What is the Capability Maturity Model?

(CMM)
Capability Maturity Model (CMM) broadly refers to a process improvement approach that is based on a process model.
CMM also refers specifically to the first such model, developed by the Software Engineering Institute (SEI) in the mid-
1980s, as well as the family of process models that followed. A process model is a structured collection of practices that
describe the characteristics of effective processes; the practices included are those proven by experience to be effective.

CMM can be used to assess an organization against a scale of five process maturity levels. Each level ranks the
organization according to its standardization of processes in the subject area being assessed. The subject areas can be as
diverse as software engineering, systems engineering, project management, risk management, system acquisition,
information technology (IT) services and personnel management.

CMM was developed by the SEI at Carnegie Mellon University in Pittsburgh. It has been used extensively for avionics
software and government projects, in North America, Europe, Asia, Australia, South America, and Africa.Currently, some
government departments require software development contract organization to achieve and operate at a level 3 standard.

History
The Capability Maturity Model was initially funded by military research. The United States Air Force funded a study at
the Carnegie-Mellon Software Engineering Institute to create a model (abstract) for the military to use as an objective
evaluation of software subcontractors. The result was the Capability Maturity Model, published as Managing the Software
Process in 1989. The CMM is no longer supported by the SEI and has been superseded by the more
comprehensive Capability Maturity Model Integration (CMMI).

Maturity Model
The Capability Maturity Model (CMM) is a way to develop and refine an organization's processes. The first CMM was for
the purpose of developing and refining software development processes. A maturity model is a structured collection of
elements that describe characteristics of effective processes. A maturity model provides:

 a place to start
 the benefit of a community’s prior experiences
 a common language and a shared vision
 a framework for prioritizing actions
 a way to define what improvement means for your
organization

A maturity model can be used as a benchmark for assessing different organizations for equivalent comparison. It describes
the maturity of the company based upon the project the company is dealing with and the clients.

Context
In the 1970s, technological improvements made computers more widespread, flexible, and inexpensive. Organizations
began to adopt more and more computerized information systems and the field of software development grew
significantly. This led to an increased demand for developers—and managers—which was satisfied with less experienced
professionals.

Unfortunately, the influx of growth caused growing pains; project failure became more commonplace not only because the
field of computer science was still in its infancy, but also because projects became more ambitious in scale and
complexity. In response, individuals such as Edward Yourdon, Larry Constantine, Gerald Weinberg, Tom DeMarco, and
David Parnas published articles and books with research results in an attempt to professionalize the software development
process.

Watts Humphrey's Capability Maturity Model (CMM) was described in the book Managing the Software Process (1989).
The CMM as conceived by Watts Humphrey was based on the earlier work of Phil Crosby. Active development of the
model by the SEI began in 1986.

The CMM was originally intended as a tool to evaluate the ability of government contractors to perform a contracted
software project. Though it comes from the area of software development, it can be, has been, and continues to be widely
applied as a general model of the maturity of processes in IS/IT (and other) organizations.

The model identifies five levels of process maturity for an organisation. Within each of these maturity levels are KPAs
(Key Process Areas) which characterise that level, and for each KPA there are five definitions identified:

1. Goals
2. Commitment
3. Ability
4. Measurement
5. Verification

The KPAs are not necessarily unique to CMM, representing - as they do - the stages that organizations must go through on
the way to becoming mature.

The assessment is supposed to be led by an authorized lead assessor. One way in which companies are supposed to use the
model is first to assess their maturity level and then form a specific plan to get to the next level. Skipping levels is not
allowed.

Current state
Although these models have proved useful to many organizations, the use of multiple models has been problematic.
Further, applying multiple models that are not integrated within and across an organization is costly in terms of training,
appraisals, and improvement activities. The CMM Integration project was formed to sort out the problem of using
multiple CMMs.

CMMI is the designated successor of the three source models. The SEI has released a policy to sunset the Software CMM
and previous versions of the CMMI. The same can be said for the SECM and the IPD-CMM; these models were
superseded by CMMI.

Future direction
With the release of the CMMI Version 1.2 Product Suite, the existing CMMI has been renamed the CMMI for
Development (CMMI-DEV), V1.2. Two other versions are being developed, one for Services, and the other for
Acquisitions.

In some cases, CMM can be combined with other methodologies. It is commonly used in conjunction with the ISO 9001
standard, as well as with the computer programming methodologies of Extreme Programming (XP), and Six Sigma.

Levels of the CMM

There are five levels of the CMM:
Level 1 - Initial
Processes are usually ad hoc and the organization usually does not provide a stable environment. Success in these
organizations depends on the competence and heroics of the people in the organization and not on the use of proven
processes. In spite of this ad- hoc, chaotic environment, maturity level 1 organizations often produce products and
services that work; however, they frequently exceed the budget and schedule of their projects.
Organizations are characterized by a tendency to over commit, abandon processes in the time of crisis, and not be
able to repeat their past successes again.
Software project success depends on having quality people.
Level 2 - Repeatable
Software development successes are repeatable. The processes may not repeat for all the projects in the organization.
The organization may use some basic project management to track cost and schedule.
Process discipline helps ensure that existing practices are retained during times of stress. When these practices are in
place, projects are performed and managed according to their documented plans.
Project status and the delivery of services are visible to management at defined points (for example, at major
milestones and at the completion of major tasks).
Basic project management processes are established to track cost, schedule, and functionality. The minimum process
discipline is in place to repeat earlier successes on projects with similar applications and scope. There is still a
significant risk of exceeding cost and time estimate.
Level 3 - Defined
The organization’s set of standard processes, which is the basis for level 3, is established and improved over time.
These standard processes are used to establish consistency across the organization. Projects establish their defined
processes by the organization’s set of standard processes according to tailoring guidelines.
The organization’s management establishes process objectives based on the organization’s set of standard processes
and ensures that these objectives are appropriately addressed.
A critical distinction between level 2 and level 3 is the scope of standards, process descriptions, and procedures. At
level 2, the standards, process descriptions, and procedures may be quite different in each specific instance of the
process (for example, on a particular project). At level 3, the standards, process descriptions, and procedures for a
project are tailored from the organization’s set of standard processes to suit a particular project or organizational
unit.
Level 4 - Managed
Using precise measurements, management can effectively control the software development effort. In particular,
management can identify ways to adjust and adapt the process to particular projects without measurable losses of
quality or deviations from specifications. At this level organization set a quantitative quality goal for both software
process and software maintenance.
Sub-processes are selected that significantly contribute to overall process performance. These selected subprocesses
are controlled using statistical and other quantitative techniques.
A critical distinction between maturity level 3 and maturity level 4 is the predictability of process performance. At
maturity level 4, the performance of processes is controlled using statistical and other quantitative techniques, and is
quantitatively predictable. At maturity level 3, processes are only qualitatively predictable.
Level 5 - Optimizing
Focusing on continually improving process performance through both incremental and innovative technological
improvements. Quantitative process-improvement objectives for the organization are established, continually revised
to reflect changing business objectives, and used as criteria in managing process improvement. The effects of
deployed process improvements are measured and evaluated against the quantitative process-improvement
 objectives. Both the defined processes and the organization’s set of standard processes are targets of measurable
improvement activities.
Process improvements to address common causes of process variation and measurably improve the organization’s
processes are identified, evaluated, and deployed.
Optimizing processes that are nimble, adaptable and innovative depends on the participation of an empowered
workforce aligned with the business values and objectives of the organization. The organization’s ability to rapidly
respond to changes and opportunities is enhanced by finding ways to accelerate and share learning.
A critical distinction between maturity level 4 and maturity level 5 is the type of process variation addressed. At
maturity level 4, processes are concerned with addressing special causes of process variation and providing
statistical predictability of the results. Though processes may produce predictable results, the results may be
insufficient to achieve the established objectives. At maturity level 5, processes are concerned with addressing
common causes of process variation and changing the process (that is, shifting the mean of the process performance)
to improve process performance (while maintaining statistical probability) to achieve the established quantitative
process-improvement objectives.

The most beneficial elements of CMM Level 2 and 3:

Creation of Software Specifications, stating what is going to be developed, combined with formal sign off, an
executive sponsor and approval mechanism. This is NOT a living document, but additions are placed in a deferred or
out of scope section for later incorporation into the next cycle of software development.
A Technical Specification, stating how precisely the thing specified in the Software Specifications is to be developed
will be used. This is a living document.
Peer Review of Code (Code Review) with metrics that allow developers to walk through an implementation, and to
suggest improvements or changes. Note - This is problematic because the code has already been developed and a
bad design cannot be fixed by "tweaking", the Code Review gives complete code a formal approval mechanism.
Version Control - a very large number of organizations have no formal revision control mechanism or release
mechanism in place.
The idea that there is a "right way" to build software, that it is a scientific process involving engineering design and
that groups of developers are not there to simply work on the problem du jour.