CMMI V3.0 has long kept everyone (consultants and LAs alike) on tenterhooks. In this article, we have attempted to interpret it to save you time. If we start by looking back at 2018, CMMI V2.0 marked a significant change, shifting from traditional process improvement to continuous outcome-based enhancement, leading to notable improvements in quality, productivity, profitability, and efficiency for organizations following CMMI guidelines.
After ruling the roost all these years, In 2023, CMMI V2.0 took a backseat when ISACA unveiled CMMI V3.0, devised by feedback from CMMI partners, end-users, and customers. It positions itself as adept at keeping pace with rapid technological advancements, information expansion, and dynamic global events.
CMMI V3.0 introduces three new domains—Data, People, and Virtual—alongside existing V2.0 domains like Development, Services, Suppliers, Safety, and Security. This updated model appears more promising and flexible, offering numerous potential advantages for tech and product development companies.
How new CMMI can help organizations in meeting various business and stakeholders’ requirements:
In summary, by incorporating the new virtual, safety, and security domains, companies can enhance compliance efforts and service delivery optimization. It ensures improvement in various management aspects, including threat handling, hazard analysis, security protocols, and cyber security measures.
It also facilitates inclusion of safety and security-related standards and frameworks referenced or covered in CMMI 3.0, such as NIST Special Publications, IEC Standards, GDPR, ITIL, and ISO Certifications. Additionally, companies can plan to add the People domain, enhancing HR practices for people-centric management.
CMMI provides a structured roadmap for organizations to progress from informal to consistent processes. CMMI Version 3.0 offers advantages for operational optimization, introducing process enhancements. Its updated architecture streamlines the update process, reducing time and resource requirements.
Version 3 introduces significant improvements over the previous 2.0 version. Key changes include:
Key Features:
Compared to the previous version, CMMI V3.0 expands its focus beyond Development, Services, or Supplier Agreement Management. It now includes best practices in security, safety, data management, people management, and workforce management, creating a unified and highly adaptable model of best practices.
The new CMMI V3.0 Model comprises four (4) Category Areas, twelve (12) CMMI V2 Capability Areas, and thirty-one (31) Practice Areas.
CMMI V3.0 Category Areas
There are four (4) CMMI Category Areas, which are clusters of interconnected areas specifying practices aimed at enhancing performance within the defined activities of an organization or project.
In each Category Area, there are clearly defined Capability Areas. These represent coherent sets of related practices commonly encountered by organizations during product and service development and delivery.
CMMI Capability Areas
In CMMI Maturity Level 1 (ML1), organizations align with the intentions of Practice Area(s), although the practices are not fully executed. Typically, the approach is reactive when dealing with issues.
At CMMI Level 2, organizations actively implement practices to fulfill the intentions of Practice Area(s), proactively addressing issues and achieving program objectives. It’s important to note that CMMI Level 2 does not require the use of organizational assets.
At CMMI Maturity Level 3, organizations integrate organizational standard practices, assets, and tailoring to systematically address issues, achieve organizational and program objectives, and emphasize overall quality. It’s worth noting that at Maturity Level 3, the following Practice Areas are assessed (Configuration Management does not have any additional practices at Maturity Level 3).
For advancement to CMMI ML4, organizations must have controlled processes, measured using statistical and quantitative techniques and prediction tools to achieve quality, performance, and objectives. The following Practice Areas are assessed at Maturity Level 4, in addition to those listed above:
Finally, to achieve CMMI ML5, organizations need to optimize process improvement through the use of statistical and quantitative techniques. The following Practice Areas are assessed at Maturity Level 5, in addition to those listed above:
Primarily in CMMI Version 3.0 there are thirty-one (31) applicable Practice Areas. Key changes between V2.2 and V3.0 are the additions of new Practice Areas (Data Management (DM), Data Quality (DQ), Workforce Empowerment (WE)), the removal of the Supplier Source Selection (SSS) Practice Area, from which context was extracted and incorporated into the Supplier Agreement Management (SAM) Practice Area. Lastly another change to observe is the new name for the Enabling Virtual Solution Delivery (EVSD) to Enabling Virtual Work (EVW).
CMMI V3.0 Practice Areas
What we gain – When comparing CMMI V3.0 with the predecessors, there’s a significant gain in terms of:
The main changes brought-in –
Changes in the Development and Services Model Practices
Here are the updates made to the Supplier Agreement Management (SAM) practices:
New Available Practice Areas
The main purpose of CMMI V3 is to promote various Process Areas (PAs), including Data Management (DM), Data Quality (DQ), Enabling Safety (ESAF), Enabling Security (ESEC), Enabling Virtual Work (EVW), Managing Security Threats & Vulnerabilities (MST), and Workforce Empowerment (WE). These PAs are optional and are structured around the Plan-Do-Check-Act cycle. However, there’s a concern that organizations might define the activities within these PAs too narrowly, potentially leading to trivial implementations. Over time, it will become clear which organizations adopt these PAs.
So, keeping in mind the entire discussion above, the conclusion can be summarized in the below 2 points:
Now that you have got the essence of the changes that CMMI V3.0 brings along, let’s throw a glance at some important considerations that emanate from this transition:
If your organization is considering CMMI V3.0 implementation, we are here to guide you: Simply put, although Maturity Level 2 now encompasses all Practice Areas (PAs), it doesn’t mandate adopting them all simultaneously. Instead, prioritize based on your specific challenges. Here are some suggestions:
You have two primary paths to consider:
Considering the growing prevalence of remote work, it’s crucial to adapt CMMI 3.0 principles and practices to support and enhance remote collaboration and productivity. Establishing an effective strategy for virtual work is key to improving delivery efficiency, reducing travel costs, and seamlessly executing remote tasks. This involves continuously identifying, evaluating, and managing virtual requirements and constraints.
A comprehensive approach necessitates coordinating virtual work, teams, and projects, considering various factors like personnel, processes, technical aspects, and security. Organizations must identify stakeholders, tasks, and limitations while prioritizing security, privacy, confidentiality, and data protection.
Implementation includes enforcing communication controls, ensuring resource availability, and adopting measures to enhance organizational resilience. Equipping personnel with tools and techniques for effective virtual work is essential, requiring alignment with evolving customer and business needs. Regular assessments facilitate ongoing improvements and innovations.
This approach also considers virtual delivery criteria to ensure effectiveness, efficiency, and quality while addressing security and privacy concerns. Contingency plans are developed to manage potential disruptions, focusing on people, processes, infrastructure, and tools/systems. Standardized collaboration platforms and protocols support organization-wide communication and collaboration, fostering optimal productivity, adaptability, and resilience in a digital and remote work environment.
The CMMI Virtual Work domain and practices involve systematically identifying, assessing, and addressing virtual, remote, and hybrid work requirements, constraints, and flexible solutions. These three new domains complement the existing ones: Development, Services, Supplier Management, Security, and Safety.
Summarizing this, we would like to quote the ISACA resources –
“CMMI has a proven track record in addressing problems all across the organization, focusing on outcome-based performance for faster, cheaper and better results.
This new model (V3.0) addresses and helps optimize key areas that are top of mind for many organizations right now around data quality and management as well as how they can ensure their people are performing at their full potential,” says Ron Lear, ISACA vice president, frameworks and models. “This just enhances what has already been the gold standard in providing a prioritized pathway to launch products, provide services, and manage suppliers to achieve goals with measurable outcomes, with added bonus of making everyone’s job easier along the way.”
(Ref: https://www.isaca.org/)
Integration of CMMI 3.0 with Cybersecurity Practices is capable of leveraging CMMI for Enhanced Cybersecurity Processes and Resilience. Below is a slight elaboration for a better clarity:
Enabling Security: Establishing and sustaining comprehensive security measures are central to enabling security. This proactive approach anticipates and addresses security issues to minimize their impact on the organization or its solutions. It’s an ongoing effort aimed at mitigating the effects of security threats and vulnerabilities on business operations. Security requirements encompass various aspects including physical, mission-related, personnel-related, process-related, and cybersecurity aspects. The foundational “CIA triad” (Confidentiality, Integrity, Availability) underscores the importance of data protection, preventing unauthorized alterations, and ensuring authorized access. Organizational security employs a defense-in-depth strategy, incorporating multiple security layers to defend against various attack vectors.
Managing Security Threats and Vulnerabilities: Managing security threats and vulnerabilities involves identifying potential risks, assessing their impacts, and implementing measures to address and mitigate them. This practice enhances an organization’s ability to recognize, mitigate, and recover from threats, contributing to overall risk management efforts. A systematic approach prioritizes critical risks based on their potential business or solution impact. Establishing a continuous threat and vulnerability management strategy throughout the project or solution lifecycle includes developing security risk and opportunity management plans, identifying risk sources, analyzing risks, and executing security measures. Regular security risk assessments prevent incidents, bolster customer confidence, and reduce incident and vulnerability management efforts.
Both enabling security and managing security threats and vulnerabilities are essential for maintaining a secure and resilient organizational environment. They safeguard critical assets and uphold the organization’s reputation and trustworthiness.
“Cybersecurity is the leading corporate governance challenge today, yet 87% of C-suite professionals and board members lack confidence in their company’s cybersecurity capabilities. Many CISOs and CSOs focus on implementing standards and frameworks, but what good is compliance if it does not improve your overall cybersecurity resilience?” – The CMMI Institute
Let us now take a deep dive into how organizations are successfully integrating Agile methodologies with CMMI 3.0 and explore best practices, challenges, and the benefits of combining these approaches:
CMMI V3.0 has also updated Context Specific Information by adding specific details for Data, DevSecOps, and People across both core and domain Practice Areas. The Context Specific information previously referred to as Agile with Scrum Guidance has been renamed to Agile Development, with all content revised for better clarity.
The Agile Approach, outlined in the Agile Manifesto, lays out principles for software projects characterized by collaborative, cross-functional teams closely interacting with customers. The primary aim is to deliver regular increments of functional software capability, ensuring satisfaction among customers and end users. Agile follows an iterative and time-boxed software delivery approach, emphasizing incremental building from the project’s outset rather than attempting comprehensive delivery at the project’s end. This methodology involves breaking projects into small units of user functionality called user stories, prioritizing them, and consistently delivering them in short two- or three-week cycles known as iterations. Agile frameworks are iterative and adaptable to evolving requirements.
The Capability Maturity Model Integration – Development (CMMI-Dev) is a framework designed to assist organizations in achieving and institutionalizing process maturity. Encompassing maturity levels 1-5, this model offers a comprehensive approach, emphasizing a process-centric alignment of operations with organizational objectives. Its goal is to enhance organizational performance and product quality by establishing a structured and mature approach to processes.
Simply put, Agile methodologies dictate HOW tasks should be executed, while CMMI specifies WHAT tasks should be undertaken. The perceived conflict between CMMI and Agile arises from Agile’s focus on deliverables directly contributing to the product, with any non-contributing deliverables seen as potential waste.
Looking into the future of CMMI and Agile, the latest version of the CMMI model (version 2.0) was released in March 2018, which includes specific Agile practices. Key improvements in CMMI V2.0 focus on enhancing Agile resilience and incorporating the latest trend methodologies used in the market.
Thus, CMMI processes, particularly at maturity level 4, can provide systems engineering practices that support an Agile approach, especially in large projects. Blending CMMI level 4 and Agile methodologies can result in successful software project delivery. The alignment and coordination activities necessary for larger, complex projects are outlined in the systems engineering practices found in various CMMI process areas, providing a safety net to reduce the risk of project failure. Organizations aiming to adopt Agile processes should consider CMMI level 4 as a means to achieve excellence in software development.
Although CMMI (Capability Maturity Model Integration) primarily serves as a framework for organizational process improvement, its advantages may not be immediately apparent to the average person. However, the effects of CMMI V3.0 can indirectly influence individuals in several ways:
Although individuals may not directly observe the impact of CMMI 3.0, its principles contribute to a more organized, efficient, and customer-focused business environment, indirectly benefiting consumers in various ways.
We, at ABS, have undertaken 50+ CMMI projects across various time zones. Do Contact Us here or drop-in your enquiry for us to get back to you with an extensive project proposal and time line.
You may also be interested in knowing more about CMMI in general. Please browse through the content here Capability Maturity Model (CMMi)
Kindly visit our Services page to explore more about our offerings.