In July 2007, several contractors of Los Alamos National Laboratory were fined a total of $3.3 million for failing to adequately protect data as required in their contracts. The Department of Energy (DOE) initiated formal enforcement actions against specific current and former contractors, the reports said that investigations revealed that the contractors failed to prevent “a subcontractor employee’s unauthorized reproduction of and removal of classified matter from the site.” The DOE also issued a Compliance Order to Los Alamos, requiring corrective action to increase physical protection and cyber-security to safeguard classified information.
This is another example that illustrates the importance of two areas of security policy related to third-party contractors. First, information security requirements should be included in all written contracts (apparently so in this case). Second, the organization must establish procedures for periodic monitoring of all third-party contractors for compliance with information security policies. Information security policies made easy includes over 100 separate security policy controls for managing third-party relationships.