A Closer Look at CMM – Software Capability Maturity Model

Finjan Team | Blog, Cybersecurity


With software being the potentially lucrative but often cut-throat business that it is, it makes sense for organizations to establish robust and repeatable techniques and processes for developing applications that consistently maintain a high standard of usability, reliability, and integrity. One method of ensuring this is by using the Capability Maturity Model or CMM.

The Origins of the Capability Maturity Model

With its ongoing need to acquire, develop, and maintain a number of systems that rely heavily on software, the U.S. Department of Defense (DoD) gave its backing to the Software Engineering Institute (SEI), based at Carnegie Mellon University, which was established in 1984 to address issues related to software engineering. The SEI’s mandate was to develop a means of optimizing software acquisition, development, and maintenance processes.

The result was the Capability Maturity Model (CMM), which is at the same time a methodology for evolving and refining the software development process, and a yardstick by which an organization’s level of advancement in the software development ecosystem may be measured. It has relevance beyond military applications and is recommended by SEI for the software industry as a whole.

Beyond Quality Assurance

CMM has similarities to the ISO 9001 standard set out by the International Organization for Standardization (ISO) for defining quality controls in the software development and maintenance aspects of manufacturing and services industries. But while ISO 9001 merely describes a minimal level of quality acceptable for software processes, CMM lays out an architecture for the continual improvement of these processes – and gives greater guidance on the strategies that should be adopted to achieve this result.

5 Levels of Evolution

The Capability Maturity Model establishes a framework of five development stages, an evolutionary continuum of process maturity levels on a path to increasingly well-organized and more systematically advanced software development processes.

An organization’s ranking may be determined by measuring its progress against the scale of these five levels, based on certain Key Process Areas (KPAs). The requirement for advancement at each level depends on how effectively an enterprise follows commonly accepted and repeatable processes in getting work done. Ascending to a higher level equates to improving the software development process.

A number of variants on the CMM have existed over the years, and in 2002 several were combined into an integrated model dubbed the CMMI (with the “I” for “Integrated”). Attempts have even been made by the SEI to expand the model’s scope beyond the software development sector. But the core emphasis of the Capability Maturity Model remains on software, and the five-part framework set out as follows:

1. The Initial Level

Software development processes at the initial level are disorganized, as companies lack a standard process for creating applications, and a project management system to allow developers to accurately timetable the development cycle or predict impending costs.

It’s an unstable state: the resources and personnel needed to recreate any recorded successes may not be available, and the organization may lack a clear enough picture of its own capabilities and limitations to avoid unrealistic claims or overblown commitments that can’t be met.

The words “ad hoc” and “chaotic” are often attributed to organizations at this stage (which actually includes the bulk of smaller and medium-sized enterprises in the software industry), and any standout performances by individuals may result in the poaching of these talents by better-organized enterprises at a higher level.

2. The Repeatable Level

At the repeatable or managed level, basic techniques for project management will have been put in place, allowing certain procedures to become standardized and successful processes to be reproduced. Documented plans will exist by which projects, along with their related processes, products, and services, may be implemented and managed.

3. The Defined Level

At this next level, a greater emphasis on documentation, standardization, and integration allows an enterprise to develop its own standard software development process. Within an organization, developers can readily move from one project to another, and a degree of consistency in products originating from different project groups may be observed by the buying public.

The organization’s set of standard procedures allows process descriptions, standards, and techniques to be customized to suit the requirements of particular projects or development units. All processes are described in greater detail and with more rigor than at level 2 and may be managed more proactively given the greater understanding of the relationships between processes, and the requirements set out for them in the organizational blueprint.

4. The Managed Level

The managed or quantitatively managed level (to distinguish it from level 2, in some variants) is the stage at which data gathering and analytics empower an organization to proactively monitor and control its own development processes. So in addition to the standardized processes already in place, the enterprise installs systems for assuring the quality of those processes in all of its projects.

Statistical analysis and other quantitative techniques are deployed to ensure that standards defined for application quality and process performance are met and that they serve the needs of end users, customers, those within the organization, and those charged with putting the processes into effect.

5. The Optimizing Level

At the final maturity stage or optimizing level, feedback from ongoing processes is continuously monitored to fuel improvements to development, and new processes to improve production or operations are introduced as they are identified.

Quantitative analysis now extends to setting objectives for the organization’s processes to be improved, and these are continually revised as market conditions change. With a greater degree of organizational maturity comes the freedom to share knowledge, and to explore new avenues for innovation and the more agile development of new products. The response to changes and opportunities is also accelerated throughout the enterprise.

Capability Maturity Model – A Road-Map for Success

Ultimately, the Capability Maturity Model may be seen as the road map for a journey charting the evolution of an enterprise. Its framework and recommendations (putting project management processes in place, standardizing procedures, monitoring and analysis, etc.) should be taken as a guide for any organization looking to firm up and add value to its operations through well-founded and reusable processes.
