completing just the self-assessment, or they may have to have an independent assessment performed, or they may have to supply supporting compliance reports/certifications.

Preferred Assessor List

  • Provides suppliers with a list of vetted and preferred assessors who have been working with Microsoft over the years, as well as their contact information.
    • Why would this help? Because most assessors you find on the list have been working with Microsoft across several iterations of their requirements and updates to the program—therefore, they can speak to the process and intricacies of getting your company back in a “green status” in the supplier portal.
  • Supplies companies with an example report for the independent assessment that includes:
    • The information suppliers must include for Microsoft’s review; and
    • The approved format for the final report before its upload to Microsoft’s supplier portal.

Microsoft DPR

  • Walks suppliers through the requirements they are expected to meet when providing services to Microsoft, as not all of the requirements may be applicable based on your services provided (something that Microsoft will determine in the self-assessment phase).
    • For the ones that are applicable, this document also provides examples of the evidence of compliance that Microsoft would like to see in place, which will also serve as a starting point for your independent assessor.
  • Provides a glossary of terms to remove any ambiguity around how the requirements may apply.

 

What’s New in Version 9 of Microsoft’s DPR?

 

So then, what’s been updated in the latest version of Microsoft’s DPR? Some new additions include (but are not limited to):

  • Appropriate sanctions will be applied to employees who fail to comply with requisite privacy and security policies.
  • Suppliers must now maintain any data set from Microsoft with reduced identifiability—e.g., de-identified data—in the state in which it was received.
  • Suppliers must now conduct vulnerability scans every month and complete a high-level compliance report summarizing the prior 12 months.
  • Suppliers must now perform regular patching and updating of anti-virus and anti-malware software.

New Requirements for the Handling of PHI

Amidst those smaller updates, the biggest change to version 9 of the DPR involves the addition of new requirements to account for the protection of PHI.

Not only does v9 now require suppliers to have a Business Associates Agreement in place with Microsoft if they are involved in the processing of protected health information—that is, if they don’t have one already—but these suppliers must also perform HIPAA training, as well as periodic technical and non-technical evaluations of their PHI security.

Aside from mandatory training and awareness, here are some of the other updates in version 9 of the DPR that were made for more robust protection of PHI:

  • Enhanced requirements for:
    • Anonymization: When using personal health information in development or test environments, suppliers must make sure that the anonymization techniques they use meet the HIPAA de-identification standard.
    • Training: In addition to the standard security awareness training requirements, Microsoft now also expects suppliers to pay increased attention to security reminders, log-in monitoring, and the safeguarding of passwords for PHI.
  • A new focus on the security of PHI:
    • On top of the existing requirements for establishing, implementing, and maintaining an information security program, any suppliers processing PHI must also perform periodic technical and non-technical evaluations of its controls in response to changes to ensure that the supplier’s policies and procedures continue to meet the requirements of the HIPAA Security Rule.
  • Improved vendor management:
    • As part of the new, firmer requirements regarding the assessment and management of risks associated with your supply chain, specific clauses related to PHI protection must be included in your agreements with third parties (business associate agreements).

New Carve Out for HITRUST Certification

Given all this, it likely comes as no shock that V9 also promotes enhanced alignment with the HIPAA Privacy and Security Rules, but at the same time, it’s important to note that given these new specific mentions of PHI within the DPR, Microsoft has also updated their SSPA Program Guide to include carve-outs for HITRUST certification.

Previously, carve-outs for the Microsoft DPR were limited to:

  • ISO 27001;
  • ISO 27701; and
  • PCI assessments (though these only sufficed for requirements related to Payment Card Industry assurance).

That is, until now.

If you’re a covered entity or healthcare service provider in the U.S.—which you must be to qualify for this avenue—and you find that your organization falls into supplier profile #8 of the SSPA program guide as per the type(s) of processing you perform for Microsoft, you can now submit your HITRUST certification in lieu of going through any additional independent assessment related to the Microsoft DPR.

 

What is Microsoft’s DPR V9.1?

 

In addition to the standard updates that were made to what is now V9 back in 2023, Microsoft issued an emergency update in May 2024—Version 9.1—due to a recent privacy and security incident sparked when a supplier developed a small-scale application for Microsoft but negligently left credentials in the software’s code.

In light of this, Microsoft added requirement #53, which states that suppliers must “ensure that secrets are not embedded or hardcoded in the software at any stage of the development process.” To assist suppliers with proving their compliance, Microsoft also included guidance regarding acceptable potential evidence, which includes but is not limited to:

  • Use of a supported and current version of a credential exposure prevention tool such as GitHub Advanced Security (GHAS)) or similar service or tool.
  • Assurance that if source or configuration files did mistakenly include secrets, those secrets were documented as revoked upon discovery.
  • Assurance that any replacement or secondary credential was not pushed back into code.
  • Documentation of any false positives and their remediation.

Moving Forward with the Latest Version of Microsoft’s DPR

 

While the new requirements outlined above may not cause too much heartburn for existing suppliers, it’ll be important to make sure that you’ve covered them so that you can maintain your organization’s green status in Microsoft’s supplier portal.

If your organization is required to go through an independent assessment of your compliance with the DPR this year, or if you have any inquiries as they relate to the updated requirements, please contact Schellman’s privacy team at sspa@schellman.com.

About CHRIS LIPPERT

Chris Lippert is a Director and Privacy Technical Lead with Schellman and is based in Atlanta, GA. With more than 10 years of experience in information assurance across numerous industries, regulations, and frameworks, Chris developed a passion for and concentration in data privacy. He is an active member of the International Association of Privacy Professionals (IAPP), holds his Fellow of Information Privacy (FIP) designation, and advocates for privacy by design and the adequate protection of personal data in today’s business world.