The CMMI 2.0 is supposed to be an improvement over the prior version 1.3 of the famous Capability Maturity Model Integration, originally developed by Carnegie Mellon University and the Software Enterprise Institute (SEI). In fact, CMMI 2.0 has taken all the worst aspects of 1.3 and exaggerated them, without making the case that the result is any improvement over what came before. And we have ISACA to thank for this new, self-licking ice cream cone.

ISACA purchased the CMMI scheme from SEI, and while it probably meant a quick influx of cash for them, it’s not quite worked out for end users. ISACA is a consulting company and shillbox for the usual array of industry “credentials” sold to dupes who are desperate to make their resumes look better. Think ASQ on steroids, with even less ethics.

The bar for entry to CMMI was already high. Under 1.3, a company would be expected to dole out at least $75,000 just to get started on their CMMI journey, with the norm being well over $100,000. And that did not factor in company size at all: if you were a three-man shop, you’d still spend the same amount of money. Larger companies, of course, could find themselves spending half a million.

Much of this was because SEI itself was infested with the private consultant mindset, despite having been birthed by its mothership, Carnegie Mellon. (The infection of universities by consultants isn’t new, and is only getting worse; for one example, see the CMMC consultant invasion of Southern Connecticut State University.)

To put it bluntly, SEI is smug. The very first original “CMM” (before they added the “I”) was easier to understand. They weren’t having that, though, so they rebuilt that model as “CMMI” and things started to go awry. In their defense, though, CMMI was an improvement over the original CMM.

But while building CMM/CMMI, the SEI ignored decades of existing quality assurance and risk management practices, and shunned ISO standards. On that latter point, they might have been correct — ISO standards in these areas are only getting worse, not better — but some alignment with existing methods and standards might have been nice. Instead, SEI decided they’d reinvent the wheel from scratch, hoping to come up with something better.

To some extent, CMMI was better than its quasi-cousins, the ISO certifications. CMMI made one smart decision: it branded itself as an “appraisal” scheme, in order to align with its goal of being a graded “maturity model.” CMMI was never intended to be a binary, pass-fail scheme like an ISO certification. It was intended to provide a slope, upon which an organization could decide to plant a flag, and then scale the mountain from that starting point. The idea of “maturity” implied that a company would improve over time, as its maturity advanced.

And so CMMI never used words like “audits” or “auditors” or “certification.” An “appraisal score” was given, called a “maturity level.” And audits were “appraisals,” conducted by “appraisers.” CMMI avoided all the controversies over words like “certification,” “accreditation,” and everything those words drag along with them.

But it came at a cost. Because the CMMI authors were intentionally uninformed (one might say “willfully ignorant”) on the decades of existing history related to management system standards and certifications, their attempt to start something new just meant they fell into old traps. The standard (called the CMMI “model”) became needlessly overcomplicated. The approaches aligned with nothing else at all in existence, forcing users to create entirely separate “CMMI systems” that didn’t mesh with their existing systems. CMMI became a set of documents you wrote, and artifacts you created, in order to placate a different auditor, and you really couldn’t use your existing ISO or other system materials to satisfy it.

Example: under CMMI 1.3, a company was directed to implement mandatory “process areas” dictated by SEI. Meanwhile, ISO was demanding a company adopt a “process approach,” and identify its own processes, without mandating them at all. ISO told you to manage whatever processes you identified, while CMMI told you what processes to have. Companies adopting both standards found they had two sets of processes: the ones they used every day (identified for ISO), and then another set of “PAs” specifically created to support CMMI.

But CMMI 1.3 was seen as a more “elite” award, and so companies put up with it. They spent the hundred grand in order to get lucrative US government contracts that were likely to earn them 100 times that amount.

Not to put too fine a point on it, ISACA fucked everyone. Not only did they decide that CMMI 2.0 would be an entire re-write of something that no one was demanding be fixed in the first place, but they committed the same exact sin that SEI did: they ignored everything that existed before, and started over. Again: willfully ignorant.

Then, they took the worse aspect of CMMI — that it was a make-work project for expensive consultants — and added about 40 cases of Red Bull and a random assortment of methamphetamines. CMMI 2.0 isn’t just a make-work project for ISACA, it’s a “buy me a new boat every day of the year” project.

For all those companies that built “process areas” to support CMMI, ISACA had great news: all the PAs were thrown out for an entirely new concept, called “practice areas.” They only sound similar, because in practice they’re nearly new creatures cooked up from scratch. This was a boon for the CMMI consultants out there, since anyone who had to upgrade from CMMI 1.3 to 2.0 had to hire a consultant — from ISACA, mind you! — to get the job done with any reasonable chance of passing their eventual appraisal.

ISACA knew that the more complicated they made the model, the more “training” and “certifications” they’d sell to anyone in their ecosystem.

But the bastards weren’t finished there. Now you can’t even read the CMMI model without paying a subscription to ISACA. As in, you can’t buy a PDF of it. You have to pay an annual fee to ISACA to access the model online, because ISACA is an asshole.

PDCA Can Suck It

From the standpoint of a quality assurance professional, the fact that the CMMI authors thought they could reinvent the classic Plan-Do-Check-Act model (PDCA) was hubris unbound. But they did it anyway, again ignoring sixty years of prior best practices.

Instead, CMMI 2.0 adopts a model based on its own, wholly-made-up stages: “Doing, Managing, Enabling, and Improving.” Yes, they skipped the whole planning thing entirely. Worse, the CMMI approach isn’t a cycle, where the last step feeds back into the first. It’s static.

And they only managed to maintain a four-step model, after removing “Planning,” because “Enabling” and “Improving” are essentially two parts of the same thing.

But had the CMMI 2.0 authors used the existing PDCA model, they wouldn’t have been able to sell endless books and seminars and mandatory training classes that teach people what “DMEI” is. Because a lot of people already understand PDCA.

Nearly every aspect of what was in CMMI 1.3, including the entire structure of the model hierarchy, appraisal methods, scoring, and branding, was changed. Any training you may have had was obsolete, and now you have to buy new training.

The resulting updated model is nearly impossible to parse. Between its DMEI “concepts,” industry focus “Capability Areas,” practice areas instead of processes, and dogged insistence on splitting out “quality” from the folks who actually do the work (welcome back, 1930s!), the CMMI 2.0 is an unmitigated mess.

And, my God, the prose. The model is written as if its authors were paid a bonus every time a reader had to refer to the thesaurus. SEI was bad enough, but this new gang couldn’t write a simple sentence if their lives depended on it. This is the product of people desperate to convince you they are smarter than you, without any concern for the fact that they may have “elited” the scheme right out of reach of nearly anyone, thus cutting off their own noses.

The legality of this is questionable, too. Multiple whistleblowers have already come forth and alleged ISACA is breaking business regulations, laws, or tax rules — or all three, simultaneously. I’m not smart enough to know for sure what is true, in that case, though.

What’s clear is that ISACA took an already obscure product that worked, to some degree, and that had a dedicated group of supporters, and turned it into a more-obscure nightmare that shit all over its core supporters. Then, to feed its own executive suite, ISACA needlessly added phenomenal costs, without ever making the case that they improved a single thing over the original. The only beneficiary of this mess is, of course, ISACA.

Oh, and one other group…

Proliferation of Indian Scam Kits

The sheer costs of CMMI 2.0 have had the usual, predictable side effect: third-world scammers, coming mostly (but not exclusively) from India, have begun pumping out wimpy template kits to help fast-track CMMI compliance. Then, as they do in the ISO scheme, they pay the necessary tribute to the authorities (ISACA, in this case) to get some level of formal recognition. As a result, everyone just ignores the fact that their template kits are complete garbage, copied-and-pasted a thousand times over, and done only to fool some idiot CMMI appraiser.

As a result, while the complexity of CMMI increases, the opposite happens to the trust we can have in the CMMI mark: now, it’s become a pay-to-play scam far beyond anything dreamed of by Carnegie Mellon. If you pay, you win. And if you don’t want to pay a consultant to help build a meaningful system, because the cost will be astronomical, you can now buy a cheap Indian kit, and you still win, because ISACA got its money, and that’s all that really matters.

(Those purists saying the system requires “tailoring” can go eat a shoe. These kits have the same copy-and-paste language on “tailoring” and appraisers just ignore it.)

The Solution?

As usual, I like to provide a solution to a problem I’ve called out. Here, it’s more complicated. ISACA doesn’t listen to anyone, and their need to create a factory of self-licking ice cream cones isn’t about to be dismantled any day soon, no matter what I come up with.

The only fix is to get ISACA out of the scheme entirely, and for Carnegie Mellon to take back its baby. Then, inject rules prohibiting the dominance of private consultants in the scheme, to make things more user-friendly and value-added.

None of that is going to happen. An alternate solution, then, is to just ignore CMMI and let it die. That means companies have to push back on government Contracting Officers’ Representatives (CORs) who demand CMMI as a bid requirement, and tell them that it’s not the US government’s job to mandate pyramid schemes. They may not listen, however. This would probably only work if someone sued the Feds, and got a court ruling to back them up, which is another thing that is unlikely to happen.

But, to be clear, it is illegal for the US government to mandate the services of a single, private monopoly as a condition for bidding on government contracts. That’s not how fair and open competition works. US tax dollars shouldn’t be going to prop up ISACA, as they simultaneously jack up CMMI pricing to make money from both angles.

About Christopher Paris

Christopher Paris is the founder and VP Operations of Oxebridge. He has over 30 years' experience implementing ISO 9001 and AS9100 systems, and is a vocal advocate for the development and use of standards from the point of view of actual users. He is the author of Surviving ISO 9001 and Surviving AS9100. He reviews wines for the irreverent wine blog, Winepisser.

