Capability Maturity Model Integration

CMMI (Capability Maturity Model Integration) is a development model.

It may be referred as SW-CMM.

History of CMMI

CMMI was created in 2006 by CMU (Carnegie Mellon University). It is currently administered by the CMMI Institute, a subsidiary of ISACA.

There is also CMM (Capability Maturity Model) created in 1986, but it has been largely supersede by CMMI. The major difference between these two is that CMM focuses on isolated processes, whereas CMMI focuses on the integration among those processes.

CMM could also be referred as SCMM or SW-CMM, from software CCM.

Description of CMMI

CMMI is standardized as ISO/IEC 21827. Its latest version as of 2023 is ISO/IEC 21827:2028, under the title “Information technology — Security techniques — Systems Security Engineering — Capability Maturity Model® (SSE-CMM®)”.

CMMI establishes 5 maturity stages on processes:

1. Initial
2. Managed (“repeatable” in CMM)
3. Defined
4. Quantitatively managed (“managed” in CMM)
5. Optimized

Incomplete means that work may or may not get completed.

Initial means that work gets completed but is often delayed and over budget.

Managed means that projects are planned, executed, measured and controlled.

Defined uses organization-wide standards provide guidance across projects, programs, and portfolios.

Quantitatively managed means that the organization is data-driven with quantitative performance improvement objectives that are predictable and align to meet the needs of internal and external stakeholders.

Optimized is focused on continuous improvement and is built to pivot and respond to opportunity and change.

CMMI is used in IT risk assessments, to assess the level of implementation of controls, as those defined in ISO/IEC 27001. It is also used on GAP analysis, to identify the current state and the objective state.

CMMI Certifications for Professionals

There are various certification levels for CMMI practitioners issued by CMMI Institute:
https://cmmiinstitute.com/learning/certifications

Other programs related to CMMI

CMMC (Cybersercuty Capability Maturity Model) is a USA DoD (Department of Defense) program that applies to Defense Industrial Base (DIB) contractors. You can find more information about CMMC on this external link.

You might also be interested in…

• Software Development Security

External References

• CMMI Institute; “CMMI Institute“; ISACA
• ISO: “ISO/IEC 21827:2008“; ISO
• Wikipedia; “Capability Maturity Model Integration“; Wikipedia
• “CIISP 9th Edition”, p.
• CMMI Levels
  • CMMI Institute; “CMMI Levels of Capability and Performance“; CMMI Institute