CMMI Basics

1. What is the CMM©?
The Capability Maturity Model© is a set of key practices that should be implemented by any entity developing or maintaining software. It can be conceived as the product of the collective experience of many of the most successful software projects, which has been documented in the form of a model. Its purpose is to provide recommendations to the software community about what should be done in order to accomplish successful projects and to continuously improve its processes. Published by the SEI, it has been largely used by the software community to assess the maturity of the software processes used by companies and agencies, to develop improvement plans, or as a reference book to implement more mature practices. The CMM© has become a "de facto" standard in the software industry.

2. Is the CMM© recognized at the international level?
The Capability Maturity Model© version 1.0 was released by the SEI in 1990. The version 1.1, more stable, was published in 1993 and had an immediate success within the international community. Vastly used by several segments of the industry and public organizations, it has inspired numerous applications and adaptations of the model. CMM is a tool largely diffused, following a disciplined evolution involving the international software community. It is not a panacea or the final solution to the problems, but the CMM© model represents, without any doubt, one of the best references available on recommended practices for software development or maintenance.

3. Why are many companies considering the CMM as a tool for technology improvement?
The SEI assessment approach is one of the most comprehensive that has been developed. Most organizations believe that a formal SEI assessment will lend credence to any recommendations that are proposed as a consequence of the assessment.

4. Are there weaknesses associated with the SEI approach?
Unfortunately, there are. It's expensive-plan on budgeting between $50K and $100K for the assessment alone. In most cases, it requires the use of an outside assessor. It uses a preconceived linear model for the software process. Far more importantly, it provides little guidance on what to do after the assessment is complete-and that's what most companies need to know.

5. At what level in the CMM would an ISO 9001 – compliant organization be?
An ISO 90001-compliant organization would not necessarily satisfy all the key process areas in level 2 of the CMM, but it would satisfy most of the level 2 and many of the level 3 goals. Further, because ISO 9001 doesn’t address all the CMM practices, a level 1 organization could receive ISO 9001 registration.

6. Can a level 2 (or 3) organization be considered compliant with ISO 9001?
A level 2 (or 3) organization would probably be considered compliant with ISO 9001 but even a level 3 organization would need to ensure that it adequately addressed the delivery and installation process, described in clause 4.15 of ISO 9001, and it should consider the use of included software products, as described in clause 6.8 of ISO 9000-3. With this caveat, obtaining certification should be relatively stratightforward for a level 2 or higher organization.

7. Should any software quality management and process improvement efforts be based on ISO 9001 or on the CMM?
As to whether software process improvement should be based on the CMM or ISO 9001, the short answer is that an organization may want to consider both, given the significant degree of overlap. A market may require ISO 9001 certification; addressing the concerns of the CMM would help organizations prepare for an ISO 9001 audit.
Conversely, level 1 organizations would certainly profit from addressing the concerns of ISO 9001. Although either document can be used alone to structure a process-improvement program, the more detailed guidance and software specificity provided by the CMM suggests that it is the better choice.
In any case, organizations should focus on improvement to build a competitive advantage, not on achieving a score – whether that is a maturity level or a certificate. The SEI advocates addressing continuous process improvement as encompassed by the CMM, but even then there is a need to address the larger business context in the spirit of Total Quality Management.

8. Should an organization choose the CMM® or ISO9001?
· Many organizations find each, in its own way, useful.
· The SEI CMM® provides unequaled guidance for software organizations hoping to develop more mature and predictable business practices.
· ISO 9001 provides a certification for process quality.
· CMM® based improvement does not have associated with it the notion of certification.
· Instead, SEI CMM® based process improvement measures "continuous process improvement" progress against a staged model (Levels 1-5).
· Within ISO9001, it is possible to certify a software process at any Level of SEI maturity.

9. Can the CMM© be used for other types of initiatives, other than conducting assessments with a method like CBA IPI?
Yes, of course! The CMM© certainly can be used as a reference for everybody looking for good ideas for improving the way the software is done or for providing examples to replace existing ones. It provides guidance to choose among different improvement paths, ideas that can be used to base the intuitions, etc. There are several assessment methods more or less formal, others than the CBA IPI, which currently are using the CMM© as a reference.

10. Does the CMM© only apply to the software domain? Does it only address both, the development and maintenance of software?
Actually, the complete name of CMM© is SW-CMM © (for "Software CMM"). In consequence, it is obviously applicable to the software domain, in what it concerns to the development, as well as to the maintenance aspects.
The specific methods (or methodologies) and technology (software or equipment) being used by a company or agency do not impose specific constraints on the utilization of the SW-CMM©, since its practices are formulated in such a generic mode, that can be easily adapted to meet the needs of particular environments. Nevertheless, even if they have been initially oriented and worded for the software domain, some of them can be extrapolated beyond their original application and applied to other domains (not necessarily in the software domain). Independently of this potential, always keep in mind that the SEI has originally oriented the practices described in the SW-CMM© model to cover the software development and maintenance aspects.

11. What is the difference between the CMM and the CMMI?
The Capability Maturity Model (CMM) exists for approximately 10 years. Just before the publication of CMM v2.0, the SEI redirected its effort toward the integration of system and software practices, since they are often linked in the context of industrial real projects. This led toward a combined and integrated model called CMMI. Fortunately, this model reused entirely draft version 2.0 which constituted one of the major inputs to CMMI.

12. What is the concrete impact of CMMI for organizations who already use the CMM or who consider the CMM use today?
The CMMI version 1.0 was published commercially on August 11, 2000. The SEI has already confirmed that they will maintain full support of the CMM version 1.1 until CMMI version 1.1 (not 1.0) is published. This is anticipated end of 2001 or early 2002. Also, it is already confirmed that the transition will be supported by the SEI. The bottomline: if the CMM 1.1 is currently satisfying the needs of a company investing into software process improvement, there is no need to stop or slower this initiative because CMMI is in the air. On the other hand, for an organization that starts in software process improvement, it might be appropriate to consider the new CMMI. Again, the bottomline is "Don’t wait!"

13. Are there any constraints to use the CMM© in environments using specific methods or tools for development or maintenance?
No. CMM© practices are formulated in a generic way. It is independent of any method (or methodology) and of any technology environment (software or hardware).

14. Is the CMM© a prerequisite to put in place a software process improvement initiative?
Certainly is not. The CMM© is not a complete remedy; it is an incomplete model and can be further improved. Nevertheless, it represents a standard whose robustness and usefulness have been verified by hundreds of companies around the world. Choosing a model with these characteristics as a reference to guide the organization’s investments in software process improvement, it is certainly a good decision to minimize the risks and to maximize the benefits

15. What is the relationship of the CMM© and ISO/IEC 15504 (previously known as SPICE)?
A working group of ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) was established to produce a standard for a model of software development and maintenance practices and an assessment method. This group had the goal to produce standards to obtain international acceptance for these two components. This was the project SPICE ("Software Process Improvement and Capability dEtermination"). The project was transferred after to a regular working group of ISO-IEC to continue the work.
This noble and ambitious objective evolved to produce not A model and A method, but a SET of requirements to be satisfied by models and methods in order to be in conformance to the ISO-IEC standard. This change of course from the initial objective (one single model and one single method), probably unavoidable, has the advantage of making easier to reach international consensus; also it stimulates the development of solutions better adapted to specific needs, while sharing a set of common rules. The SEI was an important participant of the SPICE project, most likely to influence the requirements of the standard to ensure that its model (CMM) and its method (CBA IPI), would easily conform to the future ISO standard.

16. Are there recognized courses on the CMM? Why is the "official" status of the SEI's "Intro to CMM" course important?
Nothing prevents people to offer courses on the CMM© because this model is in the public domain. The SEI has developed a 3-days course offered directly or through a network of authorized partners (e.g. Alcyonix). Obviously the SEI officially recognizes the value of its own course, provided by the SEI itself or by its authorized partners. The candidates for official accreditation as lead assessors are requested to have completed THIS COURSE. In the other hand, for the assessment team members, the SEI only requests that the lead assessors verify the good knowledge of CMM© of each team member. The lead assessor can decide to request that team members take the official course, or alternatively, to accept other courses meeting the equivalence requirements defined by the SEI.

17. How does an organization get SEI certified?
Unfortunately there is no official SEI certification. Unlike ISO, the SEI does not support the formal certification of organizations. Organizations can, however, receive formal evaluations of their organizational software maturity through CMMsm-based appraisals (CBA-IPI) or for specific project efforts via Software Capability Evaluationssm (SCEsms).

18. What are the recommendations for organizations preparing for an appraisal?
It is strongly recommended that organizations wishing to embrace the CMM, as an improvement guide, first understand the model. Typically this involves some sort of formal CMM® education.
A full-fledged SEI licensed Intro to CMM® course can be arranged for.
In concert with CMM® education, it is recommended that organizations be aware of the human and organizational factors associated with the introduction of complex change. CMM consultants are well equipped to help the organizations develop software process improvement implementation plans, or alternatively work with them on existing organizational improvement efforts.
And finally, using an appropriately scaled "Initial" assessment technique is recommended when:
· the organization begins its SPI effort and/or
· prior to conducting a full fledged CBA-IPI
This recommendation is emphasized, in large part, because a formal CBA-IPI is a lengthy and expensive assessment method, albeit thorough; one that should not be taken lightly.)
The assessment method chosen by an organization must be the least intrusive, most thorough, and cost-effective means for identifying an organization's major Software Process Improvement accomplishments and/or obstacles.

19. What is a CBA IPI?
The CBA IPI is a recent appraisal method developed by the SEI to replace the original "Software Process Assessments" (SPAs). It can be tailored to "audit" organizations for compliance to a specific maturity level of the CMM, or to "assess" organizations to determine key issues that must be addressed for process improvement. Process Inc has appraisers who have been authorized by the SEI to lead CBA IPI's.
The CBA IPI can be tailored significantly: the most important areas to consider tailoring are the purpose of the appraisal (improvement versus CMM compliance), the number of CMM levels to investigate in detail, and the amount of emphasis to place on the CMM (as opposed to non-CMM issues which always arise in an assessment). This tailoring greatly affects both the cost and the conclusions of the appraisal.

20. Is the CBA-IPI assessment a test?
Unfortunately, many organizations view CBA-IPI as tests. When viewed in this light the organization risks loosing significant assessment benefits including:
· Identifying areas that need improvement.
· Building organization support for internal improvement efforts.
· The ability to determine the organization's maturity level.
CBA-IPIs are designed, as the acronym would indicate, to provide assessments for internal process improvement (ergo the acronym IPI). Evaluations, in the SEI world, are designed to be used as maturity benchmarks for specific project efforts or software procurements.
CBA-IPIs are roughly analogous to visits to a tax or financial advisor.

21. When should an organization conduct a formal software process assessment (CBA IPI)?
An organization should consider formal software process assessments when:
· It believes that it has made significant process improvement and is seeking a detailed evaluation of the actual progress.
· Its clients/ customers require demonstrated proof of software process maturity and/or improvement.
· It seeks to identify areas requiring improvement.

22. How much time, effort and money are involved in conducting a CBA-IPI?
This is one of those questions for which it is very difficult to provide a simple answer. The simplest answer is "a lot."
CBA-IPI costs generally breakdown into the following major categories:
Interview time: this may involve anywhere from 30-60 staff members for an average of 1.5 hours each.
Meeting and presentation time: will involve the same 30-60 individuals mentioned above plus an additional number of observers up to and including the entire staff membership.
Assessment team time: involves, on an average, six of the organization’s senior individual contributors or project managers for a two week on-site assessment period (100%+ effort); three days of assessment team training (100% effort); plus an additional three days (100% effort) for CMM® training.
Lead assessor costs: to hire a SEI-authorized lead assessor team of two. In special situations it may be required to hire two lead assessors (e.g. the organization already has several in-house, or the organization is extremely small).
A rule of thumb total scope estimate for a CBA-IPI of an organization of 100-150 software professionals is 1500-2000 total hours (depending on maturity, number of projects, etc.).

23. What is the lead-time required for an assessment?
The average lead time for a "full up" CBA-IPI is three to six months. Generally the following tasks must be completed prior to the actual assessment.
· Into to CMM training for the assessment team (3 days).
· Identification of assessment team members, candidate projects, etc.
· Documentation library cross-referencing including: project, process, and CMM® related documents.
· Assessment team training (3 days).
· Resolution of any funding and staffing issues.
· Schedule coordination.

24. When is a good time to schedule an assessment?
Because of the intrusive nature of a CBA-IPI, the following guidelines are generally useful in planning the assessment.
· Allow ample lead-time to arrange schedules for participation. This includes allowing adequate time to coordinate between the organization and its Lead Assessor's, as well as that required to ensure appropriate staff availability.
· Do not schedule assessments during significant product release efforts.
· Do not schedule assessments when staff, management, or the organization's sponsor are not, or may not be, available.
· Be sure the organization requires a full assessment. Oftentimes an informal checkup provides a more expedient and more cost effective progress benchmark.

25. What happens after an assessment?
Normally once an assessment is completed, the organization will do the following:
· Complete a formal Findings and Recommendations document.
· Identify specific areas for improvement during the next timeframe (normally 12-24 months)
· Complete an Action Plan for process improvement.
· Identify pilot improvement activities.
· Measure improvement pilot progress and assess applicability and appropriateness for widespread use.
· Roll improvements out across the organization.
· Schedule informal process improvement check-ups
· Schedule another formal software process assessment (e.g. CBA –IPI)
NOTE: The SEI recommends 3 to 6 months for an action plan. This is typically not simply a list of actions and dates, but includes names, impact on current schedules, organizational changes, and costs. It is not implied that all action stops in the meantime. However, an action plan should represent true commitment to making the improvements.