Introduction
(Updated 8/18/24)
See Neil’s related video on YouTube
The main communication points from ISACA (the custodian of the CMMI) are:
- A new model architecture to reduce the time and resources it takes to make updates
- New Practice Areas (PA) covering safety, security, data management, staff development, and virtual delivery
The main changes in Version 3 are:
- Maturity Level 2 is now defined as all Practice Areas at Capability Level 2; this is a major change in philosophy
- Supplier Agreement Management has two additional practices for supplier selection (from a previous model version)
- The new PAs (described below)
All the other Practice Areas in the Development and Services model remain unchanged apart from some minor wording updates.
The New Definition of Maturity Level 2
Figures 1 and 2 (below) show Maturity Level 2 in the old and new versions.
The reason for the change is that ISACA now thinks of the model as a methodology for performing work defined at different levels of process maturity, rather than a maturity model that defines priorities for improvement. The model was originally intended as a maturity model that guided an organization on what practices to master before taking on more advanced practices (e.g., mastering estimation and commitments before mastering design). The rationale was that unless you have good planning in place, there will be little time for tasks such as design, since the project will end up as a death march without a plan.
Figure 1 — Green Block = Maturity Level 2 in CMMI Version 2
Figure 2 — Green Block = Maturity Level 2 in CMMI Version 3
An example version 3 argument would be as follows: Since all teams need to do design (substitute any CMMI topic for the word design), make sure design is performed at each maturity level, even if that is Maturity Level 1 or 2. In version 3, process maturity is the improvement of all processes in parallel instead of focusing on project management and project scope management as a foundation.
How You Could Use V3 of the Model
Just because Maturity Level 2 has been redefined to include all PAs, it does not mean that you must adopt all PAs at once. You can still adopt them in the order you need based on the challenges you have.
Here are some examples of the order they could be adopted in.
- Focus first on the old ML2 Practice Areas to make sure projects are well managed
- Use process improvement planning (PCM Practice Area) to plan for model adoption. Start with a simple task list that defines what, who, and when
- Add risk and opportunity management (RSK) to your project planning activities
- Adopt peer reviews (PR) to find errors in requirements and proposals
- Run a causal analysis (CAR) on a few project successes and failures to see what you can learn
Changes in the Development and Services Model Practices
The changes in the DEV and SVC model practices are listed below. They are mostly very minor.
- CAR: Deleted the word “root” from “root cause.”
- GOV: Minor word changes to practices 2.2, 2.3, and 4.1.
- II: Added new practice 4.1 – Develop the organizational capability to understand and apply statistical and other quantitative techniques to accomplish the work.
- MPM: Minor word changes to practices 3.5, 5.1, 5.2, and 5.3.
- OT: Minor word changes to practice 3.5.
- PLAN: Changed wording in 2.6 from “Ensure plans are feasible by reconciling available and estimated resources” to “Ensure plans are feasible by reconciling estimates against capacity and availability of resources.”
- PAD: Deleted practice 3.5 (“make assets available”) since it was redundant with practice 3.3. The new 3.3 practice is “Develop, keep updated, and make the organization’s processes and assets available for use in a process asset library.”
- PCM: Minor word changes to practice 3.6.
- RDM: Merged 2.1 and 2.3 into 2.1 which is now “Elicit stakeholder needs, expectations, constraints, and interfaces or connections, and confirm understanding of requirements.”
- SAM: Practices 2.1 and 2.2 have been brought back from earlier versions. SAM is now:
  - 2.1 Identify evaluation criteria, potential suppliers, and distribute supplier requests.
  - 2.2 Evaluate supplier responses according to recorded evaluation criteria and select suppliers.
  - 2.3 Manage supplier activities as specified in the supplier agreement and keep agreement updated.
  - 2.4 Verify that the supplier agreement is satisfied before accepting the acquired supplier deliverable.
  - 2.5 Manage invoices submitted by the supplier according to the supplier agreements.
  - 3.1 Conduct technical reviews of supplier performance activities and selected deliverables.
  - 3.2 Manage supplier performance and processes based on criteria in the supplier agreement.
  - 4.1 Select measures and apply analytical techniques to quantitatively manage suppliers against their performance targets.
The new PAs are listed below. All of the changes from V2 are listed in a document created by Pat O’Toole.
New Available Practice Areas
The primary reason for CMMI V3 is to promote the PAs listed below. They are not required to be used.
- Data Management (DM)
- Data Quality (DQ)
- Enabling Safety (ESAF)
- Enabling Security (ESEC)
- Enabling Virtual Work (EVW)
- Managing Security Threats & Vulnerabilities (MST)
- Workforce Empowerment (WE)
Each one is based on the format Plan X, Do X, Check X, and Act on the results of X. The downside of this is that you could define X to be trivial and then appraise Maturity Level 3 with a trivial implementation. Only time will tell who adopts them.
If you decide to include one or more of these in a CMMI appraisal, the appraisal team will need to take a new four-day Building Organizational Capability class that covers all Practice Areas. There will also be a new Practitioner exam to go along with the class. There is a self-study option available through 3/31/24 to save on class costs.
This new class is additional to the existing classes, Foundations of Capability (two days, covering the core PAs) and Building Excellence (e.g., 1-day DEV and 1-day SVC class). These existing classes will be updated to cover changes in the DEV and SVC models.
Paths Forward
You have two basic paths to choose from:
A) If you are planning on a DEV or SVC appraisal, then:
- Existing appraisal team members (ATM) who are trained in CMMI V2 only need to pass the Associates exam when their certification expires after three years. The new exam will cover some of the V3 changes, so work with your LA to learn about them.
- New appraisal team members (who have not taken a CMMI V2 Foundations and DEV/SVC class) need to take the appropriate classes and pass the Associates exam.
B) If you are planning on appraising one or more of the new PAs, then the appraisal team will have to:
- Take the new 4-day Building Organizational Capability class and pass the new Practitioner exam. The class will be offered through your Lead Appraiser (LA) if the appraiser has chosen to pursue the new PAs.
- Verify appraisal team member domain experience. The ATMs will still be subject to the experience requirements for an appraisal. For example, if you are on a Data Management appraisal, the team will need 15 years of domain (Data Management) experience, and only one team member can have less than 2 years of experience. It might become a challenge to find the right people for the team. LA years of experience are not used in the calculation.
The LA will need between five and eight years of experience in the selected domain to qualify as an LA for that domain, and that might eliminate many LAs from getting certified to lead these new appraisals.
Appraisal Method Changes
- SAM is optional. SAM is in the Supplier domain, and selecting more than one domain is optional. SAM is a really good idea to protect your interests from bad suppliers, but the appraisal team has to take the 4-day Building Organizational Capability course and pass the larger 4-hour Practitioner exam. Most teams don’t want to do this.
- There are no other major changes to the appraisal method in V3.
Conclusion (Neil’s and Mary’s Opinion)
- The new definition of ML2 is a shift in what the original model was intended to be.
- Not many organizations target ML2 so it will not present a challenge very often. Groups that were going to target ML2 might now target ML3 since all the PAs have to be addressed.
- Neil and Mary don’t plan on pursuing the new PAs since we really have no expertise in them and don’t think the demand will be very high.
Please feel free to contact us if you need help improving or navigating CMMI.
Version 3 New Practice Areas
Data Management (DM)
DM 1.1 Identify data management objectives.
DM 1.2 Use metadata to manage data.
DM 2.1 Develop, keep updated, and follow a data management approach that is aligned to objectives.
DM 2.2 Establish a data management architecture to support the data management approach.
DM 3.1 Establish and deploy an organizational data management capability.
DM 3.2 Perform reviews periodically on the effectiveness of the organization’s data management capability and take action on results.
Data Quality (DQ)
DQ 1.1 Identify data quality parameters.
DQ 1.2 Perform data cleansing activities.
DQ 2.1 Define criteria for data cleansing.
DQ 2.2 Develop, keep updated, and follow a data quality approach.
DQ 2.3 Perform data cleansing based on criteria and data quality approach.
DQ 3.1 Conduct data quality assessments.
DQ 3.2 Perform reviews periodically on the effectiveness of the organization’s data quality activities and take action on results.
Enabling Safety (ESAF)
ESAF 1.1 Identify and record safety needs and hazards.
ESAF 1.2 Address prioritized safety needs and hazards.
ESAF 2.1 Identify critical safety needs and constraints, keep them updated, and use to develop and keep safety objectives current.
ESAF 2.2 Develop, keep updated, and follow an approach to address workplace environment safety.
ESAF 2.3 Develop, keep updated, and follow an approach to address functional safety for the solution.
ESAF 3.1 Establish and deploy an organizational safety capability.
ESAF 3.2 Perform safety evaluations periodically and take action on results.
ESAF 3.3 Develop, keep updated, and follow organizational safety control strategies.
Enabling Security (ESEC)
ESEC 1.1 Identify and record security needs and issues.
ESEC 1.2 Address prioritized security needs and issues.
ESEC 2.1 Identify and record security needs, keep them updated, and use to develop a security approach and objectives.
ESEC 2.2 Develop, keep updated, and follow an approach to address physical security needs.
ESEC 2.3 Develop, keep updated, and follow an approach to address mission, personnel, and process-related security needs.
ESEC 2.4 Develop, keep updated, and follow an approach to address cybersecurity needs.
ESEC 3.1 Establish and deploy an organizational security operations capability.
ESEC 3.2 Develop, follow, and implement an organizational security strategy, approach, and architecture; and keep them updated.
ESEC 3.3 Periodically perform security reviews and evaluations throughout the organization and take action on results.
Enabling Virtual Work (EVW)
EVW 1.1 Identify and record virtual work needs and constraints.
EVW 1.2 Perform virtual work.
EVW 2.1 Develop, keep updated, and use an approach to perform virtual work.
EVW 2.2 Monitor the virtual work approach and take corrective action when needed.
EVW 3.1 Develop, keep updated, and use an organizational strategy, approach, and functional capability for performing virtual work.
EVW 3.2 Perform reviews periodically on the effectiveness of the organization’s virtual work approach and take action on results.
Managing Security Threats & Vulnerabilities (MST)
MST 1.1 Identify and record security threats and vulnerabilities.
MST 1.2 Take actions to address security threats and vulnerabilities.
MST 2.1 Develop, keep updated, and follow an approach for handling security threats and vulnerabilities.
MST 2.2 Develop and keep updated criteria to evaluate security threats and vulnerabilities.
MST 2.3 Use recorded criteria to prioritize, monitor, and address the most critical security threats and vulnerabilities that arise during operations.
MST 2.4 Evaluate and report the effectiveness of the approach and actions taken to address critical security threats and vulnerabilities to the solution.
MST 3.1 Develop, keep updated, and follow an organizational security strategy, approach, and architecture to evaluate, manage, and verify threats and vulnerabilities.
MST 3.2 Analyze security verification and validation results to ensure accuracy, comparability, consistency, and validity across the organization.
MST 3.3 Evaluate effectiveness of the organizational security strategy, approach, and architecture for addressing security threats and vulnerabilities.
Workforce Empowerment (WE)
WE 1.1 Identify and allocate commitments to workgroups.
WE 2.1 Record and allocate work assignments and keep them updated based on an assessment of qualifications, skills, and related criteria.
WE 2.2 Manage the transition of individuals in and out of roles and workgroups.
WE 2.3 Develop, keep updated, and use communication and coordination mechanisms within and across workgroups.
WE 3.1 Develop, keep updated, and use workforce competencies to build organizational capabilities and achieve objectives.
WE 3.2 Develop, keep updated, and use an organizational structure and approach to empower workgroups.
WE 3.3 Develop, keep updated, and use organizational compensation strategies and mechanisms.