I think that's a difficult question. I guess it would start off with whether the security requirement checklist was done before a task authorization or a contract was put forth. Once you set out the requirements in that task authorization, someone should have ensured that the resources that were proposed by the vendor met those requirements. Then you would have had to check a second time when the invoice came in that it was the actual individual.
There could be many points where this could have been flagged. In this instance, I don't know the details as to where that failure might have occurred. However, the fact remains that individuals who didn't have clearance carried out the work, and they shouldn't have.