Report File
Date Issued
Submitting OIG
Amtrak (National Railroad Passenger Corporation) OIG
Other Participating OIGs
Amtrak (National Railroad Passenger Corporation) OIG
Agencies Reviewed/Investigated
Amtrak (National Railroad Passenger Corporation)
Report Number
OIG-A-2024-001
Report Description

Like other organizations, Amtrak (the company) faces the inherent cybersecurity risk that employees or contractors are “insider threats”—that is, that they could maliciously or unintentionally use information systems or data in a manner that harms the company. Insider threats may cause more harm and are more difficult to detect than external cyber‐attackers because individuals within an organization already have access to systems and data. Amtrak Office of Inspector General’s (OIG) recent investigations identified company employees and contractors who misused or took advantage of their system access and exposed sensitive company information. Accordingly, our objective was to assess the effectiveness of company controls to protect its information systems and data from insider threats. Our recommendations included conducting an insider threat risk assessment, establishing a policy for insider threat activities, and developing a process to track and enforce company access requirements. In commenting on a draft of this report, company executives agreed with our recommendations and identified actions that the company plans to take to address them.

THE TRANSPORTATION SECURITY ADMINISTRATION AND THE DEPARTMENT OF TRANSPORTATION HAVE DETERMINED THAT THIS REPORT CONTAINS SENSITIVE SECURITY INFORMATION (SSI) that is controlled under 49 CFR parts 15 and 1520 to protect Sensitive Security Information exempt from public disclosure. For Amtrak OIG, public disclosure is governed by 5 U.S.C. § 552 and 49 CFR parts 15 and 1520. This public version of the report has been redacted.

Report Type
Audit
Agency Wide
Yes
Number of Recommendations
5
Questioned Costs
$0
Funds for Better Use
$0

Open Recommendations

This report has 4 open recommendations.
Recommendation Number | Significant Recommendation | Recommended Questioned Costs | Recommended Funds for Better Use | Additional Details

2 | Yes | $0 | $0 |

Based on the results of the risk assessment, develop and implement a plan to better control, monitor, and block identified data and user activities for its systems.

3 | Yes | $0 | $0 |

Establish a policy that clearly defines departmental roles and responsibilities for insider threat activities, including responding to insider threats.

4 | Yes | $0 | $0 |

Establish a process to track and enforce access management requirements for the company’s non-financial systems, including ensuring system owners are aware of and complete required access reviews.

5 | Yes | $0 | $0 |

Prioritize and develop a strategy for DT to implement available access management tools across company systems while minimizing disruption to company operations.

Amtrak (National Railroad Passenger Corporation) OIG

United States