Government contractors doing work for the government are governed by NISPOM - National Information Security Program Objective Memorandum - guidelines for handling and securing classified information and is managed/overseen by the Defense Security Service. Official agencies of the government are not, and have their own guidelines, and in my experience are sometimes more lax in their stewardship.
But they all have one thing in common - networks set up specifically to handle classified information (e.g., SIPRNET or others for higher level classifications). These are NOT open internetbased email systems without a physical layer hardware encryption.
Hillary’s contractors were most likely (I’d say definitely) not even cleared to handle or transmit classified information - they probably never heard of NISPOM or DSS.
What has happened here is a serious breach of Federal Law committed through grossly negligent behavior or by outright criminal intent by an employee (or former employee) of the US Government.
They don’t need to “investigate” e-mail security - it is automatically considered to be unsecure on its face for classified information. This aspect of the news is total BS and diversionary, IMO.
National Industrial Security Program Objective Memorandum.....my bad.