The Pros & Cons of CMM

Computerworld - What's in a CMM rating?
Does hiring a CMM Level 5 service provider guarantee that an outsourced software project will come in on time and on budget?
Will a higher CMM rating automatically mean higher costs?
What impact does earning a rating have on software quality?
These are just a few of the questions confronting IT managers charged with contracting out an increasing volume of application development and maintenance work to lower-cost offshore outsourcers.
Developed by the Software Engineering Institute (SEI) at Carnegie Mellon University in Pittsburgh, CMM—short for Capability Maturity Model—is a set of rigorous standards for software development that's based on five levels. Of some 70 companies worldwide that have publicly acknowledged reaching the highest rating of Level 5, about 50 are in India, according to the SEI and Gartner Inc.
Not surprisingly, these Indian outsourcers aggressively tout their CMM rating, marketing themselves as top-notch developers with standardized, repeatable processes in place for delivering the highest quality software. Executing standardized processes also works to keep down costs, enabling Level 5 providers to pass on additional savings to customers, according to Sangita Singh, head of strategic marketing at Wipro Ltd., an Indian outsourcing company with U.S. headquarters in Santa Clara, Calif.
Research confirms that higher CMM levels correlate with fewer software defects (see chart below). But the highest CMM rating doesn't necessarily guarantee the greatest savings for customers. "The data on quality and maturity levels shows there is a definite improvement in costs and [on-time project completion] schedules," says Bill Peterson, program director for software engineering process management at the SEI. "But whether the supplier passes the savings on to the buyer, we don't know. That's more business than anything to do with the logic of costs.
"What we are saying is that as a Level 5, [suppliers] are better and they're able to charge more, not less," Peterson adds.
At the same time, a Level 5 CMM rating comes with no guarantees, and in some cases, it may even be overkill, experts say.
"CMM is a great discipline, and it is a great designation to have," says Bart Perkins, a Computerworld columnist and managing partner at Louisville, Ky.-based Leverage Partners Inc., which helps CIOs manage IT suppliers. "But the reality is that if an outsourcer is at Level 5 and the client is at Level 1 or 2, the client doesn't have the internal discipline to take advantage of the Level 5 provider's standardized routines."
Defining system or project requirements is a prime example. "With CMM, the entire requirements process is very rigidly defined. A Level 5 requirements document is very detailed and explicit and has metrics associated with it," Perkins explains. "But a company at a CMM Level 0 or 1 could have their requirements on the back of an envelope and no metrics. The Level 1 companies are lucky if they write out two pages."
The upshot, says Perkins, is that touting a CMM Level 5 rating to a Level 1 buyer "comes down to touting a feature that's of little value. It's like a car salesman in Alaska touting a car's great air conditioning. It may be great, but you can't take advantage of it."
Yet some companies, such as Farmers Insurance Group in Los Angeles, contract with Level 5 outsourcers exclusively, even though they may be unable to reap all of the benefits of doing so.
"The CIO dictated that we only do business with CMM Level 5 partners. It was a way of distinguishing the best companies from the rest of the pack," explains Alan Stanley, a program manager at Farmers.
"Beyond that, we don't take advantage of CMM. We tend to dictate how we want work done. We allocate work and processes based on what we do here, so I don't think we've really benefited from the CMM Level 5 side," he adds.
Helen Cousins, former CIO at Parsippany, N.J.-based Cendant Corp., says she believes that hiring a Level 5 outsourcer is a way to raise the bar for your own IT organization. "One of the things we gained out of necessity is the ability to more clearly define what we want," says Cousins, who is now CIO at Dex Media Inc. in Denver. "I've also noticed that when people working side by side are with people who are disciplined, it starts rubbing off."
But in a January 2003 report on the subject, Gartner analyst Partha Iyengar cautioned that users should also remember that CMM standards are descriptive rather than prescriptive, meaning that "they describe what must be done, rather than how it must be done." Consequently, a vendor can specify a certain way of executing a process that isn't the best possible implementation of that particular process.
In other words, Iyengar says, "CMM standards certification in no way guarantees that a vendor's internal implementation of these standards is best-in-class in any way."

CMM Checklist 1 2 3 Next page Print From CIO.com IT Job Spotting: Top 20 Metro Areas for Tech Jobs Facebook IPO: The Heftiest Paydays 4 Ways to Prevent Domain Name Hijacking Cybersecurity Report Stresses Need for Cooperation From CSO Online Devil in the details: How to secure an offsite meeting Rogues gallery: 9 infamous social engineers Tools and templates: Sample security policies Business continuity and disaster recovery basics Additional Resources WHITE PAPER Forrester Consulting - Optimizing Users and Applications in a Mobile World Solving application issues over the WAN requires careful consideration. Based on their independent research, Forrester Consulting offers recommendations on how to tackle application performance issues, insufficient bandwidth and the inability to quickly restore users in a disaster. Read now. WHITE PAPER Enter the Security KnowledgeVault Security is not an option. This KnowledgeVault Series offers professional advice how to be proactive in the fight against cybercrimes and multi-layered security threats; how to adopt a holistic approach to protecting and managing data; and how to hire a qualified security assessor. Make security your Number 1 priority. Read now. WHITE PAPER Cut Communications Costs Once and for All New IP-based communications systems are being deployed by small and midsized businesses at a rapid rate. Learn how these organizations are enabling faster responsiveness, creating better customer experiences, speeding office or mobile interactions, and dramatically reducing existing communications costs. Read now. Top Stories FAQ: WOA vs. x86, which Windows tablet to pick? The timeline's time has come Apple files another U.S. patent suit against Samsung Iran blocks access to some outside websites, services Free Insider Guide Excel 2010 Cheat Sheet Register for this Computerworld Insider Cheat Sheet and gain access to hundreds of premium content articles, guides, product reviews and more. Register for FREE now! » Project Management White Papers Overcome Top 7 Admin Challenges of Active Directory As Active Directory's role in the enterprise has drastically increased, so has the need to secure the data. Gain insight on creating repeatable,... Insiders Can Ruin Your Company. Take Action. Did you know that 80 percent of threats to an organization come from the inside? The threat from insiders is often overlooked in... Top Solutions and Tools to Prevent Devastating Malware Custom malware frequently goes undetected. According to Forrester Research, the best way to reduce risk of breach is to deploy file integrity monitoring... Streamline Compliance and Increase ROI Streamline, simplify, and automate compliance related activities; especially those that impact multiple business units. This white paper from NetIQ, outlines solutions that will... X-Ray of the PCI Process-4 Proactive Steps This white paper from Forrester Research Inc., helps break PCI into understandable components. Security and risk professionals will gain knowledge and insight into... All Project Management White Papers Project Management Webcasts Optimizing Networks for the Cloud Join guest speaker, Rohit Mehra, IDC Director of Enterprise Communications Infrastructure, to explore current trends, discuss best practices for optimizing Data Center and... Apps QuickStart Series Part 2: Designing and Deploying SQL Server on VMware vSphere Download this webcast to learn about the design considerations for virtualizing SQL workloads, performance and scalability information and high-availability options, as well as... Apps QuickStart Series Part 1: Designing and Deploying Exchange 2010 on VMware vSphere Download this webcast to learn the virtual hardware design considerations for Exchange 2010, deployment using the building block approach, options for high-availability and... Customer Spotlight: How IPC The Hospitalist Company Implemented Oracle on VMware Have you been looking to hear about customer's experiences with the new VMware vCenter Site Recovery Manager product? View this webcast to learn... Virtualize Business-Critical Applications with Confidence Virtualizing business-critical applications has become a key focus for organizations as they move along their virtualization journey. With the launch of VMware vSphere®... All Project Management Webcasts Newsletter Sign-Up Receive the latest news test, reviews and trends on your favorite technology topics Choose a newsletter Computerworld Daily News QuickPolls Operating Systems Security Industry Tech: Communication Carriers (ISP, Telecomm, Data Comm, Cable) Tech: Computer/Network Consultant Tech: E-commerce/Internet Tech: Manufacturing - Hardware/Software Tech: Retailer/Distributor/Wholesaler (computer-related) Tech: Service Provider (MSP, BSP, ASP, ESP, Web Hosting) Tech: VAR/VAD/OEM Tech: Other Non-Tech: Advertising/Marketing/PR/Media (Publishing, Broadcast, Online) Non-Tech: Aerospace/Defense Contractor Non-Tech: Agriculture/Forestry/Fisheries Non-Tech: Business Services/Consultant Non-Tech: Construction/Architecture/Engineering Non-Tech: Education Non-Tech: Finance/Banking/Accounting Non-Tech: Government - Federal (including Military) Non-Tech: Government - State/Local Non-Tech: Healthcare/Medical/Pharmaceutical/Bio-Tech Non-Tech: Insurance/Real Estate/Legal Non-Tech: Manufacturing & Process Industries Non-Tech: Mining/Oil/Gas Non-Tech: Retailer/Wholesaler/Distributor (non-computer) Non-Tech: Travel/Hospitality/Entertainment/Recreation Non-Tech: Transportation/Utilities (Energy, Water, etc.) Non-Tech: Other Job Title IT Management: CIO, CTO, CSO IT Management: Executive VP, Senior VP IT Management: VP IT Management: Director IT Management: Manager IT Management: Supervisor IT Management: Systems Integrator IT Management: Technical Consultant Business Management: CEO, COO, Chairman, President Business Management: CFO, Controller, Treasurer Business Management: Executive VP, Senior VP, VP, GM Business Management: Director, Manager Business Management: Other Corporate, Business Manager Business Management: Consultant (Non-Technical) Other: IT Staff Other: Non-Manager Company Size 20,000 or more 10,000 - 19,999 5,000 - 9,999 1,000 - 4,999 500 - 999 100 - 499 50 - 99 Less than 50 Country United States of America Afghanistan Albania Algeria Amercian Samoa Andorra Angola Anguilla Antarctica Antigua and Barbuda Argentina Armenia Aruba Australia Austria Azerbaijan Bahamas Bahrain Bangladesh Barbados Belarus Belgium Belize Benin Bermuda Bhutan Bolivia Bosnia-Herseg Botswana Bouvet Island Brazil British Indian Ocean Territory Brunei Darussalam Bulgaria Burkina Faso Burundi Cambodia Cameroon Canada Cape Verde Cayman Islands Central African Republic Chad Chile China Christmas Island Cocos (Keeling) Islands Colombia Comoros Congo Cook Islands Costa Rica Cote DIvoire (Ivory Coast) Croatia Cuba Cyprus Czech Republic Denmark Djibouti Dominica Dominican Republic East Timor Ecuador Egypt El Salvador Equatorial Guinea Eritrea Estonia Ethiopia Falkland-Malvinas Faroe Islands Fiji Finland France French Guiana French Pacific Islands (French Polynesia) French Southern Territories Gabon Gambia Georgia Germany Ghana Gibraltar Great Britain Greece Greenland Grenada Guadeloupe Guam Guatemala Guinea Guinea-Bissau Guyana Haiti Heard and McDonald Islands Holy See (Vatican City State) Honduras Hong Kong Hungary Iceland India Indonesia Iran Iraq Ireland Israel Italy Jamaica Japan Jordan Kazachstan Kenya Kiribati Kuwait Kyrgyzstan Laos Latvia Lebanon Lesotho Liberia Libya Liechtenstein Lithuania Luxembourg Macau Macedonia Madagascar Malawi Malaysia Maldives (Maldive Islands) Mali Malta Marshall Islands Martinique Mauritania Mauritius Mayotte Metropolitan France Mexico Micronesia, Federated States of Moldova Monaco Mongolia Montserrat Morocco Mozambique Myanmar Namibia Nauru Nepal Netherlands Netherlands Antilles New Caledonia New Zealand Nicaragua Niger Nigeria Niue Norfolk Island North Korea Northern Mariana Islands Norway Oman Pakistan Palau Panama Papua New Guinea Paraguay Peru Philippines Pitcairn Islands Poland Portugal Puerto Rico Qatar Reunion Romania Russian Federation Rwanda Saint Helena Saint Kitts and Nevis Saint Lucia Saint Pierre and Miquelon Saint Vincent and the Grenadines Samoa San Marino Sao Tome and Principe Saudi Arabia Senegal Seychelles Sierra Leone Singapore Slovakia Slovenia Solomon Islands Somalia South Africa South Georgia and the South Sandwich Islands South Korea Spain Sri Lanka Sudan Suriname Svalbard and Jan Mayen Islands Swaziland Sweden Switzerland Syria Taiwan Tajikistan Tanzania Thailand The Democratic Republic of the Congo Togo Tokelau Tonga Trinidad and Tobago Tunisia Turkey Turkmenistan Turks and Caicos Islands Tuvalu Uganda Ukraine United Arab Emirates United States of America United States Minor Outlying Islands Uruguay Uzbekistan Vanuatu Venezuela Viet Nam Virgin Islands (American) Virgin Islands (British) Wallis and Futuna Islands Western Sahara Yemen Yugoslavia Zaire Zambia Zimbabwe US State Alabama Alaska Arizona Arkansas California Colorado Connecticut Delaware District of Columbia Florida Georgia Hawaii Idaho Illinois Indiana Iowa Kansas Kentucky Louisiana Maine Maryland Massachusetts Michigan Minnesota Mississippi Missouri Montana Nebraska Nevada New Hampshire New Jersey New Mexico New York North Carolina North Dakota Ohio Oklahoma Oregon Pennsylvania Rhode Island South Carolina South Dakota Tennessee Texas Utah Vermont Virginia Washington West Virginia Wisconsin Wyoming Puerto Rico Virgin Islands Guam American Samoa U.S. Minor Outlying Islands Armed Forces Africa Armed Forces Americas AA Armed Forces Canada Armed Forces Europe AE Armed Forces Middle East AE Armed Forces Pacific AP Subscribe View all newsletters | Privacy Policy IT Jobs See All Jobs Post a job for $295 Go Jobs by SimplyHired Project Management White Papers | All Project Management White Papers Overcome Top 7 Admin Challenges of Active Directory Top Solutions and Tools to Prevent Devastating Malware X-Ray of the PCI Process-4 Proactive Steps Smarter Commerce is redefining value chain visibility IBM Synchronizes its Commerce 2.0 Strategy with 'Smarter Commerce' Initiative CA Technology Brief: CA Point of View: Content Aware Identity & Access Management Enabling Storage Flexibility to Better Manage Data Growth Case Study: Firm Optimizes Storage, Shrinks Backup Window The Hidden Truth About Virtualizing Business-Critical Applications Enterprise Java Applications on VMware: Unix to Linux Migration Guide Insiders Can Ruin Your Company. Take Action. Streamline Compliance and Increase ROI Five Myths of Cloud Computing Digital Transformation: Creating New Business Models Where Digital Meets Physical Identity Governance: The Business Imperatives Optimize Data Backup to Ensure Data Protection Case Study: Publisher Cuts Backup Times by 98 Percent Forrester Total Economic Impact (TEI) Case Study - Oracle Top 10 Myths About Virtualizing Business-Critical Applications Indiana University Virtualizes Mission-Critical Oracle Databases Sponsored Links Customized information views & Twitter events at New Fulcrum Point E-book: Discover Business-Ready Storage Systems For Oracle Environments Splunk translates machine data into "aha" moments for IT and the business. Converge your infrastructure with HP. Access a valuable case study in the CI Resource Center now. Panasonic Toughbook® mobile computers. Rugged. Reliable. Powerful. Protect your customers with VeriSign SSL, now from Symantec Citrix NetScaler. 2x faster 2048-bit SSL performance than F5. 50% lower SSL costs. Cisco's Unified Fabric delivers resiliency for optimal performance. Learn More Arm Your Defense & Offense in 2012 with the Websense Threat Report MIT Sloan Executive Education. innovation@work A better way to share files, whenever, wherever. Accellion. Share Securely on the Go. Power your Dev Teams and Accelerate Software Delivery Connect with global CIOs now at Enterprise CIO Forum Pinpoint root cause of network issues up to 90% faster Download Microsoft's latest Data Protection Management tool Not All QSAs Are Created Equal: What You Should Know Before You Buy The arrival of Serial Attached SCSI (SAS) marks a new era in storage scalability The AMD Virtual Experience Virtual Trade Show "The Definitive Guide to Security Management" Chapter 1: Introduction to Security Management Evolving Your Data Center for the Cloud Get Ethernet speeds from 1 Mbps to 10 Gbps - Comcast Business Class ExaGrid Gets High Marks in Independent Report from ESG Converge your infrastructure with HP. Access white papers, case studies, videos and more. Redefine Software support with HP Citrix NetScaler. 2x consolidation. For less than F5. Shift up to the Cloud. Ready for the Cloud? Not with F5. Shift to Citrix NetScaler. Shift up to the Cloud. Join the Conversation. Follow Oracle EPM & BI on Twitter Today. Stop backing up. Start solving forward with CommVault® Simpana® software. Cognizant. Leading in Business, Application & Technology Services Cisco's Unified Fabric delivers resiliency for optimal performance. Learn More Still managing your projects with spreadsheets? Move your IT projects in the Cloud! M.S. in Information Studies at Northwestern University Tolly Performance Report  "Citrix NetScaler with nCore Outperforms F5 BIG-IP" ITwhitepapers.com - Access thousands of white papers on 300+ technical topics. Leverage Your Cisco infrastructure for Superior Application Performance Learn about the AMD Virtual Experience "The Definitive Guide to Security Management" Chapter 1: Introduction to Security Management Introducing: Project Icebreaker Resource Center See your link here Skip to top About Us Advertise Contacts Editorial Calendar Subscribe to Computerworld Magazine Help Desk Newsletters Jobs at IDG Privacy Policy Reprints Site Map Ad Choices The IDG Network: CFOworld CIO Computerworld CSO DEMO GamePro Games.net IDC IDG IDG Connect IDG Knowledge Hub IDG TechNetwork IDG Ventures InfoWorld ITwhitepapers ITworld JavaWorld LinuxWorld Macworld Network World PC World Copyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.