About William Zujkowski

I'm a Senior Security Engineer at Cloud.gov (yes, part of GSA TTS—the folks who help make government tech not terrible). I spend my days designing security controls for a FedRAMP Moderate cloud platform. But I also spend way too many nights in my homelab breaking things to understand how they work.

Right now, I'm a GS-15 Individual Contributor at Cloud.gov, which means I get to focus on actual engineering work instead of endless meetings. My days involve designing security controls for a multi-tenant cloud platform—network segmentation, identity federation, compliance automation, and security tooling governance across CI/CD pipelines. Basically making sure teams can deploy safely without security controls getting in their way.


The Journey

My path to federal cloud security started in 2005 with an independent IT consulting practice. And by "consulting practice," I mean I fixed broken computers and networks for anyone who'd hire me—small businesses, local offices, whoever needed help and could pay my hourly rate. I vividly remember spending 12 hours at a client's office around 2007 because I fat-fingered a DNS entry and took down their entire email system. Bought pizza for the whole team. Learned to always, always double-check before hitting Enter.

Over five years (2005-2010), that evolved from "my computer won't start" house calls into enterprise IT support, then a lucky break into security engineering at the National Institutes of Health (NIH) in 2010. I spent over a decade there, working at both the NIH Office of the CIO and the National Human Genome Research Institute, where I discovered I really loved security—especially when it enabled scientists to do their research faster, not slower.

At NIH, I led vulnerability management for the entire enterprise—about 100,000+ assets spread across 27 Institutes and Centers. The hardest part wasn't the tech. It was convincing 27 different IT teams to move at the same speed. I spent years learning that security controls only work if people actually use them, which means you have to make the secure path the easy path.

I served as Security Engineering Lead at NHGRI (2018-2021), securing research infrastructure for about 2,200 endpoints—including million-dollar genomic sequencers that scientists would absolutely revolt over if you tried to patch them during a sequencing run. That taught me more about stakeholder management than any textbook ever could.

After that, I spent time as a Lead HPC Site Reliability Engineer (2023), supporting high-performance computing clusters for biomedical research. Bridging infrastructure, automation, and research workloads taught me that uptime matters just as much as security when people are running week-long molecular dynamics simulations.

Eventually, all of that experience brought me to Cloud.gov, where I now help secure a FedRAMP Moderate cloud platform. It turns out 20 years of breaking things and learning how to fix them is pretty good preparation for designing secure cloud infrastructure.


What I Do Now

Cloud Security Architecture

Design and operate network controls for a multi-tenant cloud platform—web application firewalls, microsegmentation policies, and infrastructure-as-code automation. Spent months learning IaC just to avoid clicking through cloud consoles for firewall rules. Best decision ever.

Identity & Federation

Implement and maintain smart card authentication, SSO integrations, and federated identity systems for federal customers. Identity is one of those things nobody notices when it works and everyone notices when it breaks—usually at 3am.

Security Tooling Governance

Oversee CI/CD security scanning, infrastructure scanning, and vulnerability management across the platform. My job is to make sure teams can ship code without accidentally deploying critical vulnerabilities.

Compliance & Standards

Key SME for NIST 800-53 Revision 4 → Revision 5 migration (which was basically rewriting every control narrative to map old requirements to new families). I contribute to our FedRAMP annual assessments and write RFC commentary because someone has to read the fine print.


Selected Prior Impact

🔥 NIH Log4j Response (2021)

I was designated NIH OCIO's Log4j subject matter expert basically overnight when Log4Shell dropped. Spent 72 hours straight coordinating vulnerability scans across 100,000+ assets, living on coffee and adrenaline. Built relationships with every Institute and Center IT team that still help me today. Also learned that you can survive on gas station sandwiches longer than you'd think.

🏛️ CISA BOD 22-01 Adoption (2021-2022)

Led NIH's adoption of CISA Binding Operational Directive 22-01 (reducing the known exploited vulnerabilities remediation timeline), coordinating response across all 27 NIH Institutes and Centers. The hardest part wasn't the tech—it was convincing 27 different IT teams to move at the same speed. Learned more about stakeholder management and compromise in those 6 months than in the previous decade. Also learned to always schedule meetings after lunch when people are less cranky.

🧬 NHGRI Research Infrastructure Security (2018-2021)

Secured research infrastructure supporting about 2,200 endpoints—including million-dollar genomic sequencers and electron microscopes that scientists would absolutely revolt over if you tried to patch them mid-experiment. Learned that researchers don't care about security until you explain how it protects their grant-funded experiments and data. Also learned to never, ever interrupt a week-long genome sequencing run. The hard way.

HPC Enablement (2023)

Implemented automation and resilience for high-performance computing clusters supporting molecular dynamics and computational biology research. Learned that uptime matters just as much as security when researchers are running week-long simulations that cost thousands of dollars in compute time. Also learned that "the cluster is down" emails at 2am are surprisingly motivating.


How I Think About Security

I believe security should enable work, not block it. The best controls? Users never notice them because they just work. Nobody cares about your perfect firewall rules if they can't deploy their app.

Here's what I've learned over 20 years in IT and 15 years in security:

Technical Excellence Is Not Enough

You can design the most elegant network segmentation in the world, but if developers can't deploy their code, they'll find a workaround. Your job is to make the secure path the easy path. I learned this the hard way trying to enforce patching schedules on scientists running week-long experiments.

Compliance Frameworks Are Forcing Functions

NIST 800-53 and FedRAMP aren't checkbox exercises. They're forcing functions that make you think about threat models, blast radius, and recovery time objectives. I've spent enough time implementing controls to know: compliance done right makes you more secure. Compliance done wrong makes you miserable.

Automation Isn't About Replacing People

It's about freeing them to do interesting work instead of clicking buttons. I spent months learning Terraform so our team could manage firewall rules as code instead of logging into consoles. Best investment I've made. Now we spend time on architecture problems, not typos.

AI Security Is About Governance, Not Just Tech

I'm exploring how we build and secure AI systems that augment human decision-making rather than replace it. The hard problems aren't the models—they're the humans, policies, and processes around them. Just like every other security problem I've worked on.

If security slows teams down, they'll work around it. If compliance feels like busywork, it won't get done right. If automation is brittle, nobody will trust it. I've been doing this long enough to know: good security is invisible until you need it.


Connect

I love connecting with folks who geek out about cloud security, identity federation, compliance automation, or AI infrastructure security. Whether you're building something cool, stuck on a problem, or just want to talk shop about homelab setups, feel free to reach out.

Topics I'm always happy to talk about:

Cloud Security: Architecture & FedRAMP
Identity & Federation: At Scale
Compliance: NIST 800-53 Automation
AI Security: Infrastructure & Governance


When I'm Not Working

You'll find me in my homelab, which has grown from a single Raspberry Pi in 2015 to a Dell PowerEdge R940 running Proxmox, a fleet of Raspberry Pi 4s handling K3s clusters, and way too many Docker containers. I run my own Wazuh SIEM, self-hosted Bitwarden, and whatever else I'm experimenting with that week.

I'm also deep into AI/LLM experimentation—not just using ChatGPT, but actually running local models, building agents, and figuring out how to secure these systems in production environments. It's fascinating and terrifying in equal measure.

Fair warning: I've accidentally fried a $400 GPU overclocking it to squeeze out more performance for a local LLM. RIP. Also managed to take down my entire home network for 6 hours trying to implement VLAN segmentation "just to see how it works." My partner was not amused when Netflix stopped working during their favorite show.

I'm currently learning Rust by building a vulnerability aggregation tool that I'll probably never finish. But that's the point—curiosity is the best cybersecurity skill there is, and breaking things in my homelab means I don't break them in production.

Favorite debugging method: rubber duck debugging with my actual pet duck. His name is Quackers. He's a surprisingly good listener.