Season 2 – Episode 4 – Navigating the Complexities of Research Security
Research security is about protecting the means, know-how, and products of U.S. research and development until they are ready to be shared. In 2021, the government issued a national presidential memorandum with updated requirements for institutions around research. This episode explains these new research security requirements and suggests how to grow or build a program to meet these updated requirements.
Episode Transcript
Dr. Emily Bradford: We have to balance the principles of unfettered and collaborative research with protecting our national interests, including our research, from foreign government interference. And we can’t do that by promoting fear, or xenophobia, or isolationism, because those are inherently antithetical to the way that academic research works.
Justin Osborne: Welcome to On Research with CITI Program, your favorite podcast about the research world, where we dive into different aspects of the industry with top experts in our field. I’m your host, Justin Osborne, and I appreciate you joining. Before we jump in, as a reminder, this podcast is for educational purposes only. It is not designed to provide legal advice or legal guidance. You should consult with your organization’s attorneys if you have questions or concerns about the relevant laws and regulations that may be discussed in this podcast. In addition, the views expressed in this podcast are solely those of our guests. At the top, you heard a clip from Emily Bradford, my guest this episode. Dr. Bradford is the Assistant Director of Research Compliance at the University of Kentucky. Under the Office of Sponsored Projects, she oversees conflicts of interest, research security, export controls, and aspects of clinical trial compliance.
Today, Emily and I focus on the topic of research security. As many know, there have been recent updates and requirements around research security impacting everything from conflict of interest to export controls, but how exactly are those requirements being implemented or even understood by the research experts on the ground? We explore these topics and more with someone who has spent the past few years focusing on these very areas. So without further ado, I hope you enjoy my discussion with Emily.
So, Emily, thank you so much for joining. Thanks for coming on the podcast with me. So to start us off, can you please tell us a little more about your background, how you got into research, and then what your current role entails?
Dr. Emily Bradford: Yeah, sure. I’d like to start by thanking you for having me on your podcast. So I got into research administration by accident, actually, which I think is how most of us end up here.
Justin Osborne: True.
Dr. Emily Bradford: I went to school to get my doctorate in biochemistry and molecular genetics with the idea of running my own research lab someday. Clearly, that worked out well, right? So I followed that with some postdoctoral fellowships and became a research assistant professor, exactly as planned. But somewhere in the middle of that, I got more involved with the ethics and regulatory committees, and I really enjoyed it. So there was a point at which my institution’s grants office was looking to hire someone with an advanced science degree to do clinical trials compliance. And so I took the leap and I switched from faculty to administration. Now, that was five years ago, and from there, I’ve been slowly adding hats, and now I oversee conflict of interest, research security, and export controls as well. And I’m in the enviable position where we have well-established expertise in those areas already, and I’ve had a lot of support and time to grow into those roles, and I’m still growing into them, to be honest. So that’s how I ended up here.
Justin Osborne: Well, that’s great. Yeah, it sounds like you have a lot of hats that you wear, as a lot do in your kind of world. So just to jump into our topic, so we’re talking about research security. It touches a lot of the areas that you currently work in, of course. To step back, sort of as a high-level overview, I know there’s some new federal requirements and guidance that have come out somewhat recently. Can you give us a high-level overview of what those new requirements are?
Dr. Emily Bradford: Sure. This is a six-hour podcast, right?
Justin Osborne: Exactly.
Dr. Emily Bradford: Yeah. So I’ll preface this by saying that the research security requirements are still evolving, and there really isn’t a one-size-fits-all definition or even a standard approach to meeting those requirements yet. At a high level, research security is about protecting the means, know-how, and products of U.S. R&D until they’re ready to be shared, which is a pretty simple definition. What that really means is that we’re protecting U.S. federal money, our intellectual property, and our talent from being exploited by foreign governments. And right now, those foreign governments of concern are China, North Korea, Russia, and Iran. Although I will say that the U.S. and U.S. researchers continue to have very safe and productive collaborations in those countries in the midst of this concern.
Justin Osborne: Okay.
Dr. Emily Bradford: So I’m going to tell you the long back history of this.
Justin Osborne: Yeah, yeah, please.
Dr. Emily Bradford: So conceptually, research security goes back to World War II, when the U.S. needed to protect research advances in military intelligence and the things that were going on at Los Alamos, for example, from outside knowledge. In the years since, fundamental research from all sectors has really enjoyed the freedom of open publication, transparent data exchange, and robust international collaboration, which is great. Now, there have always been bad actors in that mix, but recently, starting around 2018 or 2019, the U.S. government raised concerns about malign foreign government talent recruitment programs, Confucius Institutes, and some other mechanisms by which foreign governments might influence and exploit U.S. research.
So in 2021, the government issued National Presidential Memorandum 33, which we call NSPM-33, which is a fairly short document actually, and it instructs the federal agencies to strengthen protections of the U.S. R&D enterprise, and that set the stage for everything that was to come. So the NSPM did a couple of things that really impact research institutes. First of all, it required participants in federally funded R&D programs to disclose conflicts of interest and conflicts of commitment. That’s sort of a new step. And it required institutions that receive federal science and engineering support in excess of $50 million, so fairly big institutions, to create research security programs. And those programs have to address things like cyber security, foreign travel security, insider threat awareness, and export controls training.
Justin Osborne: Wow.
Dr. Emily Bradford: So NSPM-33 was the very first step. Then in 2022, President Biden signed the CHIPS and Science Act, and that authorized significant investments in science and engineering but also came with a whole host of research security requirements. So some of those requirements included prohibitions on participation in malign foreign government talent recruitment programs. That’s a lot. That’s a mouthful to say. It required research security training, it requires institutions to report on certain foreign financial transactions and gifts. It prohibits institutions from having Confucius Institutes, and it does a lot of things like that.
So it also mandated that federal agencies provide more transparent guidance on risk screening, and it required the NSF to set up an office that helps bridge the gap between the federal government and these academic institutions in terms of research security. So the NSF is really spearheading quite a lot of this initiative. So the upshot of all of that for institutions is that we’re now required to have a lot closer scrutiny on what our investigators, our faculty are doing with their federal R&D dollars and with their institutional resources, including their time, even for fundamental research where there wasn’t scrutiny before. So that’s what this is all about.
Justin Osborne: Okay, thank you. That’s a fantastic overview. So let me ask you this. So thinking about everything that you just said, from the requirement to have a program, if you accept over a certain amount of money, to improving or increasing the risk assessment that you do, a lot of that language sounds somewhat soft, right? Like, hey, make a program. Is there specific guidance or direction, or are you at the institution just left with, now I have to make a research security program. How do I do that?
Dr. Emily Bradford: So at this point, there’s actually more guidance available on how to implement the expected requirements than there is guidance on the requirements themselves. And that’s simply because everything is still changing. This isn’t set in stone yet. So due to the CHIPS and Science Act, the National Science Foundation has taken the lead in organizing and disseminating information from the government to the institutions, and they’re developing really extensive online resources, which is great. The NSF also disseminates reports from a group called JASON, which is an independent science advisory group. It’s very thorough, but digestible analyses of the policies. And there are a couple of related organizations. So the Council on Governmental Relations is COGR, the Association of American Universities is the AAU, and the Federal Demonstration Partnership, FDP, are all working on their own to provide universities with constant updates and with guidance about how to implement all of these policies, which is great because it’s a lot of information and it’s changing really fast.
So if you haven’t had enough alphabet soup yet from that, I would add that you can monitor information coming from the NSTC OSTP, which is the National Science and Technology Council and the Office of Science and Technology Policy. And they’re the group that is responsible for coordinating a lot of the mandates under NSPM-33. So they provide papers and documents to help us understand what we need to do. I’ll add one more thing out there. Another resource not to be overlooked is your own colleagues and regional institutions. So there are several regional research security groups that allow members to benchmark new policies and procedures and also allow small institutions to take advantage of the resources and know-how that larger institutions may bring to the table. For example, if you’re a small college and suddenly you find yourself with an NSF or DOE grant that has some type of these requirements in it, you can phone a friend at a larger university where they’ve already had to deal with some of this. So it’s still very collegial, where we’re all working together to help each other.
Justin Osborne: That’s fantastic. That’s fantastic. So those regional groups, how do you know those exist? Where do you go to find those?
Dr. Emily Bradford: Some of those are word-of-mouth. Really, the idea is to network as much as you can. So at the University of Kentucky, I would call the University of Louisville and say, Who do you know? And Louisville would call the University of Cincinnati and say, Who do you know? In that way, we start to make a network of people who know what to do.
Justin Osborne: That’s great. That’s great. Okay, so to go back, just because that’s more acronyms than I’ve heard in that short of time, in a long time. So if I understand the NSPM-33 is not complete, you’re saying, right? They’re still updating, they’re still making changes, and that’s sort of a moving target, if you will. Every other group that you listed, especially the NSTC and the OSTP, they’re sort of existing to help filter any new updates from the NSPM so that organizations and institutions like yours can understand what you need to do on the ground.
Dr. Emily Bradford: For the most part. The NSPM-33 is, it’s a finite document. It is no longer a living document, but it [inaudible 00:12:00] the agencies to make changes. And so the CHIPS and Science Act did the same thing. They were very prescriptive about what agencies need to do and what institutions need to do. And so as the government and the federal sponsors figure out how to implement the changes that were recommended by those documents, that’s what’s changing, the timelines for that are changing, and the actual mechanisms by which we need to comply are changing.
Justin Osborne: Okay, okay. So is there right now an existing date of when implementation needs to be for some of these mandates? Are there dates on the books or is it just sort of open-ended right now?
Dr. Emily Bradford: So there are some dates on the books, and some are open-ended. Some of the policy requirements have already come into effect. For example, under NSPM-33, the federal agencies were directed to harmonize some of the information that we have to disclose as part of a grants process, like biosketch information, current and pending support, things like that. So some agencies have already implemented using a common form for that. There are some policy deadlines that are coming up again this summer in July and in August that relate to how we report on gifts and grants from foreign countries and also how we handle malign foreign talent recruitment program involvement. So those things have come through. The bulk of the other requirements are still coming, and those are open-ended dates.
Justin Osborne: Okay. So that was a great summary of a lot of high-level information again, right? I’m thinking now, let’s get a little bit more in the weeds. Can you walk us through what areas of research does this impact, do all these updates and whatnot impact?
Dr. Emily Bradford: Yeah, that’s a really good question. So the impact of these requirements are going to depend on the size of an institution and the types of research that are being conducted there. So institutions with greater federal funding will necessarily be impacted more heavily, as will those that conduct higher-risk areas like AI, energy, surveillance. So one challenge that we all face is how to integrate information across the various institutional areas or stakeholders. For example, your IRB, your COI, those need to be integrated. So I mentioned that NSPM-33 came with a mandate to disclose conflicts of commitment. As part of that, the NSTC has developed a common set of forms that researchers must complete as part of their grants process. The biosketches, current and pending. These are essentially a resume or a list of all of an investigator’s research-related activities. So in order to ensure that those documents get correctly filled out and submitted to the sponsors, an institution may need to, first of all, train their researchers.
So we’re impacting researchers directly by all of this. The institution may need to engage their sponsored programs office to get a list of current and pending grants, their COI office to get a list of research-related consulting activities, their international center to determine if there are externally supported personnel working on the project. So you get the idea. It takes a village really to even complete fairly simple forms for federal sponsors. And the accuracy of these forms are where investigations and lawsuits originate when there’s information that is not accurate or where there are discrepancies. So in order to create a research security program, which is the second part of this, institutions may need to engage their compliance offices, their legal counsel, sponsored projects, IT, their international center, their travel offices, and often they need to bring in their local FBI or law enforcement agents as well.
Because we’re not law enforcement, we don’t know how to assess risk and evaluate our faculty. That’s not what we’re in the business of doing. So critically also, one of the biggest concerns about foreign government interference is IP theft, we refer to it as unwanted tech transfer. And so an institution’s intellectual properties office will also play a huge role in any research security program. So this type of compliance really demands a lot of integration among a wide range of university offices.
Justin Osborne: Yeah. Wow, that’s a very large boulder to try to push up a hill, especially at an institution or academic setting, that’s a lot. So let me ask you this, I mean, you went through a lot of the difficulties there, but just thinking in terms of folks listening to this that are at an institution themselves where they’re trying to either build a new program or maybe they don’t even know some of these new regulations that are out there or requirements, what would you say is the biggest hurdle for them trying to update their research security program?
Dr. Emily Bradford: That’s a good question. So you know how COVID forced most of us to get on board with virtual meetings?
Justin Osborne: Yes.
Dr. Emily Bradford: We were all struggling with Zoom and Teams before COVID, and then there was a really painful learning curve. And now it’s second nature for most of us. I hope that’s the way that research security is now. So the research security requirements are doing the same thing to institutions in terms of forcing us to integrate data across offices. It’s a little bit painful, but it will be easier later on. This is important because if any office in an institution knows something, all of the offices know it, right? The institution itself is responsible for that information. Okay, so let’s say a faculty member with federal research funding discloses to the COI office that they have a second research lab in a foreign country of concern. Now that may not be a conflict of interest, and your conflict of interest office could choose to ignore it, but I told you earlier that investigators need to disclose all research-related activities as part of their grants process now.
So did your institution’s pre-award team know about the second lab? Did it get disclosed to the federal sponsor? Has it been vetted by an export control office? Does it involve the exchange of human subjects data that your IRB needs to know about? Are there patents being filed in the other country that your office of tech commercialization should be aware of? Is the investigator charging travel there to a U.S. grant? So really, research security demands that institution have open lines of communication and can integrate data. And it sounds easy, but it is so hard. All of our offices tend to work in isolation, and that can’t be the case. So I honestly think that’s the biggest hurdle to getting a research security program up and running.
Justin Osborne: No, that’s a good point. Yeah, communication is always the sort of low-hanging fruit it seems, but it’s harder than it sounds to get everybody to talk and share information, especially.
Dr. Emily Bradford: It is.
Justin Osborne: Okay, so thinking about this program that you’re talking about and the fact that systems have to be in place and you have to build bridges and all this, this takes resources, right? We are all familiar, especially in the institutional world, of the concept of do more with less resources. So in the compliance world, you often have to justify programmatic growth through fear tactics, to be honest, it’s the compliance risk stuff that you throw out. So how important is it for leadership outside of this compliance and security world to understand the importance of these new requirements?
Dr. Emily Bradford: Yeah, it’s really critical that they understand them. And I think that fear tactics is often how we handled compliance in the past. For example, it used to be that when you’re having a training presentation on conflicts of interest, for example, you would either start or end by flashing up headlines of faculty who have been publicly discredited, or institutions that have had to pay money back to sponsors. All things meant to drive fear. And that’s one way to get buy into your agenda, but it’s not the only way, and I think it’s probably not the best way.
And this really becomes an issue with research security, where we have to balance the principles of unfettered and collaborative research with protecting our national interests, including our research, from foreign government interference. And we can’t do that by promoting fear, or xenophobia, or isolationism, because those are inherently antithetical to the way that academic research works. So what institutions should be doing, in my opinion, is working collaboratively with our federal partners to help honestly assess our risk. So not to say that it’s less than it is, but not to hyperbolize it either. Just get an honest assessment, assess the risk to the institution and to each individual project that’s being done. A research project on music theory doesn’t have the same risk as a research project on drone development. They’re very different things.
And then we need to figure out how we can support and advance our mission with appropriate safeguards in place. So we need to shift the dialogue away from a fear-based reaction where I say, I’m going to impose all these limitations on your work and travel and collaborations to a supportive stance where I say, Okay, you need to collaborate with researchers in a foreign country. Let’s figure out how we can make that happen safely. And I think it’s easier for our institutional leadership to be on board with funding these new compliance areas when we frame it as a way to strengthen and protect our research and support our faculty rather than trying to avoid risk and being in service to fear.
Justin Osborne: Yeah, no, I like that. I like that a lot. I think you’re also speaking to culture, and some cultures that this is not just academia or institutions, but in business, use fear. And that is sort of the negative approach to this. But I like the other side of that coin as well, the positive side. So that’s good and good advice. So speaking of the culture, I think that is one of the things that I love about the institutional research culture is the willingness to share information, help each other. You mentioned that a couple of times about groups and building networks, but what other suggestions or recommendations do you have for organizations to move forward with these updated security requirements? And you’ve already mentioned the sort of regional groups out there, but any other resources or networks that you’re aware of?
Dr. Emily Bradford: So there’s a lot of information being put forth both by the government and our federal sponsors, and again, by these professional societies that’s really invaluable. They’re pretty clear about what we need to do. The challenge is just to figure out how to actually implement that at your own institution. There is a non-technical challenge to implementing a research security program that I would offer a recommendation about. So first of all, I told you that my background is as a research scientist, and I really bristle at the idea of the federal government or my university administrators asking questions about my international travel. What conference did I attend? Who did I bring into the lab? Who am I collaborating with? What is my outside consulting? That doesn’t sit well with me.
And that’s because fundamental research has always been fairly open and collaborative, and science simply works better when you give other scientists access to the best scholars in the world and you’re exchanging data openly. And think about the influx of foreign scientists to the U.S. during World War II, that made all the difference in the world. Literally, think about the amount of data that was exchanged globally and rapidly to tackle COVID. That’s science at its best, right?
Justin Osborne: Yeah.
Dr. Emily Bradford: So institutions need to work really hard, I think, to make sure that their research security programs, at their core, are designed to advance research rather than constrain it. They need to ensure that any extra administrative burden is justified by a risk analysis and isn’t just administrative creep, and they need to warmly welcome and support investigators from all over the world. So there’s currently 1.4 million international scholars in the U.S., and we need to make sure that those people and their contributions are valued and not feared. So I think the core of the research security program needs to be to enable researchers to do their jobs, and that includes talking about their data and traveling and hosting foreign scholars without undue burden. So that’s my main recommendation as people try to build in safeguards to the system, remember what you want your institutional culture to be and use that as a scaffold to build your processes.
Justin Osborne: That’s great. That’s great. I like the balance. I like that you, as the research security expert in this, are coming at this from a very balanced viewpoint of there’s real risk at stake here, but also not to be put at the expense of doing good research.
Dr. Emily Bradford: Agree completely. Because that’s what we’re trying to do, research. We can’t strangle it with regulation and limitation. There has to be that balance.
Justin Osborne: Emily, thank you so much. This has been wonderful, super informative. I appreciate you going through all this information, and I think this is going to help a lot of folks out there looking at the research security world.
Dr. Emily Bradford: Hopefully.
Justin Osborne: Well, thanks for joining.
Dr. Emily Bradford: Thank you.
Justin Osborne: Hello again, welcome back to our segment, same team. This is where I ask my guests to reflect on their own careers and connect us all back to our shared mission in the industry. So I still have Emily with me here. And Emily, it’s easy to get bogged down in the weeds of our jobs and specific roles in the research industry, but I do think that most of us stay in this research field because we do genuinely believe in doing our part to help move healthcare forward for our friends and family. Can you tell us an experience or a story from your career that helps connect you with this idea that we’re all in this industry to help?
Dr. Emily Bradford: Sure. So the idea of being on the same team is an interesting one, and it really works on a lot of levels. So researchers themselves don’t work in isolation, right? They’re on teams with their trainees, their employees, their visiting scholars, their collaborators, and even their competitors. And you need all of those components to push research forward. Additionally, those investigators need to be on the same team as their institutions and all of the people and infrastructure that enable that research. So research administrators, compliance officers, program managers, and institutional leadership need to be on the team with their investigators and have a cohesive mission and the same priorities. Lastly, none of this happens without federal support. And the federal sponsors, institutions, and investigators also all need to be team players with aligned goals and values. There’s a lot of teams, but we all have to be playing the same ball game.
So an example that comes to mind is a professor who has a lot of family, friends, and scientific collaborators in a foreign country of concern. She came to us and said, “In the current climate, I think it’s too risky to my research program for me to continue to travel to this country, or have foreign collaborators or students, or even to accept grants from U.S. federal agencies with a history of perhaps overzealous screening processes.” And that’s a little bit heartbreaking. She wanted to stop her research because it’s too risky. So what we did in this very hypothetical example is help the researcher understand our international travel policy so that the institution could mitigate some of that risk. We offered to help screen collaborators and visiting scholars using guidance from the federal government, and we talked about project-specific risks and made sure to be very open and transparent with her federal research sponsors. So when we engage all of those teams, that’s when we can support research moving forward rather than getting caught up in anxiety about the risk. And that’s a win-win-win for all of those teams.
Justin Osborne: That’s fantastic. I really like that example. I mean, I think that that is a perfect sort of summation of this same team concept, like you said, right? It’s that you do research the right way, and it’s good. We’re all in this thing together, and we’re all trying to move things forward. And as new requirements, new regulations come out, it’s everybody’s job to sort of get on the same page with how do we move this thing forward in the best way possible? So I like that.
Dr. Emily Bradford: Absolutely. Absolutely.
Justin Osborne: Well, again, thank you so much, Emily. Thanks for sharing, and it was great talking to you.
Dr. Emily Bradford: All right, thank you for having me.
Justin Osborne: Be sure to follow, like, and subscribe to On Research with CITI Program. If you enjoyed this episode, you may be interested in other podcasts in the CITI Program universe, including On Campus and On Tech Ethics. You can listen to all our podcasts on Apple Podcasts, Spotify, and other streaming services. You should also review our content offerings regularly, as we continually add new courses, subscriptions, and webinars. Thanks for listening.
How to Listen and Subscribe to the Podcast
You can find On Research with CITI Program available from several of the most popular podcast services. Subscribe on your favorite platform to receive updates when episodes are newly released. You can also subscribe to this podcast by pasting “https://feeds.buzzsprout.com/2112707.rss” into your podcast apps.
Recent Episodes
- Season 2 – Episode 3: Understanding Exception from Informed Consent
- Season 2 – Episode 2: Research Site Operations
- Season 2 – Episode 1: Research Compliance
- Season 1 – Episode 13: PRIM&R 2023: Insights and Takeaways
Meet the Guest
Emily Bradford, PhD – University of Kentucky
Dr. Bradford is currently the Assistant Director of Research Compliance at the University of Kentucky.
Meet the Host
Justin Osborne, Host, On Research Podcast – HRP Consulting Group
Justin is the host of CITI Program’s On Research Podcast. He has over 16 years of experience in the human subject research field. Justin began his career working for a local IRB and then a commercial IRB. After spending time on the industry side doing business development, he transitioned to research operations as the Director of Clinical Research at an Academic Medical Center and later a community hospital.