Schellman becomes The First ISO 42001 ANAB Accredited Certification Body!

Learn More
866.254.0000
Contact Us
Services
SOC & Attestations
Payment Card Assessments
ISO Certifications
Privacy Assessments
Federal Assessments
Healthcare Assessments
Penetration Testing
Cybersecurity Assessments
Crypto and Digital Trust
Schellman Training
ESG & Sustainability
AI Services
Build Your Compliance Roadmap
Industry Solutions
Cloud Computing & Data Centers Meet a broad range of regulatory and industry compliance mandates for your customers
Financial Services & Fintech Cybersecurity assessments for both the banking industry and the financial service providers
Healthcare Reporting to manage risk and adhere to applicable laws and regulations
Payment Card Processing Validate compliance with the various forms of the PCI DSS
US Government Achieve authorization to work for federal agencies, DoD, and the associated contractor base
Higher Education & Research Laboratories Reinforce your commitment to securing your student's and institution's data.
View All Industry Solutions
Learning Center
Our Technology
About Us
Leadership Team
Careers
Corporate Social Responsibility
Strategic Partnerships
Visit About Us
Services
Services
View All Services
SOC & Attestations
SOC & Attestations
Payment Card Assessments
Payment Card Assessments
ISO Certifications
ISO Certifications
Privacy Assessments
Privacy Assessments
Federal Assessments
Federal Assessments
Healthcare Assessments
Healthcare Assessments
Penetration Testing
Penetration Testing
Cybersecurity Assessments
Cybersecurity Assessments
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
ESG & Sustainability
ESG & Sustainability
AI Services
AI Services
Industry Solutions
Industry Solutions
View All Industry Solutions
Cloud Computing & Data Centers
Cloud Computing & Data Centers
Financial Services & Fintech
Financial Services & Fintech
Healthcare
Healthcare
Payment Card Processing
Payment Card Processing
US Government
US Government
Higher Education & Research Laboratories
Higher Education & Research Laboratories
Learning Center
Our Technology
About Us
About Us
About Schellman
Leadership Team
Leadership Team
Careers
Careers
Corporate Social Responsibility
Corporate Social Responsibility
Strategic Partnerships
Strategic Partnerships
Talk with a Specialist

«  View All Posts

What’s New in Version 9 of Microsoft’s DPR Blog Feature
CHRIS LIPPERT

By: CHRIS LIPPERT

Print/Save as PDF

What’s New in Version 9 of Microsoft’s DPR

Privacy Assessments

When Microsoft released version 9 of their Data Protection Requirements (DPR) back in October 2023, the new framework contained several important updates, as well as a few brand new requirements, including the addition of new considerations for suppliers processing protected health information (PHI).

As a preferred assessor associated with the SSPA program for several years, we’ve familiarized ourselves with the new version of the DPR and want to offer some insight.

In this article, we’ll briefly overview the DPR before getting into the updates in version 9—including a thorough detailing of the new PHI requirements—so that you can pivot to cover these developments more easily and maintain your relationship with Microsoft.

What is Microsoft’s DPR?

 

For anyone wanting to do business with Microsoft, you’ll first have to implement the tech giant’s DPR—a set of guidelines designed to help suppliers establish a tailored data protection framework that is meant to:

  • Ensure the security, privacy, and compliance of data across Microsoft’s cloud services through protection measures and privacy safeguards
  • Standardize data handling through a framework for data classification and required access controls
  • Guarantee incident response and management through the establishment of risk management practices and procedures in the event of a data breach
  • Provide further support for healthcare data protection through specific guidelines regarding the safeguarding of PHI at rest and when shared

 To achieve all that, the DPR outlines necessary security practices and compliance measures suppliers must implement, including controls around:

  • Data encryption
  • Access management
  • Data retention and deletion
  • Third-party management
  • Mandatory training and awareness

Once you’ve implemented those measures, suppliers must undergo the Supplier Security and Privacy Assurance (SSPA) process to validate their security efforts and the effectiveness of controls. To ease the experience, Microsoft has made the following documents available:

Document

What It Does

SSPA Program Guide
  • Details how the SSPA process works and what to expect in the initial stages and on an annual basis thereafter, from the supplier profile to the self-assessment, to the independent assessment.
  • Provides an overview of how a supplier’s answers in the supplier profile describing their processing can affect the risk associated with the supplier for the SSPA program.
  • Outlines the various “profiles” the supplier could fall into which would then determine their next SSPA steps.
    • Based on the profile they fit into, the supplier may be fine completing just the self-assessment, or they may have to have an independent assessment performed, or they may have to supply supporting compliance reports/certifications.

Preferred Assessor List
  • Provides suppliers with a list of vetted and preferred assessors who have been working with Microsoft over the years, as well as their contact information.
    • Why would this help? Because most assessors you find on the list have been working with Microsoft across several iterations of their requirements and updates to the program—therefore, they can speak to the process and intricacies of getting your company back in a “green status” in the supplier portal.
  • Supplies companies with an example report for the independent assessment that includes:
    • The information suppliers must include for Microsoft’s review; and
    • The approved format for the final report before its upload to Microsoft’s supplier portal.

Microsoft DPR
  • Walks suppliers through the requirements they are expected to meet when providing services to Microsoft, as not all of the requirements may be applicable based on your services provided (something that Microsoft will determine in the self-assessment phase).
    • For the ones that are applicable, this document also provides examples of the evidence of compliance that Microsoft would like to see in place, which will also serve as a starting point for your independent assessor.
  • Provides a glossary of terms to remove any ambiguity around how the requirements may apply.

 

What’s New in Version 9 of Microsoft’s DPR?

 

So then, what’s been updated in the latest version of Microsoft’s DPR? Some new additions include (but are not limited to):

  • Appropriate sanctions will be applied to employees who fail to comply with requisite privacy and security policies.
  • Suppliers must now maintain any data set from Microsoft with reduced identifiability—e.g., de-identified data—in the state in which it was received.
  • Suppliers must now conduct vulnerability scans every month and complete a high-level compliance report summarizing the prior 12 months.
  • Suppliers must now perform regular patching and updating of anti-virus and anti-malware software.

New Requirements for the Handling of PHI

Amidst those smaller updates, the biggest change to version 9 of the DPR involves the addition of new requirements to account for the protection of PHI.

Not only does v9 now require suppliers to have a Business Associates Agreement in place with Microsoft if they are involved in the processing of protected health information—that is, if they don’t have one already—but these suppliers must also perform HIPAA training, as well as periodic technical and non-technical evaluations of their PHI security.

Aside from mandatory training and awareness, here are some of the other updates in version 9 of the DPR that were made for more robust protection of PHI:

  • Enhanced requirements for:
    • Anonymization: When using personal health information in development or test environments, suppliers must make sure that the anonymization techniques they use meet the HIPAA de-identification standard.
    • Training: In addition to the standard security awareness training requirements, Microsoft now also expects suppliers to pay increased attention to security reminders, log-in monitoring, and the safeguarding of passwords for PHI.
  • A new focus on the security of PHI:
    • On top of the existing requirements for establishing, implementing, and maintaining an information security program, any suppliers processing PHI must also perform periodic technical and non-technical evaluations of its controls in response to changes to ensure that the supplier’s policies and procedures continue to meet the requirements of the HIPAA Security Rule.
  • Improved vendor management:
    • As part of the new, firmer requirements regarding the assessment and management of risks associated with your supply chain, specific clauses related to PHI protection must be included in your agreements with third parties (business associate agreements).

New Carve Out for HITRUST Certification

Given all this, it likely comes as no shock that V9 also promotes enhanced alignment with the HIPAA Privacy and Security Rules, but at the same time, it’s important to note that given these new specific mentions of PHI within the DPR, Microsoft has also updated their SSPA Program Guide to include carve-outs for HITRUST certification.

Previously, carve-outs for the Microsoft DPR were limited to:

  • ISO 27001;
  • ISO 27701; and
  • PCI assessments (though these only sufficed for requirements related to Payment Card Industry assurance).

That is, until now.

If you’re a covered entity or healthcare service provider in the U.S.—which you must be to qualify for this avenue—and you find that your organization falls into supplier profile #8 of the SSPA program guide as per the type(s) of processing you perform for Microsoft, you can now submit your HITRUST certification in lieu of going through any additional independent assessment related to the Microsoft DPR.

 

What is Microsoft’s DPR V9.1?

 

In addition to the standard updates that were made to what is now V9 back in 2023, Microsoft issued an emergency update in May 2024—Version 9.1—due to a recent privacy and security incident sparked when a supplier developed a small-scale application for Microsoft but negligently left credentials in the software’s code.

In light of this, Microsoft added requirement #53, which states that suppliers must “ensure that secrets are not embedded or hardcoded in the software at any stage of the development process.” To assist suppliers with proving their compliance, Microsoft also included guidance regarding acceptable potential evidence, which includes but is not limited to:

  • Use of a supported and current version of a credential exposure prevention tool such as GitHub Advanced Security (GHAS)) or similar service or tool.
  • Assurance that if source or configuration files did mistakenly include secrets, those secrets were documented as revoked upon discovery.
  • Assurance that any replacement or secondary credential was not pushed back into code.
  • Documentation of any false positives and their remediation.

Moving Forward with the Latest Version of Microsoft’s DPR

 

While the new requirements outlined above may not cause too much heartburn for existing suppliers, it’ll be important to make sure that you’ve covered them so that you can maintain your organization’s green status in Microsoft’s supplier portal.

If your organization is required to go through an independent assessment of your compliance with the DPR this year, or if you have any inquiries as they relate to the updated requirements, please contact Schellman’s privacy team at sspa@schellman.com.

About CHRIS LIPPERT

Chris Lippert is a Director and Privacy Technical Lead with Schellman and is based in Atlanta, GA. With more than 10 years of experience in information assurance across numerous industries, regulations, and frameworks, Chris developed a passion for and concentration in data privacy. He is an active member of the International Association of Privacy Professionals (IAPP), holds his Fellow of Information Privacy (FIP) designation, and advocates for privacy by design and the adequate protection of personal data in today’s business world.

4010 W Boy Scout Boulevard
Suite 600
Tampa, FL 33607

U.S. 1.866.254.0000

Outside the U.S.
1.813.288.8833

Resources
Company
Stay Up-to-Date

Sign up to receive Schellman's Weekly Read delivered every Friday morning.

© SchellmanPrivacy PolicyTerms of Use

“Schellman” is the brand name under which Schellman & Company, LLC and Schellman Compliance, LLC provide professional services. Schellman & Company, LLC and Schellman Compliance, LLC practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations and professional standards. Schellman & Company, LLC is a licensed certified public accounting firm (Florida license number AD62941) registered with the Public Company Accounting Oversight Board (PCAOB) that provides attest services to its clients, and Schellman Compliance, LLC provides nonattest cybersecurity and compliance professional services to its clients. Schellman Compliance, LLC is not a licensed CPA firm. Schellman & Company, LLC and Schellman Compliance, LLC are independently owned and are not liable for the services provided by any other entity providing services under the Schellman brand. Our use of the terms “our firm” and “we” and “us” and terms of similar import, denote the alternative practice structure conducted by Schellman & Company, LLC and Schellman Compliance, LLC.