Amtrak (the company) has been moving its technology systems and data to the cloud to provide on-demand access to shared services and reduce its dependence on in-house servers and databases. Migrating applications and data to the cloud, however, poses inherent security risks, exposing the company to an increased risk of cyberattacks. Accordingly, our objective was to assess the extent to which the company has implemented effective governance processes and security controls for cloud computing. In July 2025, we issued an interim report on this audit to alert the company to two pressing cybersecurity issues related to its cloud computing. In this report, we provide an update on the company’s progress on these issues and an overall assessment of its cloud computing practices. Given the sensitive nature of the report’s information, however, we are summarizing the results in this public version of the report.
Our assessment of the company’s governance processes and security controls of its cloud applications resulted in nine recommendations. In commenting on a draft of this report, the Executive Vice President for Digital Technology and Innovation agreed with our recommendations and described ongoing and planned actions to address them.
