Post

SecConcept -CMMI Capability Maturity Model Integration

[toc]


CMM - Capability Maturity Model Integration

Capability Maturity Model Integration (CMMI)

  • a process level improvement training and appraisal program.
  • Administered by the CMMI Institute, Subsidiary of “ISACA”
  • required by many U.S. Government contracts, especially in “Software development”.
  • CMMI can be used to guide process improvement across a project, division, or an entire organization.
  • may also be used as a framework for appraising the process maturity of the organization.
  • CMMI defines the following maturity levels for processes: Initial, Managed, Defined, Quantitatively Managed, and Optimizing.

Originally CMMI addresses three areas of interest:

  1. Product and service development – CMMI for Development (CMMI-DEV),
  2. Service establishment, management, – CMMI for Services (CMMI-SVC),
  3. Product and service acquisition – CMMI for Acquisition (CMMI-ACQ).

In version 2.0 these three areas (that previously had a separate model each) were merged into a single model.


Representation

CMMI existed in two representations:

  • continuous and staged.
  • the continuous representation allow the user to
    • focus on the specific processes that are considered important for the organization’s immediate business objectives,
    • or those to which the organization assigns a high degree of risks.
  • The staged representation
    • provide a standard sequence of improvements,
    • can serve as a basis for comparing the maturity of different projects and organizations.
    • The staged representation also provides for an easy migration from the SW-CMM to CMMI.

CMM衍生出了一些改善模型,比如:

  1. SW-CMM (Software CMM) 软件CMM
  2. SE-CMM (System Engineering CMM) 系统工程CMM
  3. SA-CMM (Software Acquisition CMM) 软件采购CMM
  4. IPT-CMM (Integrated Product Team CMM) 集成产品群组CMM
  5. P-CMM (People CMM)人力资源能力成熟度模型

The CMMI Process Areas (PAs) can be grouped into the following 4Each process area is defined by a set of goals and practices. There are two categories of goals and practices:

Generic goals and practices: They are part of every process area.

Specific goals and practices: They are specific to a given process area. categories to understand their interactions and links with one another regardless of their defined level:

  • Process Management
  • Project Management
  • Engineering
  • Support

Each process area is defined by a set of goals and practices.

  • There are two categories of goals and practices:
  • Generic goals and practices: They are part of every process area.
  • Specific goals and practices: They are specific to a given process area.

Maturity levels for services

Screen Shot 2020-11-29 at 17.49.27

The process areas below and their maturity levels are listed for the CMMI for services model:

Maturity-Levels

603af918fcd7d6544d7796ff9a1d5c0b

CMMI-Reference-Model-See-ISACA-for-details-on-CMMI-https-cmmiinstitutecom

CMMI Maturity Levels

unnamed

cmmi_en

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
| Level:        | Maturity Level 1 – Initial 初始级        | Maturity Level 2 – Managed                      | Maturity Level 3 – Defined / Standardized               | Maturity Level 4 – Quantitatively Managed           |   Maturity Level 5 – Optimizing / Innovation    |
| ------------- |-----------------------------------------|------------------------------------------------ |-------------------------------------------------------- | --------------------------------------------------- | ----------------------------------------------- |
| Character     | - poor control 软件过程是无序 甚至混乱的    | - 制定了必要的过程纪律 能重复类似项目取得的成功经验     | - develop standard processes, measures and trining      | - Process measured and Controlled                    | - Focus on process improvement                  |
|               | - process unpredictable 对过程几乎没有定义 | - build disciplined work unit management         |   for product and service offerings                     | - 分析对软件过程和产品质量的详细度量数据,对软件过程和产品都有| - 过程的量化反馈和先进的新思想、新技术                |
|               | - 成功取决于个人努力                       |   to stabilise work and conrol commitments      | - 将软件管理和工程两方面的过程文档化 标准化 综合成标准软件过程    |   定量的理解与控制。                                   |   促使过程持续不断改进。                           |
|               | - poorly reactive 管理是反应式的          | - process are planned, documented, performed,   | - 所有项目均使用经批准 剪裁的标准软件过程来开发和维护软件        | - 管理有一个作出结论的客观依据 管理能够在定量的范围内预测性能 | - Implement continuous proactive through        |
|               | - motivate people to overcome problem   |   monitored and controlled at project level     | - 软件产品的生产在整个软件过程是可见的                        | - exploit benefits of standardization               |   incremental and innovative technological      |
|               |   just "get the job done"               | - often reactive                                | - Process, standards, procedures, tools... are defined   | - Process are controlled using statistical and      |   improvement to achieve business goals         |
|               |                                         |                                                 |   at the organizational level.                          |   other quantitative techniques                     |                                                 |
|               |                                         |                                                 | - Proactive                                             |                                                     |                                                 |
|               |                                         |                                                 |                                                         |                                                     |                ---
| ------------- |-----------------------------------------|------------------------------------------------ |-------------------------------------------------------- | --------------------------------------------------- | ----------------------------------------------- |
| Description   | - Firefighting, heroic efforts          | - basic project management, many times reactive | - Process Standardization                               | - Quantitative Mangement                            | - continuous process improvement      ---
| ------------- |-----------------------------------------|------------------------------------------------ |-------------------------------------------------------- | --------------------------------------------------- | ----------------------------------------------- |
| Capabilities  | - design, develop, integrate, test      | * CM – Configuration Management                 | * CAM – Capacity and Availability Management            | – Quantitative Process Management                   | * OPM – Organizational Performance Management.  |
|               | * REQM – Requirements Management        | * MA – Measurement and Analysis                 | * DAR – Decision Analysis and Resolution                | * OPP – Organizational Process Performance          | * CAR – Causal Analysis and Resolution.         |
|               | * SAM – Supplier Agreement Management   | * PPQA – Process and Quality Assurance          | * IRP – Incident Resolution and Prevention              |                                                     |                                                 |
|               | * SD – Service Delivery                 |                                                 | * IWM – Integrated Work Managements                     |                                                     |                                                 |
|               | * WMC – Work Monitoring and Control     |                                                 | * OPD – Organizational Process Definition               |                                                     |                                                 |
|               | * WP – Work Planning                    |                                                 | * OPF – Organizational Process Focus                    |                                                     |                                                 |
|               |                                         |                                                 | * OT – Organizational Training                          |                                                     |                                                 |
|               |                                         |                                                 | * RSKM – Risk Management                                |                                                     |                                                 |
|               |                                         |                                                 | * SCON – Service Continuity                             |                                                     |                                                 |
|               |                                         |                                                 | * SSD – Service System Development                      |                                                     |                                                 |
|               |                                         |                                                 | * SST – Service System Transition                       |                                                     |                                                 |
|               |                                         |                                                 | * STSM – Strategic Service Management       ---
| ------------- |-----------------------------------------|------------------------------------------------ |-------------------------------------------------------- | --------------------------------------------------- | ----------------------------------------------- |
| result        | - risk and waste                        | - risk and waste 6 : Productivity and Quality 4 | - risk and waste 4 : Productivity and Quality 6         | - risk and waste 2 : Productivity and Quality 8     | Productivity and Quality                        |
|               | - ad hoc processes                      | - Repeatable practices                          | - Productivity growth                                   | - Stable processes                                  | Planned innocations                             |
|               | - inconsistent outcomes                 | - Reduces rework                                | - Effective automation                                  | - Reuse/knowledge management                        | Change management                               |
|               | - rework                                | - Satisfied commitments                         | - Economy of scale                                      | - Predictable results                               | Capable processes                               |
|               |                                         |                                                 |                                                         |                                                     |                                                 |


Security

To address user security concerns, two unofficial security guides are available.

  • OPSD – Organizational Preparedness for Secure Development
  • SMP – Secure Management in Projects
  • SRTS – Security Requirements and Technical Solution
  • SVV – Security Verification and Validation

While they do not affect maturity or capability levels, these process areas can be reported in appraisal results.


Process Areas Detail:

The CMMI contains 22 process areas indicating the aspects of product development that are to be covered by company processes.


1. Causal Analysis and Resolution (CAR) Support Level 5

Purpose: identify causes of defects and other problems and take action to prevent them from occurring in the future.

Specific Practices by Goal

  • SG 1 Determine Causes of Defects
    • SP 1.1 Select Defect Data for Analysis
    • SP 1.2 Analyze Causes
  • SG 2 Address Causes of Defects
    • SP 2.1 Implement the Action Proposals
    • SP 2.2 Evaluate the Effect of Changes
    • SP 2.3 Record Data

2. Configuration Management (CM) Support Level 2

Purpose: establish and maintain the integrity of work products using configuration identification, configuration control, configuration status accounting, and configuration audits.

Specific Practices by Goal

  • SG 1 Establish Baselines
    • SP 1.1 Identify Configuration Items
    • SP 1.2 Establish a Configuration Management System
    • SP 1.3 Create or Release Baselines
  • SG 2 Track and Control Changes
    • SP 2.1 Track Change Requests
    • SP 2.2 Control Configuration Items
  • SG 3 Establish Integrity
    • SP 3.1 Establish Configuration Management Records
    • SP 3.2 Perform Configuration Audits

3. Decision Analysis and Resolution (DAR) Support Level 3

Purpose: analyze possible decisions using a formal evaluation process that evaluates identified alternatives against established criteria.

Specific Practices by Goal

  • SG 1 Evaluate Alternatives
    • SP 1.1 Establish Guidelines for Decision Analysis
    • SP 1.2 Establish Evaluation Criteria
    • SP 1.3 Identify Alternative Solutions
    • SP 1.4 Select Evaluation Methods
    • SP 1.5 Evaluate Alternatives
    • SP 1.6 Select Solutions

4. Integrated Project Management +IPPD (IPM) Project Management Level 3

Purpose: establish and manage the project and the involvement of the relevant stakeholders according to an integrated and defined process that is tailored from the organization’s set of standard processes.

Specific Practices by Goal

  • SG 1 Use the Project’s Defined Process
    • SP 1.1 Establish the Project’s Defined Process
    • SP 1.2 Use Organizational Process Assets for Planning Project Activities
    • SP 1.3 Establish the Project’s Work Environment
    • SP 1.4 Integrate Plans
    • SP 1.5 Manage the Project Using the Integrated Plans
    • SP 1.6 Contribute to the Organizational Process Assets
  • SG 2 Coordinate and Collaborate with Relevant Stakeholders
    • SP 2.1 Manage Stakeholder Involvement
    • SP 2.2 Manage Dependencies
    • SP 2.3 Resolve Coordination Issues

IPPD Addition:

  • SG 3 Apply IPPD Principles
    • SP 3.1 Establish the Project’s Shared Vision
    • SP 3.2 Establish the Integrated Team Structure
    • SP 3.3 Allocate Requirements to Integrated Teams
    • SP 3.4 Establish Integrated Teams
    • SP 3.5 Ensure Collaboration among Interfacing Teams

5. Measurement and Analysis (MA) Support Level 2

Purpose: develop and sustain a measurement capability that is used to support management information needs.

Specific Practices by Goal

  • SG 1 Align Measurement and Analysis Activities
    • SP 1.1 Establish Measurement Objectives
    • SP 1.2 Specify Measures
    • SP 1.3 Specify Data Collection and Storage Procedures
    • SP 1.4 Specify Analysis Procedures
  • SG 2 Provide Measurement Results
    • SP 2.1 Collect Measurement Data
    • SP 2.2 Analyze Measurement Data
    • SP 2.3 Store Data and Results
    • SP 2.4 Communicate Results

6. Organizational Innovation and Deployment (OID) Process Management Level 5

Purpose: select and deploy incremental and innovative improvements that measurably improve the organization’s processes and technologies. The improvements support the organization’s quality and process-performance objectives as derived from the organization’s business objectives.

Specific Practices by Goal

  • SG 1 Select Improvements
    • SP 1.1 Collect and Analyze Improvement Proposals
    • SP 1.2 Identify and Analyze Innovations
    • SP 1.3 Pilot Improvements
    • SP 1.4 Select Improvements for Deployment
  • SG 2 Deploy Improvements
    • SP 2.1 Plan the Deployment areas
    • SP 2.2 Manage the Deployment
    • SP 2.3 Measure Improvement Effects

7. Organizational Process Definition +IPPD (OPD) Process Management Level 3

Purpose: establish and maintain a usable set of organizational process assets.

Specific Practices by Goal

  • SG 1 Establish Organizational Process Assets
    • SP 1.1 Establish Standard Processes
    • SP 1.2 Establish Life-Cycle Model Descriptions
    • SP 1.3 Establish Tailoring Criteria and Guidelines
    • SP 1.4 Establish the Organization’s Measurement Repository
    • SP 1.5 Establish the Organization’s Process Asset Library

IPPD Addition:

  • SG 2 Enable IPPD Management
    • SP 2.1 Establish Empowerment Mechanisms
    • SP 2.2 Establish Rules and Guidelines for Integrated Teams
    • SP 2.3 Balance Team and Home Organization Responsibilities

8. Organizational Process Focus (OPF) Process Management Level 3

Purpose: plan and implement organizational process improvement based on a thorough understanding of the current strengths and weaknesses of the organization’s processes and process assets.

Specific Practices by Goal

  • SG 1 Determine Process Improvement Opportunities
    • SP 1.1 Establish Organizational Process Needs
    • SP 1.2 Appraise the Organization’s Processes
    • SP 1.3 Identify the Organization’s Process Improvements
  • SG 2 Plan and Implement Process Improvement Activities
    • SP 2.1 Establish Process Action Plans
    • SP 2.2 Implement Process Action Plans
  • SG 3 Deploy Organizational Process Assets and Incorporate Lessons Learned
    • SP 3.1 Deploy Organizational Process Assets
    • SP 3.2 Deploy Standard Processes
    • SP 3.3 Monitor Implementation
    • SP 3.4 Incorporate Process-Related Experiences into the Organizational Process Assets

9. Organizational Process Performance (OPP) Process Management Level 4

Purpose: establish and maintain a quantitative understanding of the performance of the organization’s set of standard processes in support of quality and process-performance objectives, and to provide the process performance data, baselines, and models to quantitatively manage the organization’s projects.

Specific Practices by Goal

  • SG 1 Establish Performance Baselines and Models
    • SP 1.1 Select Processes
    • SP 1.2 Establish Process Performance Measures
    • SP 1.3 Establish Quality and Process Performance Objectives
    • SP 1.4 Establish Process Performance Baselines
    • SP 1.5 Establish Process Performance Models

10. Organizational Training (OT) Process Management Level 3

Purpose: develop the skills and knowledge of people so they can perform their roles effectively and efficiently.

Specific Practices by Goal

  • SG 1 Establish an Organizational Training Capability
    • SP 1.1 Establish the Strategic Training Needs
    • SP 1.2 Determine Which Training Needs Are the Responsibility of the Organization
    • SP 1.3 Establish an Organizational Training Tactical Plan
    • SP 1.4 Establish Training Capability
  • SG 2 Provide Necessary Training
    • SP 2.1 Deliver Training
    • SP 2.2 Establish Training Records
    • SP 2.3 Assess Training Effectiveness

11. Product Integration (PI) Engineering Level 3

Purpose: assemble the product from the product components, ensure that the product, as integrated, functions properly, and deliver the product.

Specific Practices by Goal

  • SG 1 Prepare for Product Integration
    • SP 1.1 Determine Integration Sequence
    • SP 1.2 Establish the Product Integration Environment
    • SP 1.3 Establish Product Integration Procedures and Criteria
  • SG 2 Ensure Interface Compatibility
    • SP 2.1 Review Interface Descriptions for Completeness
    • SP 2.2 Manage Interfaces
  • SG 3 Assemble Product Components and Deliver the Product
    • SP 3.1 Confirm Readiness of Product Components for Integration
    • SP 3.2 Assemble Product Components
    • SP 3.3 Evaluate Assembled Product Components
    • SP 3.4 Package and Deliver the Product or Product Component

12. Project Monitoring and Control (PMC) Project Management Level 2

Purpose: provide an understanding of the project’s progress so that appropriate corrective actions can be taken when the project’s performance deviates significantly from the plan.

Specific Practices by Goal

  • SG 1 Monitor Project Against Plan
    • SP 1.1 Monitor Project Planning Parameters
    • SP 1.2 Monitor Commitments
    • SP 1.3 Monitor Project Risks
    • SP 1.4 Monitor Data Management
    • SP 1.5 Monitor Stakeholder Involvement
    • SP 1.6 Conduct Progress Reviews
    • SP 1.7 Conduct Milestone Reviews
  • SG 2 Manage Corrective Action to Closure
    • SP 2.1 Analyze Issues
    • SP 2.2 Take Corrective Action
    • SP 2.3 Manage Corrective Action

13. Project Planning (PP) Project Management Level 2

Purpose: establish and maintain plans that define project activities.

Specific Practices by Goal

  • SG 1 Establish Estimates
    • SP 1.1 Estimate the Scope of the Project
    • SP 1.2 Establish Estimates of Work Product and Task Attributes
    • SP 1.3 Define Project Life Cycle
    • SP 1.4 Determine Estimates of Effort and Cost
  • SG 2 Develop a Project Plan
    • SP 2.1 Establish the Budget and Schedule
    • SP 2.2 Identify Project Risks
    • SP 2.3 Plan for Data Management
    • SP 2.4 Plan for Project Resources
    • SP 2.5 Plan for Needed Knowledge and Skills
    • SP 2.6 Plan Stakeholder Involvement
    • SP 2.7 Establish the Project Plan
  • SG 3 Obtain Commitment to the Plan
    • SP 3.1 Review Plans that Affect the Project
    • SP 3.2 Reconcile Work and Resource Levels
    • SP 3.3 Obtain Plan Commitment

14. Process and Product Quality Assurance (PPQA) Support Level 2

Purpose: provide staff and management with objective insight into processes and associated work products.

Specific Practices by Goal

  • SG 1 Objectively Evaluate Processes and Work Products
    • SP 1.1 Objectively Evaluate Processes
    • SP 1.2 Objectively Evaluate Work Products and Services
  • SG 2 Provide Objective Insight
    • SP 2.1 Communicate and Ensure Resolution of Noncompliance Issues
    • SP 2.2 Establish Records

15. Quantitative Project Management (QPM) Project Management Level 4

Purpose: quantitatively manage the project’s defined process to achieve the project’s established quality and process-performance objectives.

Specific Practices by Goal

  • SG 1 Quantitatively Manage the Project
    • SP 1.1 Establish the Project’s Objectives
    • SP 1.2 Compose the Defined Processes
    • SP 1.3 Select the Subprocesses that Will Be Statistically Managed
    • SP 1.4 Manage Project Performance
  • SG 2 Statistically Manage Subprocess Performance
    • SP 2.1 Select Measures and Analytic Techniques
    • SP 2.2 Apply Statistical Methods to Understand Variation
    • SP 2.3 Monitor Performance of the Selected Subprocesses
    • SP 2.4 Record Statistical Management Data

16. Requirements Development (RD) Engineering Level 3

Purpose: produce and analyze customer, product, and product-component requirements.

Specific Practices by Goal

  • SG 1 Develop Customer Requirements
    • SP 1.1 Elicit Needs
    • SP 1.2 Develop the Customer Requirements
  • SG 2 Develop Product Requirements
    • SP 2.1 Establish Product and Product-Component Requirements
    • SP 2.2 Allocate Product-Component Requirements
    • SP 2.3 Identify Interface Requirements
  • SG 3 Analyze and Validate Requirements
    • SP 3.1 Establish Operational Concepts and Scenarios
    • SP 3.2 Establish a Definition of Required Functionality
    • SP 3.3 Analyze Requirements
    • SP 3.4 Analyze Requirements to Achieve Balance
    • SP 3.5 Validate Requirements

17. Requirements Management (REQM) Engineering Level 2

Purpose: manage the requirements of the project’s products and product components and to identify inconsistencies between those requirements and the project’s plans and work products.

Specific Practices by Goal

  • SG 1 Manage Requirements
    • SP 1.1 Obtain an Understanding of Requirements
    • SP 1.2 Obtain Commitment to Requirements
    • SP 1.3 Manage Requirements Changes
    • SP 1.4 Maintain Bidirectional Traceability of Requirements
    • SP 1.5 Identify Inconsistencies between Project Work and Requirements

18. Risk Management (RSKM) Project Management Level 3

Purpose: identify potential problems before they occur so that risk-handling activities can be planned and invoked as needed across the life of the product or project to mitigate adverse impacts on achieving objectives.

Specific Practices by Goal

  • SG 1 Prepare for Risk Management
    • SP 1.1 Determine Risk Sources and Categories
    • SP 1.2 Define Risk Parameters
    • SP 1.3 Establish a Risk Management Strategy
  • SG 2 Identify and Analyze Risks
    • SP 2.1 Identify Risks
    • SP 2.2 Evaluate, Categorize, and Prioritize Risks
  • SG 3 Mitigate Risks
    • SP 3.1 Develop Risk Mitigation Plans
    • SP 3.2 Implement Risk Mitigation Plans

19. Supplier Agreement Management (SAM) Project Management Level 2

Purpose: manage the acquisition of products from suppliers for which there exists a formal agreement.

Specific Practices by Goal

  • SG 1 Establish Supplier Agreements
    • SP 1.1 Determine Acquisition Type
    • SP 1.2 Select Suppliers
    • SP 1.3 Establish Supplier Agreements
  • SG 2 Satisfy Supplier Agreements
    • SP 2.1 Execute the Supplier Agreement
    • SP 2.2 Monitor Selected Supplier Processes
    • SP 2.3 Evaluate Selected Supplier Work Products
    • SP 2.4 Accept the Acquired Product
    • SP 2.5 Transition Products

20. Technical Solution (TS) Engineering Level 3

Purpose: design, develop, and implement solutions to requirements. Solutions, designs, and implementations encompass products, product components, and product-related life-cycle processes either singly or in combination as appropriate.

Specific Practices by Goal

  • SG 1 Select Product-Component Solutions
    • SP 1.1 Develop Alternative Solutions and Selection Criteria
    • SP 1.2 Select Product Component Solutions
  • SG 2 Develop the Design
    • SP 2.1 Design the Product or Product Component
    • SP 2.2 Establish a Technical Data Package
    • SP 2.3 Design Interfaces Using Criteria
    • SP 2.4 Perform Make, Buy, or Reuse Analysis
  • SG 3 Implement the Product Design
    • SP 3.1 Implement the Design
    • SP 3.2 Develop Product Support Documentation

21. Validation (VAL) Engineering Level 3

Purpose: demonstrate that a product or product component fulfills its intended use when placed in its intended environment.

Specific Practices by Goal

  • SG 1 Prepare for Validation
    • SP 1.1 Select Products for Validation
    • SP 1.2 Establish the Validation Environment
    • SP 1.3 Establish Validation Procedures and Criteria
  • SG 2 Validate Product or Product Components
    • SP 2.1 Perform Validation
    • SP 2.2 Analyze Validation Results.

22. Verification (VER) Engineering Level 3

Purpose: ensure that selected work products meet their specified requirements.

Specific Practices by Goal

  • SG 1 Prepare for Verification
    • SP 1.1 Select Work Products for Verification
    • SP 1.2 Establish the Verification Environment
    • SP 1.3 Establish Verification Procedures and Criteria
  • SG 2 Perform Peer Reviews
    • SP 2.1 Prepare for Peer Reviews
    • SP 2.2 Conduct Peer Reviews
    • SP 2.3 Analyze Peer Review Data
  • SG 3 Verify Selected Work Products
    • SP 3.1 Perform Verification
    • SP 3.2 Analyze Verification Results
  • The following Process Areas have been removed (all on Maturity Level 3):
    • Organisational Environment for Integration (OEI)
    • Integrated Teaming (IT)
    • Integrated Supplier Management (ISM)
  • The following additions have been made within existing Process Areas:
    • IPM . SG3 and SG4 were eliminated, new SG3 was added (all IPPD PAs)
    • OPD . SG was added, turning it in an IPPD PA
    • OPF . two SPs were extracted from SG and created SG3 together with two new SPs
    • REQD . SP3.5 was renamed Validate Requirements
    • SAM . SP2.1 was eliminated, two new SPs added in SG2
    • TS . SP1.2 was eliminated
    • VER . SP3.2 was renamed Analyze Verification Results

ref:

.

This post is licensed under CC BY 4.0 by the author.

Comments powered by Disqus.