The CMM was first described in Managing the Software Process by Watts Humphrey, and hence was also known as "Humphrey's CMM". Humphrey based it on the earlier work of Phil Crosby. Active development of this model began in 1986 at the US Dept. of Defense Software Engineering Institute located at Carnegie Mellon University in Pittsburgh.
The CMM was originally intended as a tool for objectively assessing the ability of government contractors' processes to perform a contracted software project. Though it comes from the area of software development, it can be (and has been and still is being) applied as a generally applicable model to assist in understanding the process capability maturity of organizations in diverse areas. For example, software engineering, system engineering, project management, software maintenance, risk management, system acquisition, information technology (IT), personnel management. It has been used extensively for avionics software and government projects around the world.
The CMM has been superseded by a variant - the Capability Maturity Model Integration (CMMI). The old CMM was renamed to Software Engineering CMM (SE-CMM) and organizations accreditations based on SE-CMM expired on 31 December 2007.
Maturity models have been internationally standardized as part of ISO 15504.
A maturity model can be described as a structured collection of elements that describe certain aspects of maturity in an organization. A maturity model may provide, for example :
A maturity model can be used as a benchmark for comparison and as an aid to understanding - for example, for comparative assessment of different organizations where there is something in common that can be used as a basis for comparison. In the case of the CMM, for example, the basis for comparison would be the organizations' software development processes.
The CMM involves the following aspects:
There are five levels defined along the continuum of the CMM, and, according to the SEI: "Predictability, effectiveness, and control of an organization's software processes are believed to improve as the organization moves up these five levels. While not rigorous, the empirical evidence to date supports this belief."
The levels are:
(a) Because institutional knowledge tends to be scattered (there being limited structured approach to knowledge management) in such environments, not all of the stakeholders or participants in the processes may know or understand all of the components that make up the processes. As a result, process performance in such organizations is likely to be variable (inconsistent) and depend heavily on the institutional knowledge, or the competence, or the heroic efforts of relatively few people or small groups.
(b) Despite the chaos, such organizations manage to produce products and services. However, in doing so, there is significant risk that they will tend to exceed any estimated budgets or schedules for their projects - it being difficult to estimate what a process will do when you do not fully understand the process (what it is that you do) in the first place and cannot therefore control it or manage it effectively.
(c) Due to the lack of structure and formality, organizations at this level may over-commit, or abandon processes during a crisis, and it is unlikely that they will be able to repeat past successes. There tends to be limited planning, limited executive commitment or buy-in to projects, and limited acceptance of processes.
It is characteristic of processes at this level that some processes are repeatable, possibly with consistent results.
Process discipline is unlikely to be rigorous, but where it exists it may help to ensure that existing processes are maintained during times of stress.
(a) Processes and their outputs could be visible to management at defined points, but results may not always be consistent. For example, for project/program management processes, even though (say) some basic processes are established to track cost, schedule, and functionality, and if a degree of process discipline is in place to repeat earlier successes on projects with similar applications and scope, there could still be a significant risk of exceeding cost and time estimates.
It is characteristic of processes at this level that there are sets of defined and documented standard processes established and subject to some degree of improvement over time. These standard processes are in place (i.e., they are the AS-IS processes) and used to establish consistency of process performance across the organization.
(a) Process management starts to occur using defined documented processes, with mandatory process objectives, and ensures that these objectives are appropriately addressed.
It is characteristic of processes at this level that, using process metrics, management can effectively control the AS-IS process (e.g., for software development ). In particular, management can identify ways to adjust and adapt the process to particular projects without measurable losses of quality or deviations from specifications. Process Capability is established from this level.
(a) Quantitative quality goals tend to be set for process output - e.g., software or software maintenance.
(b) Using quantitative/statistical techniques, process performance is measured and monitored and generally predictable and controllable also.
(a) Quantitative process-improvement objectives for the organization are established, continually revised to reflect changing business objectives, and used as criteria in managing process improvement.''' Thus, process improvements to address common causes of process variation and measurably improve the organization’s processes are identified, evaluated, and deployed.
(b) The effects of deployed process improvements are measured and evaluated against the quantitative process-improvement objectives.
(c) Both the defined processes and the organization’s set of standard processes are targets for measurable improvement activities.
(d) A critical distinction between maturity level 4 and maturity level 5 is the type of process variation addressed.
At maturity level 4, processes are concerned with addressing statistical special causes of process variation and providing statistical predictability of the results, and though processes may produce predictable results, the results may be insufficient to achieve the established objectives.
At maturity level 5, processes are concerned with addressing statistical common causes of process variation and changing the process (for example, shifting the mean of the process performance) to improve process performance. This would be done at the same time as maintaining the likelihood of achieving the established quantitative process-improvement objectives.
Some versions of CMMI from SEI indicate a "level 0", characterized as "Incomplete". Some pundits leave this level out as redundant or unimportant, but Pressman and others make note of it. See page 18 of the August 2002 edition of CMMI from SEI.
Anthony Finkelstein extrapolated that negative levels are necessary to represent environments that are not only indifferent, but actively counterproductive, and this was refined by Tom Schorsch as the Capability Immaturity Model.
The software process framework documented is intended to guide those wishing to assess an organization/projects consistency with the CMM. For each maturity level there are five checklist types:
|Policy||Describes the policy contents and KPA goals recommended by the CMM.|
|Standard||Describes the recommended content of select work products described in the CMM.|
|Process|| Describes the process information content recommended by the CMM. The process checklists are further refined into checklists for: |
|Procedure||Describes the recommended content of documented procedures described in the CMM.|
|Level Overview|| Provides an overview of an entire maturity level. The level overview checklists are further refined into checklists for: |
As a result, the growth was accompanied by growing pains: project failure was common, and the field of computer science was still in its infancy, and the ambitions for project scale and complexity exceeded the market capability to deliver. Individuals such as Edward Yourdon, Larry Constantine, Gerald Weinberg, Tom DeMarco, and David Parnas began to publish articles and books with research results in an attempt to professionalise the software development process.
Watts Humphrey's Capability Maturity Model (CMM) was described in Managing the Software Process. The CMM as conceived by Watts Humphrey was based on the work a decade earlier of Phil Crosby who published the Quality Management Maturity Grid in his book Quality is Free in 1979. Active development of the model by the US Department of Defense Software Engineering Institute (SEI) began in 1986.
The CMM was originally intended as a tool to evaluate the ability of government contractors to perform a contracted software project. Though it comes from the area of software development, it can be, has been, and continues to be widely applied as a general model of the maturity of processes (e.g., IT Service Management processes) in IS/IT (and other) organizations.
The model identifies five levels of process maturity for an organization:
Within each of these maturity levels are Key Process Areas (KPAs) which characterise that level, and for each KPA there are five definitions identified:
The KPAs are not necessarily unique to CMM, representing — as they do — the stages that organizations must go through on the way to becoming mature.
Process assessment is best led by an appropriately skilled/competent lead assessor. The organisation's process maturity level is assessed, and then a specific plan is developed to get to the next level. Skipping levels is not allowed.
N.B.: The CMM was originally intended as a tool to evaluate the ability of government contractors to perform a contracted software project. It may be suited for that purpose. When it became a general model for software process improvement, there were many critics.
Shrinkwrap companies are also called commercial-off-the-shelf (COTS) firms or software package firms. They include Claris, Apple, Symantec, Microsoft, and Lotus, amongst others. Many such companies rarely if ever managed their requirements documents as formally as the CMM described in order to achieve level 2, and so all of these companies would probably fall into level 1 of the model.
Although the CMM model proved useful to many organizations, the use of multiple models has been problematic. Applying multiple models that are not integrated within and across an organization could be costly in terms of training, appraisals, and improvement activities. The CMM Integration (CMMI) project was formed to sort out the problem of using multiple CMMs.
With the release of the CMMI Version 1.2 Product Suite, the possibility of multiple CMMI models was created.(Refer to CMMI for further information.)
The software industry is diverse and volatile. All methodologies for creating software have supporters and critics, and the CMM is no exception.
SenSage Unveils Security Intelligence Capability Maturity Model to Benchmark and Improve Enterprise Security Management.
Mar 16, 2010; SenSage, Inc. announced the SenSage Security Intelligence Capability Maturity Model, a methodology for assessing and improving...
CMM/CMMI Level 3 or higher? No guarantee for success.(capability maturity model, capability maturity model integration)
Nov 01, 2006; For many years, I've heard war stories about how a given supplier delivered software late, went over budget, and the quality of...