Microsoft’s Supplier Security and Privacy Assurance (SSPA) program received a major update with Version 10, which took effect on September 23rd, 2024. This update introduced new requirements, particularly around artificial intelligence (AI) and ISO 42001 compliance.
The SSPA program applies to all Microsoft suppliers that process confidential or personal data. It serves as Microsoft's internal vendor risk management framework, ensuring suppliers meet security and privacy expectations. Companies must comply during procurement and annually thereafter through self-assessment and independent evaluations.
The latest version introduces Section K, which focuses on AI governance. This section applies to any Microsoft supplier that uses AI in the services it provides to Microsoft. Note that Microsoft's own Copilot AI offering is carved out of this scope. Key elements of Section K include:
With growing global interest in ISO 42001, the AI management system standard, Microsoft is integrating it into the SSPA program as one possible route to compliance. Suppliers using AI have two pathways for compliance:
If you’re a Microsoft supplier leveraging AI, now is the time to assess your AI governance and compliance readiness. Our team is mapping SSPA’s Section K requirements to ISO 42001, and we’ll be sharing further insights soon.
Stay tuned for our full breakdown of SSPA Version 10 and what it means for your compliance strategy!