Douglas Zipay

Douglas Zipay

Cybersecurity Project Manager turned IT Systems Auditor and now pivoting into CMMC Certified Assessments. Helping the US Government and defense contractors move from “compliant on paper” to genuinely secure.


Robust cybersecurity isn’t a checkbox – it’s the foundation of national security and business resilience. I’ve built my expertise from three vantage points, and each one sharpens the other two.

As a Technical and Cybersecurity Project Manager, I learned how systems actually get built, deployed, and kept running under real operational pressure. As an IT Systems Auditor, I learned how to test whether controls hold up under scrutiny, not just whether they exist on paper. And now CMMC Certified Assessor (CCA), I now apply both lenses at once — evaluating cybersecurity posture with the technical fluency of someone who’s managed the systems, and the rigor of someone whose job is to find what doesn’t hold up.

DOUG WAS BUILT NOT BORN

“Doug was Built not Born” is more than a tagline — it’s the philosophy that governs my professional life. My expertise wasn’t inherited; it was constructed deliberately, through discipline, field experience, and a relentless drive for evolution.

The Foundation: Naval Service
My journey began in the U.S. Navy as an Electronics Technician, retiring as Chief Petty Officer. That service instilled the accountability and operational discipline required for mission-critical, no-fail work.

The Next Chapter: On the Gear
When I left the Navy, I stayed close to the mission as a defense contractor — starting back on the gear, supporting advanced SATCOM and IT systems for U.S. Special Forces communicators around the world. That hands-on chapter is where I re-earned my credibility from the ground up, before working my way back into management.

The Expansion: Technical & Cybersecurity Project Management
I advanced from hands-on engineering into Technical and Cybersecurity Project Management, supporting federal and defense environments. This is where I learned to run complex technical initiatives end-to-end — scope, risk, stakeholders, delivery — while keeping security requirements load-bearing rather than bolted on at the end.

The Pivot: IT Systems Audit & CMMC Assessment
Today, as an IT Systems Auditor and CMMC Certified Assessor (CCA/CCP), I’ve shifted from building systems to testing whether they hold up. I evaluate against NIST SP 800-171 and the CMMC assessment framework with the practical understanding of someone who’s actually managed the environments being assessed.

The Strategic Balance: Business & Finance
An MBA in Financial Management underpins how I view cybersecurity — not as a technical hurdle, but as a driver of business viability and risk-adjusted decision-making.

What’s Next
I’m pivoting into CMMC assessment and/or consulting work supporting the Defense Industrial Base — bringing the same combination of technical depth, assessment rigor, and delivery experience directly to organizations navigating certification.

Doug Was Built Not Born


WHAT I DO

CMMC Assessment – Certified CCA/CCP, applying NIST SP 800-171 / 800-171A assessment objectives with Depth & Coverage rigor

IT Systems Auditing – Federal/DoD environments, guidance and direction

Technical & Cybersecurity Project Management – PMP and PSM credentialed delivery of complex technical initiatives

Credentials – CISSP · CISM · CISA · CEH · PMP · PSM · ITIL · CMMC CCA/CCP

The "Doug Was Built, Not Born" Blog

Here I share past and present experiences where I’ve grown professionally and personally – and some opinions along the way. There’s no particular order to my postings as I add subject matter often.

The Leap I’m Making

There are moments in a career where you can feel the window opening. The question is whether you have the nerve to climb through it. I'm climbing through it. I've accepted a position as a Cybersecurity Maturity Model Certification (CMMC) Assessor, and I want to be honest about what that means — because it's not a clean, simple decision. It's a leap of faith, and leaps of faith are uncomfortable by design. What I'm Leaving Behind Let me be clear about something first: I am not leaving a bad situation. Not even close. The company I'm currently with has been a great place to work. The contractors I've worked alongside are sharp, professional, and genuinely good people. The government employees we support have been outstanding. The work has...

read more

The AI Sandbox: How I Used Claude and Gemini to Master CMMC and NIST Controls

In the contracting world, stability is a luxury. When a contract enters a recompete phase, you don’t wait around to see which way the wind blows; you get ready for whatever comes next. For me, that meant aggressively closing the gaps in my compliance toolkit—specifically around the Cybersecurity Maturity Model Certification (CMMC) and some of the more nuanced controls in NIST SP 800-53. My strategy wasn't just reading frameworks; it was interactive combat testing. Over the last few months, I’ve been running an ongoing, dual-platform simulation, flip-flopping between Claude and Gemini to act as my virtual assessment team. By leveraging both AI platforms, I’ve been able to generate complex, real-world auditing scenarios and rigorously...

read more

My Third Duty Station Taught Me That Auditing Isn’t About Hiding Problems. It’s About Owning Them.

After Cutler, I didn't get to choose my next assignment. The detailer had a critical fill in Guam and I was the body that fit the billet. The person replacing me in Cutler was — literally — the person I was replacing in Guam. That's how the Navy works sometimes. My new home was Naval Computer and Telecommunications Area Master Station Western Pacific — NCTAMS WESTPAC — in Dededo, Guam. The jump from a small, specialized VLF transmitter station in rural Maine to a multi-floor master station supporting the Third, Fifth, and Seventh Fleets was significant. This wasn't a detachment. This was the communications hub for an entire ocean area. The critical billet I was filling: VERDIN/ISABPS — same as Cutler, but now at a command that operated at...

read more

Eight Certifications, Zero Bootcamps: What They Taught Me (and What They Didn’t)

I currently hold eight active certifications: CISA, CISM, CISSP, CEH, PMP, PSM, CCA, CCP, and ITIL. I've also let four lapse over the years - CCNA, CFCM, Security+, and Network+. Not because I failed to maintain them, but because they'd done their job and my career had moved past where they were needed. Letting a cert expire on purpose is its own kind of decision, and I don't regret a single one of them. It does cost money and time keeping certs. Here's the part I want to be upfront about: I didn't bootcamp my way through any of these. No weekend crash courses, no test dump memorization, no shortcut path. I bought the books, built the study plans, and put in the hours myself — nights, weekends, whatever time I could carve out around a...

read more

My Second Duty Station Was the World’s Most Powerful Radio Transmitter. I Worked Inside It.

Imagine, I was the SME and Lead Supervisor here - when I was only in my mid 20's! I was stationed at Naval Computer and Telecommunications Station Cutler, Maine — a remote posting in Washington County on the Down East coast, not far from the Canadian border. Most people drive past it and see nothing but forest and fog. What they can't see is what lives below those towers. The station runs a 2 megawatt VLF (Very Low Frequency) transmitter - 20 times the output of a major commercial radio station making it one of the most powerful radio transmitters in the world. Its mission: maintain a continuous communications link between the Navy's command authority and submarines operating in the North Atlantic, Arctic Ocean, and Mediterranean Sea, in...

read more

Current Certifications