Capability Maturity Model

The Capability Maturity Model (CMM) is a method for evaluating the maturity of software development organisations on a scale of 1 to 5. The CMM was developed by the Software Engineering Institute (SEI) at Carnegie Mellon University. It has been used extensively for avionics software and for government projects since it was created in the mid-1980s. The Software Engineering Institute has subsequently released a revised version known as the Capability Maturity Model Integration (CMMI).

Watts Humphrey described a predecessor to the CMM in his book Managing the Software Process (1989). Humphrey later conceived the CMM based on the earlier work of Phil Crosby. The SEI began active development of the model for the US Dept. of Defence Software Engineering Institute in 1986.

The CMM was originally intended as a tool to evaluate the ability of government contractors to perform a contracted software project. Though it comes from the area of software development, it can be (and has been) applied to the maturity of IS/IT (and other) organisations.

The model identifies five levels of process maturity for an organisation:

1. Initial ? (chaotic, ad hoc, heroic) the starting point for use of a new process.
2. Repeatable ? (project management, process discipline) the process is used repeatedly.
3. Defined ? (institutionalised) the process is defined/confirmed as a standard business process.
4. Managed ? (quantified) process management and measurement takes place.
5. Optimising ? (process improvement) process management includes deliberate process optimisation/improvement.

Within each of these maturity levels are KPAs (Key Process Areas) which characterise that level, and for each KPA there are five definitions identified:

1. Goals
2. Commitment
3. Ability
4. Measurement
5. Verification

The CMM consists of a group of key practices, neither new nor unique to CMM, which are divided into five levels representing the stages that organisations should go through on the way to becoming mature. The SEI has defined a rigorous process assessment method to appraise how well an organisation satisfies the goals associated with each level. The assessment is supposed to be led by an authorised lead assessor.

One way in which companies are supposed to use the model is first to assess their maturity level and then form a specific plan to get to the next level. Skipping levels is not allowed.

The CMM was originally intended as a tool to evaluate the ability of government contractors to perform a contracted software project. It may be suited for that purpose. When it became a general model for software process improvement, there were many critics. Shrinkwrap companies, which have also been called commercial off the shelf firms or software package firms, included Borland, Claris, Apple, Symantec, Microsoft, and Lotus, amongst others. Many such companies rarely if ever managed their requirements documents as formally as the CMM described. This is a requirement to achieve level 2, and so all of these companies would probably fall into level 1 of the model.

There are 5 levels of the CMM. According to the SEI, "Predictability, effectiveness, and control of an organization's software processes are believed to improve as the organization moves up these five levels. While not rigorous, the empirical evidence to date supports this belief."

1. Initial: Software development follows little to no rules. The project may go from one crisis to the next. The success of the project depends on the skills of individual developers. They may need to finish the project in an heroic effort.
2. Repeatable: Software development successes are repeatable. The organization may use some basic project management to track cost and schedule. The precise implementation differs from project to project within the organisation.
3. Defined: Software development across the organisation uses the same rules and events for project management. Crucially, the organization follows this process even under schedule pressures, ideally because management recognizes that it is the fastest way to finish.
4. Managed: Using precise measurements, management can effectively control the software development effort. In particular, management can identify ways to adjust and adapt the process to particular projects without measurable losses of quality or deviations from specifications.
5. Optimizing: Quantitative feedback from previous projects is used to improve the project management, usually using pilot projects, using the skills shown in level 4.

Recent versions of CMMI from SEI indicate a "level 0", characterized as "Incomplete". Many observers leave this level out as redundent or unimportant, but Pressman and others make note of it.

Anthony Finkelstien extrapolated that negative levels, or the Capability Immaturity Model, are necessary to represent environments that are not only indifferent, but actively counterproductive, and this was refined by Tom Schorsch:

• CMM level 0 (negligent)

• CMM level -1 (obstructive)

• CMM level -2 (Contemptuous)

• CMM level -3 (undermining)

1. The CMM was developed to give Defence organisations a yardstick to assess and describe the capability of software contractors' to provide software on time, within budget, and to acceptable standards. It has arguably been successful in this role, even reputedly causing some software salespeople to clamour for their organisations' software engineers/developers to "implement CMM."

1. The CMM is intended to enable an assessment of an organization's maturity for software development. It is an important tool for outsourcing and exporting software development work. Economic development agencies in India, Ireland, and elsewhere have praised the CMM for enabling them to be able to compete for US outsourcing contracts on an even footing. Whilst this may have been very positive for the employment of software engineers in emerging or Thirld World economies - notably in India during the early 2000s - it is regarded as having adversely affected the potential employment opportunities for software engineers in the developed economies - notably the USA and Europe. This outsourcing is a form of labour arbitrage which is similar to the movement of manufacturing of (for example) fashion clothing or Nike shoes to Third World economies with relatively cheap labour rates.

1. It is reputed that IBM, Motorola, Logica, BT and others have discovered the following:

• It takes 18 months on average to move up one SEI level, but it has been done in 8 .

• Defect rates can be lowered from 1 per 1,000 lines of code (said to be typical of Microsoft and its peers) down to 1 per 1,000,000 lines - this is roughly Six Sigma quality;

• There is no specific evidence for shortening "time to market", but there is for increasing the accuracy of estimating completion date from 75% overruns on average at level 1, to plus or minus 2% at level 5.

• Data on productivity increases is more variable, but it is at least a doubling of productivity.

1. The CMM does not describe how to create an effective software development organization. The traits it measures are in practice very hard to develop in an organization, even though they are very easy to recognize.

1. The CMM can seem to be overly bureaucratic, promoting process over substance. For example, for emphasizing predictability over service provided to end users. More commercially successful methodologies have focused not on the capability of the organization to produce software to satisfy some other organization or a collectively-produced specification, but on the capability of organizations to satisfy specific end user "use cases" as per the Rational Rose UML (Universal Modelling Language) approach.

1. The CMM's division into levels could ignore the possibility that a single group may exhibit all of the behaviors and may change from behavior to behavior over time. There is also the rule that a group must move from step to step along the continuum of the CMM, and that it is not "allowed" by the CMM for a group to move from one to five without going through the intermediate steps.