Capability Maturity Model (CMM)

What is Capability Maturity Model (CMM)?

The Capability Maturity Model (CMM) is a methodology used to develop and refine an organization's software development process. The model describes a five-level evolutionary path of increasingly organized and systematically more mature processes.

CMM was developed and is promoted by the Software Engineering Institute (SEI), a research and development center sponsored by the U.S. Department of Defense (DOD) and now part of Carnegie Mellon University. SEI was founded in 1984 to address software engineering issues and, in a broad sense, to advance software engineering methodologies. More specifically, SEI was established to optimize the process of developing, acquiring and maintaining heavily software-reliant systems for the DOD. SEI advocates industry-wide adoption of the CMM Integration (CMMI), which is an evolution of CMM. The CMM model is still widely used as well.

CMM is similar to ISO 9001, one of the ISO 9000 series of standards specified by the International Organization for Standardization. The ISO 9000 standards specify an effective quality system for manufacturing and service industries; ISO 9001 deals specifically with software development and maintenance.

The main difference between CMM and ISO 9001 lies in their respective purposes: ISO 9001 specifies a minimal acceptable quality level for software processes, while CMM establishes a framework for continuous process improvement. It is more explicit than the ISO standard in defining the means to be employed to that end.

CMM's five levels of maturity for software processes

There are five levels to the CMM development process. They are the following:

  1. Initial. At the initial level, processes are disorganized, ad hoc and even chaotic. Success likely depends on individual efforts and is not considered to be repeatable. This is because processes are not sufficiently defined and documented to enable them to be replicated.
  2. Repeatable. At the repeatable level, requisite processes are established, defined and documented. As a result, basic project management techniques are established, and successes in key process areas are able to be repeated.
  3. Defined. At the defined level, an organization develops its own standard software development process. These defined processes enable greater attention to documentation, standardization and integration.
  4. Managed. At the managed level, an organization monitors and controls its own processes through data collection and analysis.
  5. Optimizing. At the optimizing level, processes are constantly improved through monitoring feedback from processes and introducing innovative processes and functionality.
diagram of Capability Maturity Model (CMM) levels
The Capability Maturity Model takes software development processes from disorganized and chaotic to predictable and constantly improving.

CMM vs. CMMI: What's the difference?

CMMI is a newer, updated model of CMM. SEI developed CMMI to integrate and standardize CMM, which has different models for each function it covers. These models were not always in sync; integrating them made the process more efficient and flexible.

CMMI includes additional guidance on how to improve key processes. It also incorporates ideas from Agile development, such as continuous improvement.

SEI released the first version of CMMI in 2002. In 2013, Carnegie Mellon formed the CMMI Institute to oversee CMMI services and future model development. ISACA, a professional organization for IT governance, assurance and cybersecurity professionals, acquired CMMI Institute in 2016. The most recent version -- CMMI V2.0 -- came out in 2018. It focuses on establishing business objectives and tracking those objectives at every level of business maturity.

CMMI adds Agile principles to CMM to help improve development processes, software configuration management and software quality management. It does this, in part, by incorporating continuous feedback and continuous improvement into the software development process. Under CMMI, organizations are expected to continually optimize processes, record feedback and use that feedback to further improve processes in a cycle of improvement.

One criticism of CMM is that it is too process-oriented and not goal-oriented enough. Organizations have found it difficult to tailor CMM to specific goals and needs. One of CMMI's improvements is to focus on strategic goals. CMMI is designed to make it easier for businesses to apply the methodology to specific uses than with CMM.

Like CMM, CMMI consists of five process maturity levels. However, they are different from the levels in CMM.

The process performance levels of CMMI are the following:

  1. Initial. Processes are unpredictable and reactive. They increase risk and decrease efficiency.
  2. Managed. Processes are planned and managed, but they still have issues.
  3. Defined. Processes become more proactive than reactive.
  4. Quantitatively managed. Quantitative data is used to craft predictable processes that fulfill stakeholder needs based on more accurate measurement of adherence to business goals.
  5. Optimizing. The organization has a set of consistent processes that are constantly being improved and optimized.
diagram of Capability Maturity Model Integration (CMMI) levels
The Capability Maturity Model Integration combines various software development maturity models into one process.

Learn how Agile principles applied to company culture can also help improve software product quality.

This was last updated in April 2022

Continue Reading About Capability Maturity Model (CMM)

Dig Deeper on Agile, DevOps and software development methodologies

Cloud Computing
App Architecture