Information about Capability Maturity Model

The Capability Maturity Model (CMM), also known as the Software CMM (SW-CMM), was first described by Watts Humphrey in his book Managing the Software Process ^[1]. The CMM is a process model based on software best-practices effective in large-scale, multi-person projects.

The CMM has been retired and not been updated in over 10 years. CMM has been superseded by CMMI (Capability Maturity Model Integration).

The CMM has been used to assess the maturity levels of organization areas as diverse as software engineering, system engineering, project management, risk management, system acquisition, information technology (IT) or personnel management, against a scale of five key processes, namely: Initial, Repeatable, Defined, Managed and Optimized.^[2]

CMM was developed by the Software Engineering Institute (SEI) at Carnegie Mellon University in Pittsburgh. It has been used extensively for avionics software and government projects around the world.

Currently, some government departments require software development contract organizations to achieve and operate at a level-3 standard.

Maturity model

The Capability Maturity Model (CMM) is a way to develop and refine an organization's processes. The first CMM was for the purpose of developing and refining software development processes. A maturity model is a structured collection of elements that describe characteristics of effective processes. A maturity model provides:

• a place to start
• the benefit of a community’s prior experiences
• a common language and a shared vision
• a framework for prioritizing actions
• a way to define what improvement means for your organization.

A maturity model can be used as a benchmark for assessing different organizations for equivalent comparison. The model describes the maturity of the company based upon the project the company is handling and the related clients.

Structure of CMM

The CMM involves the following aspects:

• Maturity Levels: It is a layered framework providing a progression to the discipline needed to engage in continuous improvement (It is important to state here that an organization develops the ability to assess the impact of a new practice, technology, or tool on their activity. Hence it is not a matter of adopting these, rather it is a matter of determining how innovative efforts influence existing practices. This really empowers projects, teams, and organizations by giving them the foundation to support reasoned choice.)
• Key Process Areas: A Key Process Area (KPA) identifies a cluster of related activities that, when performed collectively, achieve a set of goals considered important.
• Goals: The goals of a key process area summarize the states that must exist for that key process area to have been implemented in an effective and lasting way. The extent to which the goals have been accomplished is an indicator of how much capability the organization has established at that maturity level. The goals signify the scope, boundaries, and intent of each key process area.
• Common Features: Common features include practices that implement and institutionalize a key process area. These five types of common features include: Commitment to Perform, Ability to Perform, Activities Performed, Measurement and Analysis, and Verifying Implementation.
• Key Practices: The key practices describe the elements of infrastructure and practice that contribute most effectively to the implementation and institutionalization of the key process areas.

Levels of the CMM

(See chapter 2 of (March 2002 edition of CMMI from SEI), page 11.)

There are five levels of the CMM. According to the SEI,

"Predictability, effectiveness, and control of an organization's software processes are believed to improve as the organization moves up these five levels. While not rigorous, the empirical evidence to date supports this belief."

Level 1 - Initial

At maturity level 1, processes are usually ad hoc, and the organization usually does not provide a stable environment. Success in these organizations depends on the competence and heroics of the people in the organization, and not on the use of proven processes. In spite of this ad hoc, chaotic environment, maturity level 1 organizations often produce products and services that work; however, they frequently exceed the budget and schedule of their projects.

Maturity level 1 organizations are characterized by a tendency to over commit, abandon processes in the time of crisis, and not be able to repeat their past successes again.

Level 1 software project success depends on having high quality people.

Level 2 - Repeatable [Managed]

At maturity level 2, software development successes are repeatable. The processes may not repeat for all the projects in the organization. The organization may use some basic project management to track cost and schedule.

Process discipline helps ensure that existing practices are retained during times of stress. When these practices are in place, projects are performed and managed according to their documented plans.

Project status and the delivery of services are visible to management at defined points (for example, at major milestones and at the completion of major tasks).

Basic project management processes are established to track cost, schedule, and functionality. The minimum process discipline is in place to repeat earlier successes on projects with similar applications and scope. There is still a significant risk of exceeding cost and time estimates.

Level 3 - Defined

The organization’s set of standard processes, which are the basis for level 3, are established and improved over time. These standard processes are used to establish consistency across the organization. Projects establish their defined processes by applying the organization’s set of standard processes, tailored, if necessary, within similarly standardized guidelines.

The organization’s management establishes process objectives for the organization’s set of standard processes, and ensures that these objectives are appropriately addressed.

A critical distinction between level 2 and level 3 is the scope of standards, process descriptions, and procedures. At level 2, the standards, process descriptions, and procedures may be quite different in each specific instance of the process (for example, on each particular project). At level 3, the standards, process descriptions, and procedures for a project are tailored from the organization’s set of standard processes to suit a particular project or organizational unit.

Effective project management is implemented with the help of good project management software.

Level 4 - Quantitatively Managed

Using precise measurements, management can effectively control the software development effort. In particular, management can identify ways to adjust and adapt the process to particular projects without measurable losses of quality or deviations from specifications. Organizations at this level set quantitative quality goals for both software process and software maintenance. Subprocesses are selected that significantly contribute to overall process performance. These selected subprocesses are controlled using statistical and other quantitative techniques. A critical distinction between maturity level 3 and maturity level 4 is the predictability of process performance. At maturity level 4, the performance of processes is controlled using statistical and other quantitative techniques, and is quantitatively predictable. At maturity level 3, processes are only qualitatively predictable.

Level 5 - Optimizing

Maturity level 5 focuses on continually improving process performance through both incremental and innovative technological improvements. Quantitative process-improvement objectives for the organization are established, continually revised to reflect changing business objectives, and used as criteria in managing process improvement. The effects of deployed process improvements are measured and evaluated against the quantitative process-improvement objectives. Both the defined processes and the organization’s set of standard processes are targets of measurable improvement activities.

Process improvements to address common causes of process variation and measurably improve the organization’s processes are identified, evaluated, and deployed.

Optimizing processes that are nimble, adaptable and innovative depends on the participation of an empowered workforce aligned with the business values and objectives of the organization. The organization’s ability to rapidly respond to changes and opportunities is enhanced by finding ways to accelerate and share learning.

A critical distinction between maturity level 4 and maturity level 5 is the type of process variation addressed. At maturity level 4, processes are concerned with addressing special causes of process variation and providing statistical predictability of the results. Though processes may produce predictable results, the results may be insufficient to achieve the established objectives. '''At maturity level 5, processes are concerned with addressing common causes of process variation and changing the process (that is, shifting the mean of the process performance) to improve process performance (while maintaining statistical probability) to achieve the established quantitative process-improvement objectives.

Extensions

Recent versions of CMMI from SEI indicate a "level 0", characterized as "Incomplete". Many observers leave this level out as redundant or unimportant, but Pressman and others make note of it. See page 18 of the August 2002 edition of CMMI from SEI.^[3]

Anthony Finkelstein^[4] extrapolated that negative levels are necessary to represent environments that are not only indifferent, but actively counterproductive, and this was refined by Tom Schorsch^[5] as the Capability Immaturity Model.

Key process areas

For more details on this topic, see Process area (CMMI).

The CMMI contains several key process areas indicating the aspects of product development that are to be covered by company processes.

Software process framework for SEI's Capability Maturity Model

The software process framework documented is intended to guide those wishing to assess an organization/projects consistency with the CMM. For each maturity level there are five checklist types:

TypeSD	Description
Policy	Describes the policy contents and KPA goals recommended by the CMM.
Standard	Describes the recommended content of select work products described in the CMM.
Process	Describes the process information content recommended by the CMM. The process checklists are further refined into checklists for: roles entry criteria inputs activities outputs exit criteria reviews and audits work products managed and controlled measurements documented procedures training tools
Procedure	Describes the recommended content of documented procedures described in the CMM.
Level Overview	Provides an overview of an entire maturity level. The level overview checklists are further refined into checklists for: KPA purposes (Key Process Areas) KPA goals policies standards process descriptions procedures training tools reviews and audits work products managed and controlled measurements

History

The Capability Maturity Model was initially funded by military research. The United States Air Force funded a study at the Carnegie-Mellon Software Engineering Institute to create an abstract model for the military to use as an objective evaluation of software subcontractors. The result was the Capability Maturity Model, published as Managing the Software Process in 1989. The CMM is no longer supported by the SEI and has been superseded by the more comprehensive Capability Maturity Model Integration (CMMI), of which version 1.2 has now been released.

Context

In the 1970s, technological improvements made computers more widespread, flexible, and inexpensive. Organizations began to adopt more and more computerized information systems and the field of software development grew significantly. This led to an increased demand for developers—and managers—which was satisfied with less experienced professionals.

Unfortunately, the influx of growth caused growing pains; project failure became more commonplace not only because the field of computer science was still in its infancy, but also because projects became more ambitious in scale and complexity. In response, individuals such as Edward Yourdon, Larry Constantine, Gerald Weinberg, Tom DeMarco, and David Parnas published articles and books with research results in an attempt to professionalize the software development process.

Watts Humphrey's Capability Maturity Model (CMM) was described in the book Managing the Software Process (1989). The CMM as conceived by Watts Humphrey was based on the work a decade earlier of Phil Crosby who published the Quality Management Maturity Grid in his book Quality is Free in 1979.^[6] Active development of the model by the SEI (US Dept. of Defense Software Engineering Institute) began in 1986.

The CMM was originally intended as a tool to evaluate the ability of government contractors to perform a contracted software project. Though it comes from the area of software development, it can be, has been, and continues to be widely applied as a general model of the maturity of processes (e.g., IT Service Management processes) in IS/IT (and other) organizations.

Note that the first application of a staged maturity model to IT was not by CMM/SEI, but rather Richard L. Nolan in 1973.^[7]

The model identifies five levels of process maturity for an organisation:

1. Initial (chaotic, ad hoc, heroic) the starting point for use of a new process.
2. Repeatable (project management, process discipline) the process is used repeatedly.
3. Defined (institutionalized) the process is defined/confirmed as a standard business process.
4. Managed (quantified) process management and measurement takes place.
5. Optimising (process improvement) process management includes deliberate process optimization/improvement.

Within each of these maturity levels are KPAs (Key Process Areas) which characterise that level, and for each KPA there are five definitions identified:

1. Goals
2. Commitment
3. Ability
4. Measurement
5. Verification

The KPAs are not necessarily unique to CMM, representing — as they do — the stages that organizations must go through on the way to becoming mature.

The assessment is supposed to be led by an authorised lead assessor. One way in which companies are supposed to use the model is first to assess their maturity level and then form a specific plan to get to the next level. Skipping levels is not allowed.

N.B.: The CMM was originally intended as a tool to evaluate the ability of government contractors to perform a contracted software project. It may be suited for that purpose. When it became a general model for software process improvement, there were many critics.

"Shrinkwrap" companies are also called "COTS" or commercial-off-the-shelf firms or software package firms. They include Claris, Apple, Symantec, Microsoft, and Lotus, amongst others. Many such companies rarely if ever managed their requirements documents as formally as the CMM described in order to achieve level 2, and so all of these companies would probably fall into level 1 of the model.

Origins

The United States Air Force funded a study at the SEI to create a model for the military to use as an objective evaluation of software subcontractors. In 1989, the Capability Maturity Model was published as Managing the Software Process. The basis for the model is the Quality Management Maturity Grid introduced by Philip Crosby in his 1979 book 'Quality is Free'.

Timeline

• 1987: SEI-87-TR-24 (SW-CMM questionnaire), released.
• 1989: Managing the Software Process, published.
• 1990: SW-CMM v0.2, released (first external issue see Paulk handout).
• 1991: SW-CMM v1.0, released.
• 1993: SW-CMM v1.1, released.
• 1997: SW-CMM revisions halted in support for CMMI.
• 2000: CMMI v1.02, released.
• 2002: CMMI v1.1, released.
• 2006: CMMI v1.2, released.

Current state

Although these models have proved useful to many organizations, the use of multiple models has been problematic. Further, applying multiple models that are not integrated within and across an organization is costly in terms of training, appraisals, and improvement activities. The CMM Integration project was formed to sort out the problem of using multiple CMMs. The CMMI Product Team's mission was to combine three source models:

1. The Capability Maturity Model for Software (SW-CMM) v2.0 draft C
2. The Systems Engineering Capability Model (SECM)
3. The Integrated Product Development Capability Maturity Model (IPD-CMM) v0.98
4. Supplier sourcing

CMMI is the designated successor of the three source models. The SEI has released a policy to sunset the Software CMM and previous versions of the CMMI.^[8] The same can be said for the SECM and the IPD-CMM; these models were superseded by CMMI.

Future direction

With the release of the CMMI Version 1.2 Product Suite, the existing CMMI has been renamed the CMMI for Development (CMMI-DEV), V1.2.[1] A version of the CMMI for Services is being developed by a Northrop Grumman-led team under the auspices of the SEI, with participation from Boeing, Lockheed Martin, Raytheon, SAIC, SRA, and Systems and Software Consortium (SSCI).[2] A CMMI for Acquisition (CMMI-ACQ) is also under development at the SEI.[3]

Suggestions for improving CMMI are welcomed by the SEI. For information on how to provide feedback, see the CMMI Web site.

In some cases, CMM can be combined with other methodologies. It is commonly used in conjunction with the ISO 9001 standard. JPMorgan Chase & Co. tried combining CMM with the computer programming methodologies of Extreme Programming (XP), and Six Sigma. They found that the three systems reinforced each other well, leading to better development, and did not mutually contradict, see Extreme Programming (XP), Six Sigma and CMMI.

Controversial aspects

The software industry is diverse and volatile. All methodologies for creating software have supporters and critics, and the CMM is no exception.

Praise

• The CMM was developed to give Defense organizations a yardstick to assess and describe the capability of software contractors to provide software on time, within budget, and to acceptable standards. It has arguably been successful in this role, even reputedly causing some software sales people to clamour for their organizations' software engineers/developers to "implement CMM."
• The CMM is intended to enable an assessment of an organization's maturity for software development. It is an important tool for outsourcing and exporting software development work. Economic development agencies in India, Ireland, Egypt, Syria, and elsewhere have praised the CMM for enabling them to be able to compete for US outsourcing contracts on an even footing.
• The CMM provides a good framework for organizational improvement. It allows companies to prioritize their process improvement initiatives.

Criticism

• CMM has failed to take over the world. It's hard to tell exactly how wide spread it is as the SEI only publishes the names and achieved levels of compliance of companies that have requested this information to be listedhttp://www.sei.cmu.edu/cmmi/faq/ares-faq.html#RATE03. The most current Maturity Profile for CMMI is available online.
• CMM is well suited for bureaucratic organizations such as government agencies, large corporations and regulated monopolies. If the organizations deploying CMM are large enough, they may employ a team of CMM auditors reporting their results directly to the executive level. (A practice encouraged by SEI.) The use of auditors and executive reports may influence the entire IT organization to focus on perfectly completed forms rather than application development, client needs or the marketplace. If the project is driven by a due date, CMMs intensive reliance on process and forms may become a hindrance to meeting the due date in cases where time to market with some kind of product is more important than achieving high quality and functionality of the product.
• Suggestions of scientifically managing the software process with metrics only occur beyond the Fourth level. There is little validation of the processes cost savings to business other than a vague reference to empirical evidence. It is expected that a large body of evidence would show that adding all the business overhead demanded by CMM somehow reduces IT headcount, business cost, and time to market without sacrificing client needs.
• No external body actually certifies a software development center as being CMM compliant. It is supposed to be an honest self-assessment (http://www.sei.cmu.edu/cmmi/faq/ares-faq.html#APR04 and http://www.sei.cmu.edu/cmmi/faq/ares-faq.html#APR05). Some organizations misrepresent the scope of their CMM compliance to suggest that it applies to their entire organization rather than a specific project or business unit.
• The CMM does not describe how to create an effective software development organization. The CMM contains behaviors or best practices that successful projects have demonstrated. Being CMM compliant is not a guarantee that a project will be successful, however being compliant can increase a project's chances of being successful.
• The CMM can seem to be overly bureaucratic, promoting process over substance. For example, for emphasizing predictability over service provided to end users. More commercially successful methodologies (for example, the Rational Unified Process) have focused not on the capability of the organization to produce software to satisfy some other organization or a collectively-produced specification, but on the capability of organizations to satisfy specific end user "use cases" as per the Object Management Group's UML (Unified Modeling Language) approachhttp://www.sei.cmu.edu/publications/documents/93.reports/93.tr.024.html.
• From the systemic perspective, the CMM(I) represents a (n+1) classical engineering approach which does not take under consideration numerous human cognitive, organizational and cultural factors, essential for the success of every projects, see also socio-cognitive engineering viewpoint. On the other hand, a process design is strongly connected with the process carrier systems and their requested functions and goals, these clear computational relations are especially important for the validation of the results of the CMM(I) applications. It seems, the CMM(I) requires yet a solid theoretical ontological and epistemological background in order to be a trust wary standard, for an example only, the arbitrary initial choice of the levels and Key Process Areas are not sufficiently motivated.

The most beneficial elements of CMM Level 2 and 3

• Creation of Software Specifications, stating what is going to be developed, combined with formal sign off, an executive sponsor and approval mechanism. This is NOT a living document, but additions are placed in a deferred or out of scope section for later incorporation into the next cycle of software development.
• A Technical Specification, stating how precisely the thing specified in the Software Specifications is to be developed will be used. This is a living document.
• Peer Review of Code (Code Review) with metrics that allow developers to walk through an implementation, and to suggest improvements or changes. (Note - This is problematic because the code has already been developed, and a bad design potentially cannot be fixed by "tweaking".) The Code Review gives complete code a formal approval mechanism.
• Version Control - a very large number of organizations have no formal revision control mechanism or release mechanism in place.
• The idea that there is a "right way" to build software, that it is a scientific process involving engineering design and that groups of developers are not there to simply work on the problem du jour.

Companies appraised against the CMMI

Many IT companies across the world are making forays up the CMMI level ladder.

For a complete list view the published SCAMPI results.

See also

• Personal Software Process (PSP) and Team Software Process (TSP), two other process models also developed by the Software Engineering Institute to address individual and team software development respectively
• Information Technology Infrastructure Library (ITIL), a framework of best practice approaches intended to facilitate the delivery of high quality information technology (IT) services.
• Software maintenance where maturity models have been created for software maintenance.
• Capability Maturity Model Integration
• People Capability Maturity Model
• ISO 15504, SPICE
• Open ePolicy Group which developed an innovative maturity model to gauge the openness of ICT ecosystems as part of its em>Roadmap for Open ICT Ecosystems

One must be very skeptical about a company claiming that they have obtained a certain level (the higher level, the more skeptical to be) of CMM at an "enterprise level." Usually this is used as a marketing technique that may indeed apply to some project done by the company at some time, but most unlikely achieved by the enterprise.

References

Books

* Chrissis, Mary Beth; Konrad, Mike, Shrum, Sandy (2003). CMMI : Guidelines for Process Integration and Product Improvement. Addison-Wesley Professional. ISBN 0-321-15496-7. 

*Kulpa, Margaret K.; Kent A. Johnson (2003). Interpreting the CMMI : A Process Improvement Approach. Auerbach Publications. ISBN 0-8493-1654-5. 

* Humphrey, Watts (1989). Managing the Software Process. Addison-Wesley Professional. ISBN 0-201-18095-2. 

Websites

* History of Process Models

* Process Improvement: The Capability Maturity Model

* ITNOW - September 2005: Capability model mature - or is it?

* The PITCOM meeting of 22 March 2004 addressed one of the major trends affecting the UK technology sector

Footnotes

External links

• CMMI Official Web Site
• Capability Maturity Model® Integration (CMMI®) Overview [PDF]
• A critical look at implementing CMM Level 2
• CMMI Internet User Group
• Overview of CMMi-DEV Version 1.2 (2006)
• The Philip Crosby Connection
• A tabulated and annotated version of CMMi for Software Development is presented here