Federal Reports

Like other organizations, Amtrak (the company) faces the inherent cybersecurity risk that employees or contractors are “insider threats”—that is, that they could maliciously or unintentionally use information systems or data in a manner that harms the company. Insider threats may cause more harm and are more difficult to detect than external cyber‐attackers because individuals within an organization already have access to systems and data. Amtrak Office of Inspector General’s (OIG) recent investigations identified company employees and contractors who misused or took advantage of their system access and exposed sensitive company information. Accordingly, our objective was to assess the effectiveness of company controls to protect its information systems and data from insider threats. Our recommendations included conducting an insider threat risk assessment, establishing a policy for insider threat activities, and developing a process to track and enforce company access requirements. In commenting on a draft of this report, company executives agreed with our recommendations and identified actions that the company plans to take to address them.THE TRANSPORTATION SECURITY ADMINISTRATION AND THE DEPARTMENT OF TRANSPORTATION HAVE DETERMINED THAT THIS REPORT CONTAINS SENSITIVE SECURITY INFORMATION (SSI) that is controlled under 49 CFR parts 15 and 1520 to protect Sensitive Security Information exempt from public disclosure. For Amtrak OIG, public disclosure is governed by 5 U.S.C. § 552 and 49 CFR parts 15 and 1520. This public version of the report has been redacted.