Definition

What is Capability Maturity Model (CMM)?

By
Published: Sep 03, 2025

The Capability Maturity Model (CMM) is a methodology used to develop and refine an organization's software development process. The model describes a five-level evolutionary path of increasingly organized and systematically more mature processes.

CMM was developed and is promoted by the Software Engineering Institute (SEI), a research and development center sponsored by the U.S. Department of Defense (DOD) and now part of Carnegie Mellon University. SEI was founded in 1984 to address software engineering issues and, in a broad sense, to advance software engineering methodologies. More specifically, SEI was established to optimize the process of developing, acquiring and maintaining heavily software-reliant systems for the DOD. SEI advocates industry-wide adoption of the CMM Integration (CMMI), which is an evolution of CMM. The CMM model is still widely used as well.

CMM is similar to ISO 9001, one of the ISO 9000 series of standards specified by the International Organization for Standardization. The ISO 9000 standards specify an effective quality system for manufacturing and service industries; ISO 9001 deals specifically with software development and maintenance.

The main difference between CMM and ISO 9001 lies in their respective purposes: ISO 9001 specifies a minimal acceptable quality level for software processes, while CMM establishes a framework for continuous process improvement. It is more explicit than the ISO standard in defining the means to be employed to that end.

CMM's five levels of maturity for software processes

There are five levels to the CMM development process. They are the following:

  1. Initial. At the initial level, processes are disorganized, ad hoc and even chaotic. Success likely depends on individual efforts and is not considered to be repeatable. This is because processes are not sufficiently defined and documented to enable them to be replicated.
  2. Repeatable. At the repeatable level, requisite processes are established, defined and documented. As a result, basic project management techniques are established, and successes in key process areas are able to be repeated.
  3. Defined. At the defined level, an organization develops its own standard software development process. These defined processes enable greater attention to documentation, standardization and integration.
  4. Managed. At the managed level, an organization monitors and controls its own processes through data collection and analysis.
  5. Optimizing. At the optimizing level, processes are constantly improved through monitoring feedback from processes and introducing innovative processes and functionality.
Diagram of the 5 levels of the Capability Maturity Model
The Capability Maturity Model takes software development processes from disorganized and chaotic to predictable and constantly improving.

CMM vs. CMMI: What's the difference?

CMMI is a newer, updated model of CMM. SEI developed CMMI to integrate and standardize CMM, which has different models for each function it covers. These models were not always in sync; integrating them made the process more efficient and flexible.

CMMI includes additional guidance on how to improve key processes. It also incorporates ideas from Agile development, such as continuous improvement.

SEI released the first version of CMMI in 2002. In 2013, Carnegie Mellon formed the CMMI Institute to oversee CMMI services and future model development.

ISACA, a professional organization for IT governance, assurance and cybersecurity professionals, acquired CMMI Institute in 2016. The next version -- CMMI V2.0 -- came out in 2018. It focused on establishing business objectives and tracking those objectives at every level of business maturity.

The current version of CMMI, Version 3.0, was released in 2023. It leverages comments from users and CMMI partners to improve various elements of the model, including changes to the architecture and development of new practice areas addressing people and data management, in addition to addressing virtual (e.g., remote) work environments.

CMMI adds Agile principles to CMM to help improve development processes, software configuration management and software quality management. It does this, in part, by incorporating continuous feedback and continuous improvement into the software development process. Under CMMI, organizations are expected to continually optimize processes, record feedback and use that feedback to further improve processes in a cycle of improvement.

One criticism of CMM is that it is too process-oriented and not goal-oriented enough. Organizations have found it difficult to tailor CMM to specific goals and needs. One of CMMI's improvements is to focus on strategic goals and additional practice areas. CMMI is designed to make it easier for businesses to apply the methodology to specific uses than with CMM.

Like CMM, CMMI consists of five process maturity levels. However, they are different from the levels in CMM.

The process performance levels of CMMI are the following:

  1. Initial. Processes are unpredictable and reactive. They increase risk and decrease efficiency.
  2. Managed. Processes are planned and managed, but they still have issues.
  3. Defined. Processes become more proactive than reactive.
  4. Quantitatively managed. Quantitative data is used to craft predictable processes that fulfill stakeholder needs based on more accurate measurement of adherence to business goals.
  5. Optimizing. The organization has a set of consistent processes that are constantly being improved and optimized.
Diagram of the 5 levels of the Capability Maturity Model Integration
The Capability Maturity Model Integration combines various software develop maturity models into one process.

The Capability Maturity Model Integration combines various software development maturity models into one process.

Pros and cons of CMMI

The latest version of the CMMI offers some important advantages, including an updated framework for structured process management, increased scalability to address a wider variety of organizations, and by achieving CMMI certification, an improved competitive position and reputation for excellence.

The above benefits also come with a few challenges, including the cost and time needed to achieve and maintain the CMMI model, complexity associated with the program implemented, and possible cultural resistance to CMMI processes and their application.

Preparing for CMMI assessment and certification

Assuming an organization wishes to pursue CMMI accreditation, it must first complete a self-assessment which is followed by a third-party assessment and, hopefully, an CMMI certification by the CMMI Institute.

The process has several steps, which start by gathering data on the assessment and certification processes from CMMI Institute or one of its approved partner organizations. The candidate organization may elect to receive training on the CMMI process and then proceed to a self-assessment of its current practices as compared to CMMI requirements. Deficiencies uncovered by the assessment can then be addressed.

Once the organization has completed the above steps and addressed the relevant assessment components, an appraisal can be scheduled by an approved third party. This can involve interviews, inspections, program and project reviews and other structured activities. Results of the appraisal report can be turned into an action plan to correct any issues. Working in concert with the third-party appraiser, the organization can then apply for certification by the CMMI Institute.

A key consideration of self-assessment, appraisal and certification is that the CMMI process does not end with certification. Instead, CMII processes should be part of an organization's continuous improvement activities.

Organizations that provide CMMI assessments and appraisals

The CMMI Institute provides details on how to organize an assessment and/or appraisal. The CMMI Institute Partner Directory lists all partners worldwide. Following is a brief list of CMMI certified lead appraisers.

  • ABI Consultants
  • Abridge Technology
  • Accenture LLP
  • ACE Guides, LLC
  • ActioNet, Inc.
  • AFNOR Certification
  • AG Kaizen Group
  • Brightline Performance Group
  • BVSLN System Services Private Ltd.
  • Delivery Excellence, Inc.
  • IBM
  • Layermark
  • Leading Edge Process Consultants, LLC
  • Plowright International LLC
  • Prescient Security
  • RSK Consulting
  • Sandhill Consultants Ltd.
  • Shanghai Fancier Info Tech Ltd.

The future of CMMI programs

Considering the latest iteration -- Version 3.0 -- of the CMMI model, its expansion into a global set of capability performance metrics, and a greater focus on advanced technologies, people management, virtual work, and environmental, social and governance (ESG) issues, the long-term view of CMMI is positive.

As software permeates all aspects of life, developers have an ethical duty to their users. Learn how to uphold this responsibility in software development. Also, learn about constructive approaches to enhancing IT sustainability, such as prioritizing e-waste reduction and adopting responsible AI practices.

Continue Reading About What is Capability Maturity Model (CMM)?

Dig Deeper on Agile, DevOps and software development methodologies