What Is CMM, And Why Should You Care?

By Hillel Glazer



Seeking the stability and, thanks to the increased spending on Homeland Defense, the opportunity of government work, many software companies are facing a rude surprise called the "CMM."



What is CMM?

CMM stands for "Capability Maturity Model." Rather than a software development model, it's a software management model. The difference is that a development model is a way for programmers to code, test, deploy and build on their software. A management model is a way for software projects to plan, organize and identify what needs to get done to run the project, a way to gain insight into and control over the development, so you can predict and adjust project activities towards success.



Why did it come about?

In the 1980s a Standish Group study found that over 30% of all large software projects failed to be delivered and, of the remaining, nearly 80% failed to come in on time and budget. These figures account for the evidence that smaller companies' success rates were nearly twice as high as the success rates of larger companies. The research also indicated that most of the money in software development was spent on fixing buggy software, rather than on the initial development. In effect, only about 16% of all software projects surveyed were delivered on time, on budget and with the expected functionality, with most of it being developed by smaller companies.

To beat these odds, and to lower the overall cost of buying software, the Department of Defense funded the Software Engineering Institute (SEI) at Carnegie Mellon University to find ways to help defense contractors build software more economically.

The SEI defined "successful project" in terms of a project's ability to meet cost, schedule and quality objectives. "Quality" was defined as how many post-delivery corrections, fixes and upgrades were required before the product finally did what the customers expected. "Failed projects" were those that were cancelled or significantly overran cost, schedule or quality expectations. Instead of focusing on the mistakes, overruns and what not to do, the SEI focused on what the successful projects had in common. The result became the Capability Maturity Model, or CMM.

Today, the CMM is the de facto standard for software management throughout the government and is internationally recognized as a very powerful business tool and competitive differentiator.



What does it look like?

The SEI found that successful projects had specific key processes in common. Eighteen total key processes were organized into five maturity "levels." Level 1 is where most companies operate using undisciplined "ad hoc" processes, often relying on heroics to complete projects and rarely doing the same thing the same way twice.

Level 2 is called the "repeatable" level. "Level 2" companies are mature enough to re-use their processes to plan, estimate and execute projects. Six basic software development key processes are in level 2: Requirements Management, Project Planning, Project Tracking and Oversight, Subcontract Management, Quality Assurance and Configuration Management.

Companies providing custom software to the government are required to be assessed to level 2, and increasingly to level 3-

called the "defined" level-which has seven key process areas (KPAs). This article won't go into details of each level, but for completeness, the remaining five KPAs are in level 4, "managed," and level 5, "optimizing."



Why should you care?

The first reason is above, the other reason is: competition. Your competition may already be applying the CMM. What if your competition not only institutes the industry's best practices, but reaps the benefits of doing it? Even though the CMM was developed based on "large and complex" software projects, its business value has been recognized by companies of every size and in every industry. Companies are using their CMM appraisals in their marketing strategies.

Another reason to consider implementing CMM: Software subcontractors to companies creating software for the government must either themselves be following CMM, or be covered by their client. In fact, all the parts of the software product delivered to the government must be following CMM. This means that either your client is covering for you and your lack of CMM, or they're going to ask you to follow it too.



What can you do?

Visit the Software Engineering Institute's web site (www.sei.cmu.edu) and obtain a copy of Mark Paulk's "The Capability Maturity Model: Guidelines for Improving the Software Process." Introductory CMM classes are offered by the SEI, and through one of many CMM consultants. CMM training is very important because nowhere in the model is there an explanation of how to implement it. Understanding how to make it work takes significant acclimation. This is where an experienced CMM assessor will be very helpful. The SEI's web site has a list of lead assessors and companies licensed to teach and perform CMM assessments.



What else?

Beyond merely getting government work, this model is a success-based model. Many companies, however, are turned off by what seems to be a major bureaucracy required to implement CMM. This results from the "large and complex" software project approach taken by many of the companies and consultants who implement and follow the CMM, not as a result of the CMM itself. Find a consultant that will help you implement what will work best for your company, whether it's CMM or not.

Rest assured, when you want to pursue developing software for the government, there are ways to implement the CMM, specifically, and disciplined processes, in general, that don't create a bureaucracy. Best practices should not blunt your competitive edge. Don't let anyone tell you that your business positioning or objectives must be sacrificed on the altar of process.



Hillel Glazer is the principal of Entinex, Inc., a technology development and business

technology optimization consulting firm. He can be reached at 301-384-4203, or hillel@entinex.com.