Report an OSD/JS Breach

  1. Report the Breach to US-CERT. NOTE: Non-cyber related (paper) incidents should not be reported to US-CERT; they should be reported to your agency's privacy office within one hour of a suspected or confirmed breach. If this is a paper breach, skip to step 2.

    Select the link below within one hour after discovery to access the US-CERT Incident Reporting System. Review the instructions provided and complete the on-line questionnaire at

  2. Report the Breach to your Senior Component Official for Privacy and OSD/JS Privacy Office.
    If there is a privacy breach, report it immediately and fill out the DD Form 2959, Breach of Personally Identifiable Information (PII) Report.
    After you complete the form, submit it to the OSD/JS Privacy Office at the OSD/JS Privacy Office inbox within 24 hours after discovery. NOTE: This form should also be used to report updates to previous submissions.

  3. The OSD/JS Privacy Office, in conjunction with the reporting component, will submit the DD Form 2959 to the Defense Privacy and Civil Liberties Division within 48 hours.

  4. If determined and approved by your senior leadership, notify the affected individuals of the breach.
    Notification must be made within 10 days of the discovery of the incident. You will need to have the mailing address for each affected individual and be able to address the unique issue(s) pertaining to each breach. See DoD 5400.11-R, Appendix 2 for a sample notification letter.
    For further information, see DoD 5400.11-R, paragraph C10.6, Lost, Stolen or Compromised Information.