• About the model.
• About the appraisal (level ratings).
• About CMMI, Agile, LifeCycles and other Process Concepts.
• About the SEI.
• About training.
• About specific parts of the model(s).

• WHAT is CMMI?
• Is CMMI for us?
• How many processes are there in CMMI?
• How are the processes organized?
• What is each process made up of?
• What's the difference between Staged and Continuous?
• What's the difference between Maturity Level and Capability Level?
• What are the Generic Goals?
      a.k.a. What are the differenes among the Capability Levels?
      a.k.a. What do they mean when they say process institutionalization?
• What's High Maturity About?
    a.k.a. What's the fuss about High Maturity Lead Appraisers?
    a.k.a. What's the fuss about the informative materials in the High Maturity process areas?

• What's a Constellation?
• How many different ways are there to implement CMMI?
• Do we have to do everything in the book?  Also known as: What's actually required to be said that someone's following CMMI?
• Why does it cost so much?
• Why does it take so long?
• Why would anyone want to do CMMI if they didn't have to do it to get business?
• Isn't CMMI just about software development?
• What's the difference between CMMI v1.1 and v1.2?
• What's the key limitation for approachng CMMI?
• What's the key effort required in CMMI implementation?

• How do we get "certified"?
• How long does it take?
• How much does it cost?
• What's involved (in getting a rating)?
• How does the appraisal work?
• What's a SCAMPI?
• Who can do the appraisal?
• Can we have our own people on the appraisal?
• What sort of evidence is required by the appraisal?
• How much of our company can we get appraised?
• How many projects need to be appraised?
• Can we have more than one appraisal and inch our way towards a rating?
• If we go for a "level" now, do we have to go through it again to get to the next "level"?
• How long does the "certification" last?
• What is the difference between SCAMPI Class A, B and C appraisals?
• How do we pick a consultant or lead appraiser?
• Where can we see a list of organizations that have been appraised?
• What's the official record of the appraisal results?
• Can we go directly to (Maturity or Capability) Level 5?

• What if our development life cycle doesn't match-up with CMMI's?
• Doesn't the CMMI only work if you're following the "Waterfall" model?
• How does CMMI compare with ISO/TL 9000 and ITIL?
• Aren't CMMI and Agile methods at opposite ends of the spectrum?
• How are CMMI and SOX (SarBox / Sarbanes-Oxley) Related?

• Isn't this just a cash cow for the SEI?
• What makes SEI the authority on what are "best practices" in software?
• Do the Lead Appraisers work for the SEI?
• What's a "Transition Partner"?
• What's the "Partner Network"?
• How do we report concerns about ethics, conflicts of interest, and/or compliance?
• Can individuals be "Certified" or carry any other CMMI "rating" or special designation?

• Is there required training to "do" CMMI?
• Who can provide CMMI-related training?
• What sort of CMMI-related training is there?
• How can we learn about the appraisal process?

• What is the exact difference between GP 2.8 and GP 2.9?

• Develops products and complex services, and/or
• Acquires products and services from others, and/or
• Provides/delivers services.

• customer acquisition, satisfaction, or retention, and/or
• project success, profitability, predictability, or timeliness,
• and/or employee acquisition, satisfaction, or retention

Causal Analysis & Resolution, [ML 5]
The purpose of Causal Analysis and Resolution (CAR) is to identify causes of defects and other problems and take action to prevent them from occurring in the future.

Configuration Management, [ML 2]
The purpose of Configuration Management (CM) is to establish and maintain the integrity of work products using configuration identification, configuration control, configuration status accounting, and configuration audits.

Decision Analysis & Resolution, [ML 3]
The purpose of Decision Analysis and Resolution (DAR) is to analyze possible decisions using a formal evaluation process that evaluates identified alternatives against established criteria.

Integrated Project Management (+ IPPD -- DEV only), [ML 3]
The purpose of Integrated Project Management (IPM) is to establish and manage the project and the involvement of the relevant stakeholders according to an integrated and defined process that is tailored from the organization’s set of standard processes.

IPPD "Addition" (DEV only)
For IPPD, Integrated Project Management +IPPD also covers the establishment of a shared vision for the project and the establishment of integrated teams that will carry out objectives of the project.

Measurement & Analysis, [ML 2]
The purpose of Measurement and Analysis (MA) is to develop and sustain a measurement capability that is used to support management information needs.

Organizational Innovation and Deployment, [ML 5]
The purpose of Organizational Innovation and Deployment (OID) is to select and deploy incremental and innovative improvements that measurably improve the organization’s processes and technologies.  The improvements support the organization’s quality and process performance objectives as derived from the organization’s business objectives.

Organizational Process Definition (+ IPPD -- DEV only), [ML 3]
The purpose of Organizational Process Definition (OPD) is to establish and maintain a usable set of organizational process assets and work environment standards.

IPPD "Addition" (DEV only)
For IPPD, Organizational Process Definition +IPPD also covers the establishment of organizational rules and guidelines that enable conducting work using integrated teams.

Organizational Process Focus, [ML 3]
The purpose of Organizational Process Focus (OPF) is to plan, implement, and deploy organizational process improvements based on a thorough understanding of the current strengths and weaknesses of the organization’s processes and process assets.

Organizational Process Performance, [ML 4]
The purpose of Organizational Process Performance (OPP) is to establish and maintain a quantitative understanding of the performance of the organization’s set of standard processes in support of quality and process-performance objectives, and to provide the process performance data, baselines, and models to quantitatively manage the organization's projects.

Organizational Training, [ML 3]
The purpose of Organizational Training (OT) is to develop the skills and knowledge of people so they can perform their roles effectively and efficiently.

Project Monitoring and Control, [ML 2]
The purpose of Project Monitoring and Control (PMC) is to provide an understanding of the project’s progress so that appropriate corrective actions can be taken when the project’s performance deviates significantly from the plan.

Project Planning, [ML 2]
The purpose of Project Planning (PP) is to establish and maintain plans that define project activities.

Process and Product Quality Assurance, [ML 2]
The purpose of Process and Product Quality Assurance (PPQA) is to provide staff and management with objective insight into processes and associated work products.

Quantitative Project Management, [ML 4]
The purpose of Quantitative Project Management (QPM) is to quantitatively manage the project’s defined process to achieve the project’s established quality and process-performance objectives.

Requirements Management, [ML 2]
The purpose of Requirements Management (REQM) is to manage the requirements of the project’s products and product components and to identify inconsistencies between those requirements and the project’s plans and work products.

Risk Management, [ML 3]
The purpose of Risk Management (RSKM) is to identify potential problems before they occur so that risk-handling activities can be planned and invoked as needed across the life of the product or project to mitigate adverse impacts on achieving objectives.

Supplier Agreement Management, [ML 2]
The purpose of Supplier Agreement Management (SAM) is to manage the acquisition of products from suppliers.

Product Integration, [ML 3]
The purpose of Product Integration (PI) is to assemble the product from the product components, ensure that the product, as integrated, functions properly, and deliver the product.

Requirements Development, [ML 3]
The purpose of Requirements Development (RD) is to produce and analyze customer, product, and product component requirements.

Technical Solution, [ML 3]
The purpose of Technical Solution (TS) is to design, develop, and implement solutions to requirements. Solutions, designs, and implementations encompass products, product components, and product-related lifecycle processes either singly or in combination as appropriate.

Validation, [ML 3]
The purpose of Validation (VAL) is to demonstrate that a product or product component fulfills its intended use when placed in its intended environment.

Verification, [ML 3]
The purpose of Verification (VER) is to ensure that selected work products meet their specified requirements.

Agreement Management, [ML 2]
The purpose of Agreement Management (AM) is to ensure that the supplier and the acquirer perform according to the terms of the supplier agreement.

Acquisition Requirements Development, [ML 2]
The purpose of Acquisition Requirements Development (ARD) is to develop and analyze customer and contractual requirements.

Acquisition Technical Management, [ML 3]
The purpose of Acquisition Technical Management (ATM) is to evaluate the supplier’s technical solution and to manage selected interfaces of that solution.

Acquisition Validation, [ML 3]
The purpose of Acquisition Validation (AVAL) is to demonstrate that an acquired product or service fulfills its intended use when placed in its intended environment.

Acquisition Verification, [ML 3]
The purpose of Acquisition Verification (AVER) is to ensure that selected work products meet their specified requirements.

Solicitation and Supplier Agreement Development, [ML 2]
The purpose of Solicitation and Supplier Agreement Development (SSAD) is to prepare a solicitation package, select one or more suppliers to deliver the product or service, and establish and maintain the supplier agreement.

Capacity and Availability Management, [ML 3]
The purpose of Capacity and Availability Management (CAM) is to ensure effective service system performance and ensure that resources are provided and used effectively to support service requirements.

Incident Resolution and Prevention, [ML 3]
The purpose of Incident Resolution and Prevention (IRP) is to ensure timely and effective resolution of service incidents and prevention of service incidents as appropriate.

Service Continuity, [ML 3]
The purpose of Service Continuity (SCON) is to establish and maintain plans to ensure continuity of services during and following any significant disruption of normal operations.

Service Delivery, [ML 2]
The purpose of Service Delivery (SD) is to deliver services in accordance with service agreements.

Service System Development^*, [ML 3]
The purpose of Service System Development (SSD) is to analyze, design, develop, integrate, verify, and validate service systems, including service system components, to satisfy existing or anticipated service agreements.

^*SSD is an "Addition"  As such, it is at the organization's discretion whether to implement SSD, and, whether to include SSD in a SCAMPI appraisal.

Service System Transition, [ML 3]
The purpose of Service System Transition (SST) is to deploy new or significantly changed service system components while managing their effect on ongoing service delivery.

Strategic Service Management, [ML 3]
The purpose of Strategic Service Management (STSM) is to establish and maintain standard services in concert with strategic needs and plans.

• Staged, and
• Continuous

• Requirements Management (REQM)
• Project Planning (PP)
• Project Monitoring and Control (PMC)
• Supplier Agreement Management (SAM)
• Measurement and Analysis (MA)
• Process and Product Quality Assurance (PPQA), and
• Configuration Management (CM)

• Requirements Development (RD)
• Technical Solution (TS)
• Product Integration (PI)
• Verification (VER)
• Validation (VAL)
• Organizational Process Focus (OPF)
• Organizational Process Definition (OPD)
• Organizational Training (OT)
• Integrated Project Management (IPM)
• Risk Management (RSKM), and
• Decision Analysis and Resolution (DAR)

• Organizational Process Performance (OPP) and
• Quantitative Project Management (QPM)

• Organizational Innovation and Deployment (OID) and
• Causal Analysis and Resolution (CAR)

• Capability Level 1: The organization achieves the specific goals of the respective process area(s).
• Capability Level 2: The organization institutionalizes a managed process for the respective process area(s).
• Capability Level 3: The organization institutionalizes a defined process for the respective process area(s).
• Capability Level 4: The organization institutionalizes a quantitatively managed process for the respective process area(s).
• Capability Level 5: The organization institutionalizes an optimizing process for the respective process area(s).

Generic Goal 1 [GG1]: The process supports and enables achievement of the specific goals of the process area by transforming identifiable input work products to produce identifiable output work products.

Generic Practice 1.1 [GP 1.1]: Perform the specific practices of the process to develop work products and provide services to achieve the specific goals of the process area.

Generic Goal 2 [GG2]: The process is institutionalized as a managed process.

Generic Practice 2.1 [GP 2.1]: Establish and maintain an organizational policy for planning and performing the process.

Generic Practice 2.2 [GP 2.2]: Establish and maintain the plan for performing the process.

Generic Practice 2.3 [GP 2.3]: Provide adequate resources for performing the process, developing the work products, and providing the services of the process.

Generic Practice 2.4 [GP 2.4]: Assign responsibility and authority for performing the process, developing the work products, and providing the services of the process.

Generic Practice 2.5 [GP 2.5]: Train the people performing or supporting the process as needed.

Generic Practice 2.6 [GP 2.6]: Place designated work products of the process under appropriate levels of configuration management.

Generic Practice 2.7 [GP 2.7]: Identify and involve the relevant stakeholders as planned.

Generic Practice 2.8 [GP 2.8]: Monitor and control the process against the plan for performing the process and take appropriate corrective action.

Generic Practice 2.9 [GP 2.9]: Objectively evaluate adherence of the process against its process description, standards, and procedures, and address noncompliance.

Generic Practice 2.10 [GP 2.10]: Review the activities, status, and results of the process with higher level management and resolve issues.

Generic Goal 3 [GG3]: The process is institutionalized as a defined process.

Generic Practice 3.1 [GP 3.1]: Establish and maintain the description of a defined process.

Generic Practice 3.2 [GP 3.2]: Collect work products, measures, measurement results, and improvement information derived from planning and performing the process to support the future use and improvement of the organization’s processes and process assets.

Generic Goal 4 [GG4]: The process is institutionalized as a quantitatively managed process.

Generic Practice 4.1 [GP 4.1]: Establish and maintain quantitative objectives for the process, which address quality and process performance, based on customer needs and business objectives.

Generic Practice 4.2 [GP 4.2]: Stabilize the performance of one or more subprocesses to determine the ability of the process to achieve the established quantitative quality and processperformance objectives.

Generic Goal 5 [GG5]: The process is institutionalized as an optimizing process.

Generic Practice 5.1 [GP 5.1]: Ensure continuous improvement of the process in fulfilling the relevant business objectives of the organization.

Generic Practice 5.2 [GP 5.2]: Identify and correct the root causes of defects and other problems in the process.

• the only required and expected components of the model are the goals and practice statements, respectively, and
• mis-understanding and/or mis-interpretation of the model high maturity practices.

• RD
• TS
• PI
• VER
• VAL, and
• SAM

1. Lack of understanding of the model, and
2. Being an expert process auditor, and not a process improvement expert.

• required,
• expected, and
• informative

• Where you are *now* with respect to your implementation of process improvement using CMMI? (i.e., Gap Analysis Results)
• How process-oriented is your company?  Do you understand process improvement?  Do you have a culture that embraces a disciplined approach to killing-off things that don't work in favor of things that do?  Do you have process improvement professionals on staff?  Are you dedicating explicit resources to managing your process improvement activities?
• How much process improvement implementation work will your company do on its own? vs.
• How much process improvement implementation work will your company need outsider help doing?
• How much progress do you think you'll be able to make?  Meaning, how fast can you absorb change?  Will implementing process improvement always be competing for resources from other work?  Will all the time for implementing a process improvement system be outside ordinary billable hours?  And,
• How quickly do you want to make progress?

• Treat process improvement with the same rigor as a technical project.
• Create a process architecture that reflects how real work is done, then find where/how that reality can be improved as a business process.
• Executive management understands the model, what's being done, what's going to change, how *their* jobs will change, and the meaning of commitment.
• Create and sustain a culture of process improvement.
• Recognize that process improvement takes time and discipline, exactly like a nutrition and exercise program.  And,
• Process Improvement can't be done *to* a project, it's done *by* the project by the very nature of their work, not by any explicit "CMMI activities"

Back to Model FAQs

Why does it take so long?

A: That's a loaded and ambiguous question! What qualifies as "so long"?  We'll just tell you what goes into the time frames here and you can determine whether it's reasonable for you or how you can go about minimizing time or maximizing progress.  Please see the previous question.

Back to Model FAQs

Why would anyone want to do CMMI if they didn't have to do it to get business?

A: Because they must be perceiving that the way they do technology development or services now isn't giving them everything they want or need to be confident in their ability to produce the results they want/expect (profit, happy clients, low overhead, etc.) and to do it in a consistent way.  If that's not you, move on.  Otherwise, give CMMI a shot and check back here for more elaboration on this topic soon.

Back to Model FAQs

Isn't CMMI just about software development?

A: Nope.  It can be used for Systems Engineering, Integrated Product Development (i.e., large, complex projects), and Supplier Sourcing.  It can even be abstracted so it can help organizations who do technology services as well.  More on that coming up.

Back to Model FAQs

What's the difference between CMMI v1.1 and v1.2?

A: Detailed "deltas" are available from the SEI's web site.  The summary of major changes to the model (only) are as follows:

Back to Model FAQs

What's the key limitation for approachng CMMI?

A: This question comes to us from one of our readers.  We love our readers!

There really are no size or scope limitations to CMMI as far as an organization is concerned.  CMMI can be put to good use in any sized organization doing any kind of solution development.  The real driver (or limitation) is whether there's any need for process improvement.  It's a limitation based in business.  As we've said here, CMMI is used as a basis from which to create process improvement solutions that fit your particular organization in all its particular particularness.  If an organization doesn't have a process improvement need, there's no need for a process improvement solution, we suppose.

The one limiting attribute of the model is that the organization pick the correct one for the type of work they do.  There are currently three "Constellations" of the CMMI model.  One each for Development, Acquisition, and Services (due in spring 2009).  Neither the model nor the appraisal process are specific as to what type of "development" it applies towards.  That means proposal development is just as "process improvable" as software, hardware, or wetware development.  All that is necessary for that constellation is the development of solutions according to some abstract concept of a life cycle of your choosing.  Because the model is not specific as to whether those solutions are technology products, proposal products, service solutions, or children's lunches, it requires that whoever is implementing it understand exactly what is going to happen when they do implement it.  Although written with technology products in mind, it is not impossible to abstract the model for use in any activity where the input is a need and the output is a solution.

On the practical, implementation side, however, there are many limitations.  In the previous paragraph we hinted that the broad applicability of the model necessitates a certain level of expertise for an organization to know what decisions must be made, and how to make them most appropriately.  If we were pressed to pick only one, we'd have to say that misplaced expectations is the #1 common cause, or limiter in approaching CMMI.  Especially the misplaced expectations of senior level organizational management

Misplaced expectations explains a lot about why CMMI efforts fail to meet their goals, or, if they succeed, they do so only at the expense of disillusionment, cynicism, lost moral, and employee turn-over, on top of the high monetary cost of the so-called "achievement" of a level rating.

Misplaced expectations lead to bad decisions in every aspect of life, and this is no different for CMMI.  If we look at CMMI implementation like any other project, it becomes very easy to spot what misplaced expectations lead to: insufficient resources, improper allocation of responsibilities, unrealistic time and cost estimates, insufficient training, inappropriate measures of success, lack of leadership insight or oversight, lack of leadership accountability for owning the effort and instilling the necessary discipline to make the project succeed, and a dearth of enthusiasm or buy-in from project participants.

Do you get the picture?

Simply setting ones expectations appropriately with respect to CMMI must be the next step once it is determined that there is something going on within an organization that is a "Development" process (and/or later in 2007, a Service process and/or an Acquisition process).

So, in the end, the only solution to mitigating misplaced expectations is to get smart about what the model is, what the model requires, what are the collateral implications of implementation, and how the appraisal works.

After all. implementing CMMI must be a strategic decision.  Every respect an organization pays to other serious strategic decisions must be afforded to the decision to pursue CMMI.

We hate that this is the answer, because we wish it were more cut and dry.  But the fact that it's not cut and dry is the same issue that leads people to ask about implementation cost and time long before any such answers ought to be mentioned.  There are so many factors that the only way to really get around these challenges (limitations) is to get educated in process improvement, CMMI, and in the appraisal process and requirements.

This FAQ can help a lot.  When we set out to create it, we thought it would be helpful.  Feedback has indicated that it's been more than helpful, it's a bonefide resource.  But the FAQ can't address specific questions from specific companies.  After all, those types of questions wouldn't be the "F" in "FAQ", would they?

The authors here believe that these answers ought to be provided to a potential CMMI traveller before they set out on the path.  Unfortunately, like an inexperienced canyon hiker who doesn't wear the right shoes or take enough water, we've found that not enough CMMI travellers avail themselves of this information.  However, much worse than that, an appallingly high number of CMMI consultants do not volunteer this information as part of their own due diligence to evaluate a potential client and to help the prospect (or new client) arrive at decisions most suitable to their circumstances and context,  *That* is a true blemish on the industry.

Back to Model FAQs

What's the key effort required in CMMI implementation?

A: This question also comes to us from one of our readers.  We love our readers!

Be sure to read the above question and answer as it is closely related to this one.

A key effort, in our opinion, in CMMI implementation is the identification of the organization's actual development life cycle.  In other words, what is their reality?  Any organization successfully operating and, to some extent, profitably growing must be doing something that *works* for *them* and delivers on customer expectations.  Figuring out what that is, for each organization, is key to implementing CMMI.  There's really no magic to it.

Another key effort is organizing a process architecture.that simultaneously reflects the reality just discovered and describes where and how process improvement takes place within that reality.  If process improvement isn't taking place, now you know where you need to insert process improvement activities, and, you have some insight into how to best design the process improvement solution for the organization.  It is highly recommended that the process of designing the process solution receive guidance from someone who knows how to do this as well as someone who understands the CMMI and how it is appraised.  Such a person could be a hired gun, or a smart hire, depending on the needs and resources of the organization.

The important consideration to note is that it requires the combined knowledge of each organization's reality-based context as well as knowledge of the CMMI model and of the appraisal to come together to implement CMMI well.

And therein lies an assumption we've made in answering this question.  That the organization wants to implement CMMI "smartly", and, in a way that results in lasting value that persists beyond the appraisal.  There are other ways to just make it through an appraisal, but since we at CMMIFAQ don't advocate those approaches we're not gonna write about them.  If you keep reading, you'll probably figure out what those approaches are. Bottom line: design your process improvement efforts into your revenue-generating activities and you will not only benefit from the improvements, you will also find yourself with a robust process improvement system which requires no evidence production when it comes time to perform appraisals.  It becomes a simple matter of just doing the development work and allowing the work products of that development to speak process improvement for themselves.

Back to Model FAQs

Appraisals/Ratings FAQs

How do we get "certified"?

A: OK, let's get something straight here and foreverafter:  You do not get "certified" in CMMI.  At least not yet.  In the US, the concept of a "certification" carries a specific legal expectation and companies who are *rated* (and that *IS* the right term) to a level of the CMMI are not being "certified" to anything.

So the correct question is, 'how do you get "rated"?'.  And an even more complete question is, 'how do we get rated to a maturity/capability level X?'

We'll get to the difference between Maturity Levels and Capability Levels and what the level numbers mean shortly.

The short answer for how to get rated still leaves a lot of information on the table.  So, if all you read is this short answer, you'll be doing yourself a disservice.  The really short answer on getting a level rating is that you get appraised by an appraisal team led by an SEI-authorized Lead Appraiser who determine whether you are performing the practices of the CMMI.

This answer is so loaded with hidden terms it's frightening.  So just so you know that you've been warned that this answer is too short, we'll point out each of the terms in our previous answer that has hidden meaning in it:

Keep reading this FAQ.  What else did you have to do today anyway?

Back to Appraisals/Ratings FAQs

How long does it take?

A: Here's another one of those dead give-away questions that a company is more interested in the rating than the improvement.

OK, that's a little unfair.  Let's just say that as often as we hear this question, our judgmental attitude holds for ALMOST everyone who asks it.  Allright, so maybe you are the exception.  The truth is, it's a fair question.  For every company.

A rare few companies don't care how long it takes.  Lucky them.  Applying a generous dose of benefit of the doubt, we can assume that the question is asked not for "how soon can we get this out of the way?" as much as from "are there any rules that dictate a minimum time before performing an appraisal?" How we can tell whether the company is interested in the improvements vs. the rating is simply a linear function of how long into the conversation we are before it gets asked. All-too-often, the source of the question is less ignorance of the process and more ignorance of the point behind going through the process.

Process improvement purists wish more people were more interested in the journey than in the destination.  We are process improvement pragmatists.  We know you're not looking at CMMI because you had nothing better to do with your time and money.  That's for Bill Gates and his very worthy charitable endeavors.  The company he's famous for founding is still in business for the money.  FAST.  So, how long it takes is a real question regardless of how you spend your money.

Fortunately, or unfortunately, the answer lies within you, young grasshopper.  Really.  We can't give you a much better answer than that.  What we can do, however, is give you a list of the attributes that you can use to estimate how long it will take you, and give you a few example cases and some very general time-ranges.

Let's start again with our favorite analogy.  Say you're carrying around about 40lbs

(18.18kg) of excess body fat.  How long will it take you to lose the fat?  A year?  Two?  6 months?  Can one person do in 6 months what another person needs 2 years?  We all know the answer to these questions.  "IT DEPENDS!"

EXACTLY! How quickly a company can become rated to a pre-determined point in the CMMI's rating scale depends entirely on them and their circumstances.  It depends on:

So then there's almost everyone else. Everyone else needs time to first determine where they are in their implementation of CMMI practices.  This is like saying, first we need to

find out how much excess fat we're carrying around.  A trip to the right physician would answer this.  For CMMI, it's called a "Gap Analysis" and can take a week or two.  Then, depending on those factors bulleted earlier, the gap found by the analysis would need to be filled.  This is the part where a company would need to figure out what it's optimum sustainable diet and exercise routine should be, and, how long to stick with it to see the desired results.

In CMMI v1.1, there are 25 Process Areas, and in v1.2 there are 22.  There are two ways to look at them.  The duration of the gap closure activities would also be a function of how many (and which ones) of the Process Areas the organization wanted appraised.  Each of the Process Areas could be analogous to some aspect of a healthy lifestyle such as food choices, food quantity, shopping, cooking, meal planning, exercises, frequency, repetitions, technique, equipment, blood work, rest, stress management, work environment, time management, and so on.  Obviously, the more of the lifestyle someone wanted to adopt, the longer it would likely take.

Once a gap is filled (i.e., the weight is lost and/or new muscle mass is added), an organization should give itself at least 3 months (on the short-project end) to 12 months (on the larger project end) to actually use their processes.  This would provide them with enough data to actually conduct an appraisal.  However, the actual metric isn't the calendar, it's the cycle-time of their development processes.  Often called their development life-cycle.  Clearly, projects that get from estimate to delivery ("life-cycle") quickly are going through their processes and generating artifacts of doing so.  This is the value to key off of moreso than the clock.

On the fat-loss analogy, this would be like finding that point where diet and exercise are enough to keep the weight off and one is able to demonstrate to themselves (or others, as needed) that they can, in fact, live and sustain a healthy lifestyle -- in the face of temptation and other uncertainties.

Once people internalize how process improvement works, how long it takes to earn a rating is a question such people stop asking.  Like fat loss and getting into shape, process improvement is a discipline backed by many best practices.  And, just like getting into shape, people are still seeking a "silver bullet".

We, on the other hand, stick to a healthy diet and exercise program.  When we're off track we know it.  We gain fat and feel like crap.  When we're on it, we see the results.

Make sense?

Back to Appraisals/Ratings FAQs

How much does it cost?

A: If you've read the answer to the previous question and are still asking this question then you must really only be wondering about fees, attributes of cost or other general costs.  Otherwise, go and read the answer to "How long does it take?" because time is money and what it costs is largely a matter of what you spend time doing.

As for fees, attributes of cost and other general costs, here's break-down of things that can or will cost you money towards being rated to a capability or maturity level of the CMMI:

There is NO requirement for the purchase or use of any tool.  Anyone saying that in order to "comply" with CMMI (or the appraisal) that you must purchase a tool, they're full of *crap!*

Some consultants do use tools as part of their work and as part of you hiring them you are also buying a license to use the tool.  That's OK.  Since you will end up using the tool after they're gone, it's reasonable that you should pay for using something that is either the consultant's intellectual property, or something they bought and are bringing to the table.  And, it's up to you if you want to hire that company.  It's not reasonable for you to hire a consultant who tells you they use a tool and then tell them not to use it so you don't have to pay for their tools.  Many consultants work their pricing structure into the productivity and efficiencies they gain by using a tool and asking them to stand by their rates when you've asked them to leave their tools in the shed is not playing nice.  On the other hand, anyone telling you that if you don't buy their tool then you are not going to meet the CMMI's "requirements" or "pass" the appraisal is FLAT OUT LYING LYING LYING!!! and should be reported to the SEI! And, you can do that by taking a number of actions listed here.

Back to Appraisals/Ratings FAQs

What's involved (in getting a rating)?

A: Um... that's a little broad, don'chya think?  But, we get that question frequently enough so we might as well answer it.  At least at a very high altitude.

There are three broad steps towards achieving a level rating:

1. Know where you are now.
This is usually called a "gap analysis" The right person to do this is someone who really understands the CMMI and how to appraise for the CMMI.  Too often we get into companies who thought they were simply "smart enough " to do it themselves -- in some cases doing nothing more than downloading the model and reading it.  Even taking the SEI's Introduction to CMMI course is seldom enough to determine, without any other direct experience, how closely your company is performing the expected practices of CMMI, or how your particular implementation of the practices will fare in an appraisal.  Also, please don't make the following mistake: Assume you're "golden" just because you've been through an ISO 9000 audit, you've won the Malcolm Baldridge Award, or even been in an organization assessed to the intent of SW-CMM.  We've actually found that prior experience with other process-oriented bodies of work can work against a company's true understanding of what CMMI is about, how to implement it effectively, and how to appraise their practices.

Once you know what and where your gaps are in implementation you're ready for the next broad step.

2. Fill your gaps.
This is usually called, in CMMI circles, "Process Improvement" Although this step implies that your processes aren't up to the task as they stand now, what it really implies is that you will likely be making some changes to your current processes as you implement CMMI's practices and the method you should follow is one of process improvement and not simply a re-skinning of your paper trail.  The entire purpose behind CMMI is that of process improvement and companies that simply slap a layer of CMMI processes over top of what they're currently doing is not process improvement, it's death by process.

It's come to our attention that CMMI has a reputation as being "death by process" as it is.  We firmly believe that it's the latter approach towards CMMI implementation, as described in the previous paragraph, that causes this, not CMMI.  To be blunt (you're used to it by now, yes?), slapping CMMI over top of your existing process, those processes that you feel have been working all along, is a STUPID way to implement CMMI.

On the other hand, if you do find value in practices CMMI promotes, then what you want to be doing is implementing them in a way that continues to provide you with the value-proposition of the things you like about your current processes and replacing or adding with CMMI those things that could use some strengthening.  The smoothest way to this approach is by following CMMI as a guide to process improvement.  Again, please be advised that doing this on your own without a CMMI expert employee or consultant is not advisable for the same reasons having an expert is best for performing the gap analysis.

One last comment on this step (and it's a bit of an unsung truism about the CMMI): companies who are honestly thrilled with their current process and really have a handle on the outcome of their efforts are probably doing a lot of what the CMMI would have you doing.  Such companies may call their activities by different names, they might reach the goals in a less traditional way, but ultimately, they are getting the job done and are still in business, so they must be doing things right.  (Or at least doing the right things.) If this is you, then your effort towards implementing CMMI is going to be quite painless and enjoyable.

3. Get appraised.
Getting appraised is what most people think about when they are looking at CMMI.  The appraisal is what gives an organization their "Level".  Once the appropriate expert can make a sound call on your organization's implementation of the CMMI practices, you can start planning for an appraisal.  Details of the appraisal are answered elsewhere in this FAQ.

Back to Appraisals/Ratings FAQs

How does the appraisal work?

A: The appraisal process is guided by something called the Method Definition Document (MDD).  If you are not familiar with the appraisal process already (which you aren't 'cause you're asking the question), you don't want to try to read this unless you're doing some whacky exercise in self-hypnosis.  The MDD is based on a requirements spec called the Appraisal Requirements for CMMI (ARC).  And, reading of that document is strictly forbidden without a prescription or special medical dispensation.  The documents are available for download from SEI's Web site and are actually well-written and really useful if you're a Lead Appraiser or studying to be one, but otherwise it's gonna sound like gibberish.  Don't say we didn't warn you.

Just so you understand that the complete answer to this question is ordinarily delivered in 2 days' worth of training.  We're obviously limited in what we can explain here.

We're going to pick up the appraisal with the portion of the appraisal that most people think about: the on-site period.  It's that period of time when there's an appraisal team at your company and they're looking at your evidence and conducting interviews (or performing some other accepted form of verbal affirmation).  It's at the end of this period that a company gets the results of the appraisal and, when all goes well, a rating.

So... that's pretty much what happens at the appraisal: A team, lead by a Lead Appraiser looks at evidence and makes a judgment on that evidence regarding the extent to which the it demonstrates that CMMI's practices are being implemented.  There are 3 types of evidence: Direct Artifacts, Indirect Artifacts and Affirmations.  At least one Direct Artifact plus either an Indirect Artifact or an Affirmation is required for each practice in the scope of the appraisal.  There are rules governing the minimum number of Affirmations too.  For each practice in the scope of the appraisal the evidence is looked at collectively for that practice and a determination is made regarding the extent to which the practice is being implemented.  This is called "practice characterization" The characterization scale is: Fully Implemented, Largely Implemented, Partially Implemented, and Not Implemented.  There's also "Not Rated" and "Not Yet" which get a bit too complicated for this medium to address.

The evidence comes from actual projects' work products.  In actuality, instead of specifying that evidence come from "projects" the term is instantiations.  The number of projects (er, instantiations) is a function of the organization to which the rating will apply.  You need a sample of instantiations representative of the organization.  And, no, you can't pick them, the Lead Appraiser works with you to pick them; and, no, you can't look at only the "best" aspects of a project and puzzle together all the good-looking evidence from a bunch of different projects.  Three is a typical number of instantiations for even large organizations.

The characterizations are then looked at in aggregate according to rules in the MDD across all instantiations.  Basically, after aggregating the characterizations across all instantiations, no single practice can be characterized as less than Largely Implemented or it will spell disaster.  Even then, if certain practices are found even "Largely Implemented", and the appraisal team believes there's a pattern in what they're seeing that causes these practices to only be found as "Largely Implemented", the team may still choose to say that whatever's causing these practices to not be Fully Implemented is worrisome enough to preclude the organization from achieving the goals of the Process Area, and if any goal in a Process Area isn't achieved, then it can't be said that the whole Process Area is being satisfied, can it?  And, that, our friends, is how the appraisal works: it's a search for whether the organization is satisfying the goals of those Process Areas in scope of the appraisal.

Back to Appraisals/Ratings FAQs

What's a SCAMPI?

A: Ah-ha! Finally! A quick and easy question!

Back to Appraisals/Ratings FAQs

Who can do the appraisal?

A: Another quick and easy question, thanks!

An Authorized Lead Appraiser.  Authorized by who?  The SEI.
Lead Appraisers (as of this writing) have to qualify by surviving the following activities in this order (sort-a):

New, as of late 2006, Lead Appraisers must become certified by SEI to lead SCAMPIs on maturity or capability levels 4 and 5.  Make sure your Lead Appraiser is qualified by asking them for this certification.

IMPORTANT!  ALSO new, as of v1.2 of the MDD:
The organization being appraised needs to have a contractual relationship with the Partner Organization sponsoring the Lead Appraiser performing the appraisal in order for the appraisal to be valid.

In other words, Lead Appraisers who aren't directly working for a Partner (or, who aren't themselves representative of a Partner), can't contract to perform a SCAMPI without the contractual involvement of a Partner.  That's not to say that money needs to be involved, and, it also doesn't mean that the appraiser needs to negotiate their dealings through Partners, however, it does mean that the Partner at least know about the appraisal and the relationship being established with the organization being appraised.  This was done in an effort to improve the Partner knowledge of activities happening in their name.  And hopefully, also improve the quality of those activities.

Back to Appraisals/Ratings FAQs

Can we have our own people on the appraisal?

A: Yes! Yes, in fact, it's encouraged.

The appraisal team must be at least 4 people strong (including the Lead Appraiser), and with your company's employees on the appraisal team you increase the odds of buy-in to the appraisal process as well as follow-up and follow-through on any recommended actions from the appraisal.  There are a number of qualifications potential team members must meet, the most logistically challenging of them being that candidate team members must have had a licensed delivery of the Introduction to CMMI before going into the appraisal activities (which begin a month or more before the actual on-site period).  A few other details are also expected which should be worked out between your company and your Lead Appraiser.

Back to Appraisals/Ratings FAQs

What sort of evidence is required by the appraisal?

A: There are 3 types of evidence: Direct Artifacts (D), Indirect Artifacts (I) and Affirmations (A). For each practice in the scope of an appraisal, the requirement for evidence (in a SCAMPI Class A appraisal -- which we'll get to later) is as follows:

1 * D + 1 * (I or A)

Back to Appraisals/Ratings FAQs

How much of our company can we get appraised?

A: The part of your company that gets the actual rating is called the "Organizational Unit".  This can be the entire company or only parts of it as determined by the types of projects that the company wants the appraisal to apply towards.  For the appraisal to apply to an entire company, projects that represent all the sorts of work that the company does would need to be evaluated in the appraisal.  A project that consumes the entire company, and is the only project that company has would result in the appraisal on that one project and that company could say that it's entire company has achieved the level rating awarded.  The actual composition of the organizational unit is something that needs to be defined up-front during appraisal planning.  The Lead Appraiser must analyze the selection of projects to ensure that the projects do, in fact, represent the organizational unit of the appraisal.  The more variety in the kinds of projects in the organizational unit, the more projects will be needed.  Also, the broader the application of the appraisal results, the broader the scope of projects.  Meaning, if the company has a number of sites, projects representing each site must be included.  Multi-site projects are OK, but using one location's project to represent another will not work.  There are a number of facets that are analyzed including the type of work, the size of the project, where the work is being done, the disciplines involved, the phases of development life cycle that the project covers, the number of people on the projects...etc.  All of which are compared to the same facets of the organizational unit at-large.  The point to all this is that the sample of projects must be representative of the organizational unit and cannot leave gaps in coverage.  The number of projects in needed in each facet is the subject of the next question.

Back to Appraisals/Ratings FAQs

How many projects need to be appraised?

A: Enough such that the projects chosen can represent the organization to which the appraisal results and process improvement recommendations will apply.  Within this includes "Focus Projects" (FP) and "Non-Focus Projects" (NFP)  What are or are not FPs or NFPs has to do with how much of your development life cycle the projects cover as well as whether the projects came before or after the processes that are being evaluated.

Specifically, the question of Focus Projects and Non-Focus Projects is almost entirely moot when using the Continuous Representation for the model implementation and appraisal AND there are no project management process areas being appraised.

Our good friend, SEI Visiting Scientist, a Lead Appraiser's Lead Appraiser, and super-nice-guy Judah Mogilensky, of Process Enhancement Partners, provided this explanation:

...Okay, FPs and NFPs: This is really a formalization of something that has often gone on, and it is prompted by the need to have "at least 3 instances of each practice in each project-related PA in the model scope of the appraisal." There are two typical situations where one would resort to NFPs:

1. Not Yet situations, e.g., a project is still in major development, and has not yet had the opportunity to enact some of the Product Integration process area practices, at the top system level, that are normally only carried out toward the end of the project.  To fill in the NY holes, we pick a completed NFP and examine Product Integration for it.

2. Legacy situations, e.g., a project was started a long time ago, specifically before the current planning and estimating practices [of the Project Planning process area] were put into place.  So the planning and estimation artifacts do not reflect the current process.  To fill in these holes, we pick a relatively new, early stage NFP and examine Project Planning for it.

It there a risk of cherry-picking?  Well, of course, but not more than there always was.  What still guards against this is the new requirement in the Appraisal Disclosure Statement to be much more explicit about how well the selected sample [see previous question] covers critical parameters, e.g, not just what percentage of the development population is covered by the selected projects (which used to be the main thing we looked at), but what percentage of the business lines or project types are covered, what percentage of the customer types are covered, what percentage of the geographic locations are covered, maybe even what percentage of the organization’s revenue is covered.  There were some attempts at defining required project sampling, but it was always possible to generate a counter-example to every proposal, so the appraisal team settled for full disclosure of the sample basis in the ADS.

The current guidance is a little weak for organizations that have fewer than 3 projects, but those have always been exceptional cases.  The expectation, I think, is that we would see a lot of "100%" coverage parameters.  And you can’t really ask for more that 100%.

Finally, keep in mind that there is no requirement to have NFPs at all, if they are not needed.  Also, FPs need only be examined for all PAs in scope, so, if you have a small appraisal scope of just a few PAs, that’s all the FPs have to cover.

Back to Appraisals/Ratings FAQs

Can we have more than one appraisal and inch our way towards a rating?

A: No, At least not yet.  Well, at least not in the way you're thinking.
You can have as many appraisals as you want, however, at this time, if you want a Maturity Level rating (or even a Capability Level rating -- more on that later), you will only achieve that if the appraisal looks at all the evidence for all the Process Areas in the scope of the appraisal in a single appraisal.  There is talk afoot of allowing something like a "cumulative" appraisals where you can do some subset of an appraisal scope then come back and do a little more, and so on until you've completed the scope and then putting it all together for a rating, but that's not how it works today.  If you do perform several appraisals where none (except, perhaps, the last) are for a complete Maturity Level, it would only serve to provide you a sense of how you're doing, you couldn't use the results of those appraisals to pare down what needs to be done at the appraisal you're conducting for "all the marbles".

Back to Appraisals/Ratings FAQs

If we go for a "level" now, do we have to go through it again to get to the next "level"?

A: Yes.  Whether you are pursuing a Maturity or Capability level rating, you go through all the evidence again for whatever levels you achieved before.  One reason is that at this time there are no mechanisms in place to allow for "cumulative" appraisals, which is what would be necessary to make this approach work.  However, even more fundamentally, the appraisal team and Lead Appraiser can't be expected to assume that there would be evidence from the lower levels to support the higher levels' activities.  Even more basic than that is the fact that the levels support one another and it would be very unlikely that appraising to a higher level could be accomplished without evidence from the earlier levels.

The only exception to this is if an appraisal is spread out over a period of time, and is, in fact, one long appraisal.  The time-limit for completing a single appraisal is 90 days.

Back to Appraisals/Ratings FAQs

How long does the "certification" last?

A: Setting aside the fact that it's *NOT* a "certification" (See #1), the current answer is that Appraisal Results will be recognized by the SEI for three (3) years from date of the appraisal, or until August 2007, whichever is later.

Back to Appraisals/Ratings FAQs

What is the difference between SCAMPI Class A, B and C appraisals?

A: The differences boil down to the level of rigor, and, as reflection of the level of rigor, to what the outcomes can be.

A SCAMPI class A is the appraisal most people think of when they think about CMMI appraisals.  It is the only class of SCAMPI that can result in a level rating.  And, as one might imagine, it requires the most rigor: an authorized lead appraiser, a minimum number (4) of people on the appraisal team collectively having explicit qualifications, very specific types of evidence, and certain minimum number (and type) of projects to characterize the process improvement of the organizational unit.

SCAMPI classes B & C have much wider ranges in terms of team composition and evidence, as well as how they're used and the level of rigor one wants to apply.  Although a SCAMPI B can't provide an offical (or otherwise) level rating, one can conduct a SCAMPI B with all the rigor and "fanfare" of a SCAMPI A.  Many organizations use SCAMPI B as a means of preparing for a SCAMPI A and/or as a means of conduting process reviews or audits.  SCAMPI B requires less of the kinds of evidence, only 2 minimum team members, and since no level rating is given, the sample of projects required to be appraised is less specific. 

The SCAMPI C is very much the "formal" way to do an otherwise informal process review.  It can be performed with only one person as the appraisal team-and-appraiser, it can use either direct, indirect, or interview artifacts, in no specific quantity or combination, and is frequently best used for perfoming what many call a "gap analysis".  Of course, it can be used for more that that.  Though, due to the low expectation of evidence, SCAMPI C is often used to target specific needs and/or when an organization is generally expecting that there will be many more findings than conclusive improvement to be found.

Back to Appraisals/Ratings FAQs

How do we pick a consultant or lead appraiser?

A: Anyone claiming to be a lead appraiser must be authorized by the SEI to do so.  The SEI refers, collectively, to all people authorized to work on their behalf as an "authorized individual". Thus, all actual lead appraisers are "authorized individuals".  You can search/sort a list of such people here, and, specifically limit your search to lead appraisers.  To narrow your search to a geographic area, you're better off searching for an SEI partner.  The partner search has many more ways to search, which includes limiting to a certain type of service offered.  And then, once you find a partner, you can see the authorized individuals associated with that partner.

However, one need not be a lead appraiser to consult on CMMI.  In fact, there are many people very well experienced in implementing CMMI and with appraisal experience who are not credentialed to do appraisals or official training.  Many more experienced people than there are authorized individuals.  Frequently, because they don't carry authorizations, they're not able to charge as much as those who are authorized.  The trick is: finding them.  Many work for partners, so once you find a partner, you might ask about the authorizations of their consultants as a guage of what you can expect to pay.  Many people experienced in CMMI work for large organizations who need their services full-time, on site, and moonlight as consultants.  Others are just independent consultants and get much of their work by word-of-mouth.

Though, the question isn't "how do we find a consultant or lead appraiser" but, "how do we pick from all the ones out there?!?!?".

As you can guess, there's not a simple answer, but we can say two things:

CMMI is a model not a standard, as we've said many times before.  It's not something that, when applied, will look the same each time.  Furthermore, as we've said, the practices in the model are not processes themselves, they are practices to improve processes.  It takes skill to effectively interpret the model and implement it in a given situation, and, it takes contextual relate-ability to appraise whether the model has been implemented or interpreted properly/effectively.

There are (in our opinion) far too many lead appraisers (and consultants) who don't know how to/don't want to/don't appreciate (or are too lazy to) do what it takes to help clients design contextually appropriate process solutions, and/or to allow for contextually-driven interpretations of model practices when performing an appraisal.  Symptoms of such an appraiser or consultant are in what they consider valid evidence of the practices, or valid descriptions of the processes, or how they describe their approach towards working with an organization to build up their practices. 

An appraiser or consultant may not be suitable to a given buyer if they only expect to create, see, or will accept "typical work products" as evidence, or if they expect to see, create, or will accept process descriptions with each CMMI practice spelled out, or if they expect organizations starting out to generate artifacts that address model practices but don't add value to the product development process.  None of these characteristics are required (or prevented) by CMMI or the SCAMPI appraisal method.  Therefore, buyers must be able to select the CMMI service provider whose attitude, knowledge, and experience suits their needs.  After all, the model and appraisal process can allow for a wide variety of strategies, tactics, and contexts, but not every consultant or appraiser will (or can) allow for it.

What this means, in practical terms, is that buyers of CMMI services must be able to interview potential consultants and lead appraisers for their attitude towards, and knowledge and experience in practice implementation, evidence of practice implementation, and artifacts of the implementation.  Furthermore, buyers must interview providers for the ability of the provider to pick up on, adapt, and appreciate the context in which the model has been or will be implemented.

The easiest example(s) to provide relate to whether the consultant or lead appraiser can communicate with the buyer in terms the buyer understands such as: being a small outfit, or using Agile development methods, or being embedded with the client and using the client's practices as well as their own.  Another relevant inquiry is if the buyer can give or ask for some examples of practices as actually carried-out in or envisioned for their organization, and guage the response from the potential CMMI service provider as to what they think of those practices.

The challenge in conducting such an interview is that the buyer must have enough of an understanding of the model and the appraisal process to be able to determine whether what they're hearing is the provider's opinion/approach or whether what they're hearing is dictated by the model or the appraisal process.  Sounds like an impossible task.  Fear not, some CMMI service providers will give you this sort of unbiased advice or even a quick education for free.  This FAQ and its contributors are aimed at providing this sort of advice because we feel it's to the detriment of the entire CMMI enterprise not to do so.  Sadly, rough estimates of the number of such providers puts the figure at about 5-10% of the entire authorized population.  As a character in a pretty good movie once said, "choose wisely".

Good luck!

Back to Appraisals/Ratings FAQs

Where can we see a list of organizations that have been appraised?

A: Finally!  A question with a simple, straight-forward and easy answer!

Simply visit the SEI's Published Appraisal Results System, (PARS) and put in your query.  It's fairly uncomplicated. 
There are, however, a few points to keep in mind:

Back to Appraisals/Ratings FAQs

What's the official record of the appraisal results?

A: The Appraisal Disclosure Statement (ADS) is the sole and entirety of the official results of the appraisal, regardless of what does or does not appear in the SEI's Published Appraisal Results System, (PARS).  Nothing in any appraisal presentation, and unlikely anything to be found framed and on the wall at a company, or printed on a large banner and hung from a footbridge are offical or complete indication of what exactly was appraised and the meaning and context of the results of an appraisal.  (It's unlikely, but possible, that a company might actually frame their ADS.  It's several pages long; but in the spirit of avoiding any absolutes we can't prove, above, we used the phrase "...and unlikely anything to be found...".)  In any case, the ADS is generated by the Lead Appraiser after all the other data has been collected and submitted to the appraisal system.  It's signed by the appraiser and the sponsor, and contains all the details of the appraisal, its circumstances, the explicit organizational unit to which the results apply, and the results themselves.  If someone were serious about determining whether an organization has been appraised, when, to what end, and to what scope, they should request to see the non-confidential parts (if any are even confidential) of the ADS.

Back to Appraisals/Ratings FAQs

Can we go directly to (Maturity or Capability) Level 5?

A: Technically, it *is* possible in the most explicit use of the term "possible" to be rated directly at maturity (or capability) level 5.  All this means (in the case of maturity level 5, for example) is that the organization was appraised performing the Specific Goals of all 22 process areas up to and including Generic Goal 3 of each process area.  The fact that they were not level-rated before this results in the organization having appeared as achieving ML5 "directly".

However, in reality, it's not likely that any organization would proceed to implement all 22 process areas without ever having performed any appraisals between the start of their process improvement program and their appraisal for ML5.  What is more likely is that at certain points the organization will conduct appraisals to gauge their progress.  Whether or not these intermediate appraisals were used to generate a level rating would be up to them.  There's no requirement that appraisals generate ratings, so an organization appraising at ML5 and receiving a rating may appear to have gone directly to ML5, when in fact they had several appraisals before then -- none of which generated a rating.

Of course, there's another reality to consider: the SEI reviews all high maturity appraisals very carefully.  If an organization has never had a CMMI (SCAMPI) appraisal prior to their appraisal for ML5, it will be viewed with even more scrutiny, and both the Lead Appraiser and the organization appraised can expect to get a call from the SEI's SCAMPI QA team.  Not to mention that not having any appraisals prior to the one aiming for ML5 is extremely risky.

Back to Appraisals/Ratings FAQs

CMMI, Agile, LifeCycles and other Process Concepts FAQs

What if our development life cycle doesn't match-up with CMMI's?

A: CMMI isn't a development life cycle.  It's a model for improving very particular areas of managing what goes on during development, regardless of the life cycle.  This is a central tenet of Entinex' approach to CMMI and we'll explain further soon.  Meanwhile check out our article where this subject comes up.

Back to Agile and Standards FAQs

Doesn't the CMMI only work if you're following the "Waterfall" model?

A: NO! CMMI is not about development life cycles.  While a fair criticism of CMMI is that many of the contributors come from a "Waterfall"- centric or a "Big Plan Up Front", "top-down" way of developing wares, they were at least careful not to box anyone into following a specific development method.  Nonetheless, it takes very deep understanding of the CMMI to implement it, regardless of which life cycle you follow.  We've got more to say on this, so check back in a bit.  Meanwhile, you can browse over to our AgileCMMI blog.

Back to Agile and Standards FAQs

How does CMMI compare with ISO/TL 9000 and ITIL? (or other standards?)

A: While there is considerable overlap between these models, frameworks, and "best" practices, they are different from each other and used for different purposes.  People who ask this question come from one (or both) of two camps:

(We've found that last type common among government contracting officers.)

Let's address a question of "standards" first.

The process areas and the practices within them are not intended on being or replacing any technical "standard" for doing anything.  Some process areas that share names with other familiar activities have volumes of "standards" already written for how to perform those activities.  Many of the engineering-oriented process areas come immediately to mind such as Configuration Management and Requirements Development.  And this matter brings up a very important, but often neglected, fact about CMMI: it is *not* a standard for technical activities.  And, for whatever CMMI *is* supposed to be used for, it does *not* a prescribe how to do anything in it.

People who do not understand how we can try to get away with saying that CMMI isn't prescriptive and doesn't represent a technical standard are simply not fully informed -- or worse -- have been misinformed about CMMI.  We'd really love an opportunity to set the record straight.

CMMI is about improving management processes associated with developing and delivering technical products and services.  CMMI is not about the technical processes needed to actually do the developing and delivering.  The CMMI "process areas" are what the authors believe to be important elements that contribute to a systematic ability to affect process improvement in and among (the management of) those technical process and practices that actually develop and deliver the products and services.

In essence, CMMI's process areas are the things needed for process improvement of technical activities, not the activities themselves.
What CMMI is saying is:
In order to improve your processes, you need to manage your requirements, risks and configurations; you need to plan, monitor and control your projects; you need to measure and analyze the output of your efforts; you need to actually pay attention to the performance of your project to how well they follow processes and to whether your processes are working out for you.
CMMI then says: if you really want to get good at these things you'd have be making a focused effort on your processes, you'd have standardized process assets, an organization-wide training program and a formality to your technical activities that might otherwise be left to fend for themselves.
For the true process zeal: you'd be able to quantify the performance of your projects and processes and you'd be able improve them by focusing on what numbers tell you to focus on, not just what people gripe about the most.  CMMI also says that if you're going to do a process, you should have a policy for doing it, a plan for it, resources, assignments, process-level training, stakeholder involvement, and other activities to make them stick.

If process improvement is what you want, it only makes sense, doesn't it?
(The types of activities mentioned here are from the process areas and generic practices, in case they weren't familiar to you.)

You see, CMMI has a number of process areas that are needed for technical activities, but their presence in CMMI is because these process are also needed for process engineering just as much as they are needed for technical engineering.

SO, if we disassemble a process area into its purpose and goals in light of the above understanding we will see that the purpose and goals are not oriented at technical activities, they're oriented towards process improvement activities.  We can hope that in this context, the matter of whether CMMI is a technical standard can be laid to rest, and, we hope that we bring a deeper appreciation for how CMMI works.

With that, we can simply explain that ISO/TL 9000 and ITIL have a different focus than CMMI, and just like CMMI has process engineering processes that sound similar to technical engineering processes, these other bodies of knowledge also have their similar-sounding activities that are needed and relevant for the purpose they each represent.  Since this isn't a FAQ about ISO/TL 9000 or ITIL, we hope it's enough of an answer for now to explain that wherever CMMI has a practice that seems like it's also in another body, CMMI does not innately conflict with the others.... there are ways of implementing CMMI that can make them all work well... however, an organization can go about implementing any practice under the sun that could conflict with some other practice, CMMI or otherwise, but it would not be because of anything in CMMI.

Back to Agile and Standards FAQs

Aren't CMMI and Agile methods at opposite ends of the spectrum?

A: Not at all.  We've got A LOT of content on this subject!  Instead of being very redundant by putting something here, please check out the blog on that topic, and the SEI's Technical Note, CMMI or Agile: Why Not Embrace Both!.

How are CMMI and SOX (SarBox / Sarbanes-Oxley) Related?

A: They're not.  Well... at least not in the way that many people think they might be.
See, many people think that because the Sarbanes-Oxley Act of 2002 (which we'll just call SarBox) frequently involves business process and IT infrastructure and related systems, that it involves CMMI.  But, in actually, the connection to CMMI is rather weak and always is a function of the organization's intentional effort to connect the two.

SarBox is about public company corporate governance.  It is a US law that aims to eliminate the excuse by corporate leaders of public companies that they "didn't know" some bit of information about their company that could result in mistakes (or outright lies) about accounting, work-in-process, inventory, earnings reports, valuations, sales/revenue forecasts, and so on.

Its origin is in the several accounting scandals revealed in the late 1990's and early 2000's.

The intersection of SarBox and CMMI is only in that companies working towards SarBox compliance are very often relying on systems and software to help them achieve their compliance.  When a company says to an auditor, "our software (or systems) are capturing the data, and we rely on that data to be SarBox-compliant," then they might get into questions about the system's requirements, design, configuration, etc.

A company in such a position might look towards CMMI for ways of improving the management of their development practices if, in fact, they are relying on those practices to maintain their SarBox compliance.

The simple answer is this: SarBox and CMMI are not related and don't have similar practices, EXCEPT that some companies *make* them related because of the context in which they're using technology to be SarBox-compliant, and, their reliance on technology development disciplines and/or institutionalization of process improvement disciplines to make sure they have a handle on how they run the company.

That said, another quick connection between SarBox and CMMI is that a company already familiar with CMMI might want to use the GPs and perhaps a few PAs to deploy whatever they need to deploy to "establish and maintain" SarBox compliance.  (Sorry, couldn't resist!)

There's another angle to mention:

Many executives seem to have the nasty trait of putting anything that looks, smells, sounds, tastes or feels like "compliance" requirements into the same "bucket".

When they make this mistake, they then jump to a conclusion that goes something like this:

"This is compliance, that is compliance, and that over there is compliance too.  They must all be related, and therefore redundant.  Which is best?  Which is easiest?  Which is cheapest?  Which should I do first?"

This, of course, is utter nonsense, but it happens.  The fact that implementation of these process-related concepts must be driven by the context of the business is just ignored.  It is a symptom of an organization looking for the marketing benefit of some auditable achievement and not the benefit of the concepts behind the effort.

Though, in fairness, companies that must comply with SarBox don't have a choice, unless they can afford to go private by buying back all their stock.

Back to Agile and Standards FAQs

SEI FAQs

Isn't this just a cash cow for the SEI?

A: Um, well, yeah... but as far as the SEI goes, they're just, in effect, a DOD contractor in all this.  You see, the DOD put out an RFP for some university-based research/think-tank to come up with a "solution" to the problem of abysmal performance of software projects.  The SEI was what the winning proposal would "get". And so, Carnegie Mellon University beat out the University of Maryland in the competition to host the SEI.  The DOD liked CMU's proposed CMM (for software) approach for improving the quality, cost, and schedule fidelity of software development more than they liked U of M's Goal-Quality-Metric approach.  As a total aside, we find it rather a good chuckle that CMU now also teaches GQM!

But, we digress.  SEI is mandated to work on and continuously improve the field and body of knowledge for software management and engineering.  That's how we now have CMMI v1.2 and a bevy of other process, engineering and management tools, models, courses, etc., where we started out with just CMM for software.  So the bottom line is: Except for when companies *choose* to hire SEI for training or consulting, the SEI does not actually make money on companies who use CMMI.  The majority of materials are free because they were developed with taxpayer money, and those things that aren't free are cost-recovery for administration of everyone using SEI services and licensed products.  Let's be clear about something: organizations do not need SEI to improve their processes, and if companies want to avoid what they perceive as high costs, they can invest a relatively small amount to grow their own internal CMMI and SCAMPI wherewithal.

Back to SEI FAQs

What makes SEI the authority on what are "best practices" in software?

A: Lest you think SEI is entirely made-up of ivory-tower academic pinheads, you'd be surprised to learn that SEI is still a university research institute, and as such is as worried as any business or school would be about their credibility, keeping their knowledge-base up-to-date with the latest research, techniques, technology and tools.  Besides that, the vast majority of people who work on the CMMI come from industry, not academia.  The list of contributors and reviewers is as impressive as it is long.  While even we concede that the list is a bit heavy with companies who are Federal contractors and companies who can be described as large, deep-pocketed organizations with plenty of ability to absorb overhead, if we want to be fair, we should note that such companies are not alone, and, that they were among the few companies who showed any interest when things got kicked off.  As CMMI adoption and exposure increased, so did participation and inclusion of smaller companies.

It's not so much, then, that SEI is the authority, it's the collection of expert software practitioners from across the business spectrum who are the authority.  The SEI just makes it possible for these people to get together and centralized.

The question of whether or not there are actual *best* practices is out of scope for this FAQ.  Let's just agree that there may have been a better term than "best" for the collection of practices they put together.

Back to SEI FAQs

Do the Lead Appraisers work for the SEI?

A: Not all of them.  In fact, just a few do.  The rest are licensed to appraise through Partners (formerly known as Transition Partners), and some of them are also "visiting scientists" -- a loose way of saying "very part time".  SEI does however administer and train people to be authorized to take leadership roles and responsibilities for leading appraisals and delivering Introduction to CMMI instruction.

In particular, SEI controls very closely how and when it allows people to become SCAMPI Lead Appraisers.  Even still, while the cadre of people with the authority to observe candidate Lead Appraisers on behalf of the SEI is small, only a few of them are actually SEI employees.  The rest are visiting scientists.

Back to SEI FAQs

What's a "Transition Partner"?
What's the "Partner Network"?

A: Transition Partner is the name previously used for companies/organizations in the SEI's Partner Network.  In 2006, the name given to this program (and to these organizations) was changed from Transition Partner to Partner Network.  These are organizations (companies, individuals) who holds a license from the SEI to use SEI materials and perform "official" activities which are registered with the SEI such as formal, reported SCAMPIs and training.  The original term "Transition Partner" comes from the concept of companies who are out in the field as SEI's partners helping other organizations transition to using CMMI.

All individuals wanting to be authorized to do things by the SEI in any way must be sponsored through a Partner and pay a licensing fee for each credential they want to hold.

Back to SEI FAQs

How do we report concerns about ethics, conflicts of interest, and/or compliance?

A: Waste, Fraud, Abuse, and Noncompliance with Policies Harms Everyone.  If you have concerns about the truth behind an organization's rating, or about the ethics, compliance or conflict-of-interest of a consultant or appraiser, we strongly encourage you to report these concerns to the SEI.  You may also want to review the SEI's Partner policies, here, as well to ensure your concern is properly supported.  All authorized and licensed individuals and organizations must operate through a Partner, so all investigations will include an inquiry to the Partner.

The SEI's Conflict of Interest form is here,
The web form to report concerns over Ethics and Compliance is here,
The US Hotline Phone Number (24/7/365) is: 1-877-217-6316, and
The direct reporting email address for Ethics and Compliance concerns is: ethics-compliance-reporting@sei.cmu.edu.

We sincerely hope you never have to use any of them, but if you do, we're very sorry.  And, we hope you are undeterred from your process improvement aspirations.

Back to SEI FAQs

Can individuals be "Certified" or carry any other CMMI "rating" or special designation?

A: Individuals can become:

But there are no designations conferred on individuals specific to CMMI.  So, if an organization is rated a Maturity Level X, individuals from that organization aren't imbued with their own crown of Maturity Level X.  Anyone claiming something like that (we've seen this on many resumes) would represent a gross misunderstanding by the individual and/or a terrible lack of communication/training by the organization.

Also, taking Introduction to CMMI, or even the next class, Intermediate Concepts of CMMI, does not designate a person as a "certified" or "authorized" CMMI consultant. (We've seen that too.)

Currently, there are no SEI-authorized "Certified CMMI Consultant" designations whatsoever.

Back to SEI FAQs

Training FAQs

Is there required training to "do" CMMI?

A: That depends on what you want to accomplish.

Back to Training FAQs

Who can provide CMMI-related training?

A: The SEI itself, and people authorized by SEI *and* working through a Partner can deliver any training they are authorized to deliver -- if the expectation is that there will be some official registration of the that training event.  If there is no such expectation of a Certification of Completion, or if there is no intention of using the training as a pre-requisite to future activities, the training is not controlled.  Be sure to be clear with whoever you are receiving the training from about their authority to deliver the expected outcome.
At this time, the SEI is the only source for CMMI-related model training other than Introduction to CMMI.

Back to Training FAQs

What sort of CMMI-related training is there?

A: The following are the basic CMMI courses.  The SEI also adds specialized courses all the time.  Follow this link for the SEI's list of courses:

Back to Training FAQs

How can we learn about the appraisal process?

A: For that we have some bad news.
There are only three ways to learn about the appraisal process, and one of them is not recommended, and another requires a lot of commitment:

Back to Training FAQs

Specific Model Content FAQs

What is the exact difference between GP 2.8 and GP 2.9?

A:It can be confusing.  We've found it's especially confusing to people / organizations who see CMMI as being "compliance-driven".

Mostly, because they don't see the difference between "monitoring and controlling" the process and "objectively evaluating" the process.  And, part of it is due to the fact that these two phrases are incomplete.  To understand these two generic practices requires that we read the complete practice statement, not justthe title of the practice (which is good advice for any practice!) as we spell it out here.

GP 2.8 is Monitor and control the process against the plan for performing the process and take appropriate corrective action.  [Emphasis added.]  In other words, GP 2.8 is tied to GP 2.2, Establish and maintain the plan for performing the process.  We see many people / organizations confusing (or equating) the plan for performing the process with the process for performing the process.  The plan addresses the resources, timing, tasks, and so forth, for seeing that the process *will* get done at the project level, not necessarily *how* it will get done.  The plan is merely knowing how the process will be assured of getting done, not necessarily and not only about getting done right.  Sure, it's common to find the process embedded in or referenced by the plan, but that doesn't eliminate the distinction between the plan(s) and the process(es).

A process can be done by the right person, at the right time, using the right resources, and take as long as expected, and still not be done according to the way the process was supposed to be done.  (That's what GP 2.9 is for.)  How can a process be executed according to the plan and still not be done according to the process descriptions?  Simple: the plan might refer to the process description but whoever performed the process didn't use the process description, or, the project might have created its own procedure but misinterpreted the process and therefore the procedure doesn't really get the process done.  Make sense?

Effectively, you can monitor and control the process just as you would (and when you would) be monitoring and controlling activities of the project.  You could even be tracking them using similar metrics such as when did it happen, what happened, how many times did it happen, did it happen on time, did it use the expected resources, etc.  And, that's the real distinction between GP 2.8 and GP 2.9.  GP 2.9 is Objectively evaluate adherence of the process against its process description, standards, and procedures, and address noncompliance.  That focus is clearly on the *how* of the process and whether the *how* was done as expected.  An organization may execute a process according to its plan, but do so in a way entirely not according to the process (even in a good way), and conversely, the process could be performed exactly according to the process expectation, but done entirely late, or taking too long, or not by the right people.  Hence, the distinct activities of checking that the process was done *both* according to plan, *and* as expected to be done.

Thanks to Gino Tudor for asking this question!

Back to Specific Model FAQs

CMM, CMMI, and SCAMPI are ® registered in the U.S. Patent and
Trademark Office by Carnegie Mellon University.
All other content © Entinex, Inc. (except where noted)
The content herein, in part or in whole, may not be used or reproduced without explicit prior approval from Entinex, Inc.
(Just ask, we'll probably let you use it.)
Please read our disclaimer.