What is the SSPA Process?

If you are a vendor or supplier wanting to work with Microsoft, you may have been referred to their SSPA program (the software security and privacy assurance program) for details on how to do so. In this video, we'll talk about whether the SSPA assessment is an annual one.

Hi, my name is Debbie Zaller. I am the Chief Operating Officer at Schellman. Schellman is one of Microsoft's preferred assessors under their SSPA program. We have performed almost 100 assessments and perform them almost weekly. Microsoft requires suppliers to go through a process before reaching the point where an independent assessment is needed:

  1. It starts with completing a profile on Microsoft's portal.
  2. Once the profile is complete, it will outline the requirements that apply to you within the self-assessment.
  3. The supplier then completes the self-assessment.
  4. Microsoft reviews that self-assessment to determine whether an independent assessment is required.

If an independent assessment is required, it must be performed by one of the preferred assessors listed on Microsoft's website.

Microsoft requires the independent assessment to be completed within a certain time frame, usually about 90 days. From the time the supplier contacts one of the preferred assessors, the full assessment can take anywhere from one to two months. So it is very important to start that process early, to make sure that a preferred assessor is chosen and contracted with, and that you can actually complete the assessment within that 90-day period. Microsoft does allow a one-time extension to the 90-day period, but only if your organization has already contracted with a preferred assessor.

Now that you've completed an independent assessment, you might be wondering: do I have to do this every year? The answer is yes. The SSPA program does require an annual assessment. We always advise our clients to check the Microsoft portal frequently, because Microsoft does change its requirements, and when the requirements change, they may require you to complete another assessment. So the assessment could be annual or more frequent than annual.

For more information, go to our website and complete the contact us form. One of our privacy professionals will reach out to you to provide more details on this process.

About the Author

Debbie Zaller

Debbie Zaller is Chief Operating Officer at Schellman. Debbie is responsible for maintaining and driving operational results and executing the firm's strategic goals. Debbie oversees all daily operations of the firm while spearheading the development, communication and implementation of effective growth strategies and processes. Debbie has over 21 years of IT compliance and attestation experience. Debbie led the firm's Midwest, Southeast, and Northeast regions along with the national service lines of SOC 2 and Privacy service lines as Managing Principal before assuming the position of COO in 2021. Debbie holds a Master of Accounting degree from the University of Florida. She is a Certified Public Accountant, Certified Information Privacy Professional/United States, Certified Data Privacy Solutions Engineer, Certified Information Systems Security Professional, Certified Information Systems Auditor, and Certified Cloud Security Knowledge. She is currently an AICPA-approved and nationally listed SOC Specialist and speaker on various privacy topics. Debbie was on the AICPA Task Force for the Advanced SOC for Certification Exam, was a member of the Florida Institute of Certified Public Accountants Board of Governors and served on the Finance and Office Advisory Committee.
