Fog Creek Software
Discussion Board

CMM certification

How much sense does it make to go for one ? Does anyone have any experience in working for CMM certified software companies ? what are the pro's and con's ?

Wednesday, July 2, 2003

Read "PeopleWare" (2nd ed) for a good discussion of CMM.

It's also Recommend "Successful Software Development" by Donaldson/Siegel.

Finally, you could check out Joel's Article on McDonalds Vs. The Naked Chef:

In a nutshell:

  -- CMM forces you to have process maturity. That means things like Hungarian Notation, Code Review, Specs before you write a design document, design docs before you write a schedule, automated check-ins, testers, defect tracking software, etc.  (In other words, it's a super-dooper version of the Joel Test:

  -- Strict Adherence to standards means that if person X leaves the company or gets hit by a car, you can recover.  In this sense, CMM moves the relying on Heroics and Good Management to relying on process.

  -- Process can make a medicore programmer good, a good programmer excellent, and an excellent programmer great.


  -- CMM certification often involves trying to do the same thing, the same way, over and over again, and getting good at it.  As a result, you tend to work on an ever-shrinking niche Market.  As a result, YES, sure, your estimates get more accurate: But only because you're doing the same thing, over and over again.  Tom DeMarco stipulates that if you're doing CMM, the best project to do may be the one that threatens to move you DOWN the CMM ladder.


  From what I've seen, CMM level 2 is a lot like ISO 9000 - document everything, do it for a year, then bring in an auditing group to show that you've documented your processes.  (Level 2 is "managed" - basically, "we do stuff a certain way, but we don't know why.  When a real crisis happens, we will revert to what we did before.)

  Level 3 involves steering.  You take pains to figure out what is happening and correct it before it becomes a crisis.  Level 3 companies know the policy, and can understand -why- the process is in place.

  Level 4 is about Measuring.  NOT just KLOCs (Measuring by KLOC is tragic and deceptive), it's things like PSP (personal software process), defect rates per KLOC, expected defects, function points, etc.  With level 4, you can predict things.  (Again, only if you don't expect much to change.  Throw in a new database, new programming language, move to the web, whatever ... your carefully collected data becomes allmost meaningless.)

  Level 5 is optimizing.  At level 5, you know why you put the measurements in place, and are getting better and better at it every day.  You have a process to change your process.

  I hope that helps.  For a good discussion of the levels/patterns, I'd check out "Quality Software Management Volume I: Systems thinking" by Gerald Weinberg.

good luck!

Matt H.
Wednesday, July 2, 2003

From my experience, the journey is far more important than the destination when it comes to CMM. Granted, after that much time and money invested, your boss is probably going to want something to show for it, but the changes to company culture and practice are what really matter.

If you're a small firm, I'd say following best practice concepts are better than the overhead generated by CMM. You get more bang for the buck, as it were. Large companies need the structure and focus CMM provides. Again, just remember that the point isn't to get certified, it's to write better software more efficiently.


Wednesday, July 2, 2003

And then there is level 6 - a process for modifying the process for changing the process.

Wednesday, July 2, 2003

In general, it doesn't make a great deal of sense to go for the certification unless you have a client base that requires it.  Military or aviation projects often fall into this group but the group of people who demand to see the word certification is growing.

Actually following the steps laid out to work your way through the CMM steps is something that I would recommend.  So far, I have only been on a team audited to level 3, but we did see a marked decrease in the number and scope of crises we dealt with.

That said, the certification just a piece of paper you can wave at a client.  The process you develop is the important thing.

Wednesday, July 2, 2003

CMM certification is a way for large corporations to attempt to emulate the type of quality of the best developers, even though they don't have them.

It should never be seen as a substitute for actually having those best developers, and in many ways it's a pointer that the company doesn't have them.

Wednesday, July 2, 2003

Our company is certified CMM Level 2, and will probably be Level 3 next year. The funny part is that we in the trenches got to know about the Level 2 stuff only after we were actually certified. Like, "What's CMM???" It has to be said we've been certified ISO 9000 for many years though.

Wednesday, July 2, 2003

Don't assume that CMM is always a "Very Good Thing". 

Check out this article:

Nick Brosnahan
Wednesday, July 2, 2003

"How much sense does it make to go for one ?"

How much business will you lose if you don't?

Friday, July 4, 2003

*  Recent Topics

*  Fog Creek Home