Comparison with CMMI
30.5.1. CMMI Overview
CMMI (Capability Maturity Model Integration) is a framework for assessing and improving the process maturity of organizations. It was developed by the Software Engineering Institute (SEI) at Carnegie Mellon University and is currently operated by the CMMI Institute under ISACA.
CMMI evolved from CMM (Capability Maturity Model), which was originally created for quality management of U.S. Department of Defense software development projects. CMMI V1.1 was released in 2002, and a major revision was made with CMMI V2.0 in 2018. CMMI V2.0 features a simplified structure and strengthened performance-oriented assessment methods compared to previous versions.
CMMI is widely adopted primarily by large-scale software development organizations, SI (System Integration) firms, and the defense/aerospace sectors. In South Korea, large SI companies and organizations bidding for public projects are sometimes required to achieve CMMI Level 3 or higher.
The core characteristic of CMMI is its "maturity model" that assesses an organization's process capability in stages. It objectively diagnoses the current level of an organization and indicates which processes must be improved to advance to the next level.
30.5.2. Five Maturity Levels
CMMI classifies an organization's process maturity into 5 levels.
| Level | Name | Description | Key Characteristics |
|---|---|---|---|
| 1 | Initial | Processes are not defined. Dependent on individual capabilities | Unpredictable, reactive, inconsistent |
| 2 | Managed | Basic processes are defined and managed at the project level | Project planning, requirements management, configuration management, quality assurance |
| 3 | Defined | Standard processes are defined at the organizational level and applied to all projects | Organizational standard processes, training, decision analysis |
| 4 | Quantitatively Managed | Process performance is quantitatively measured and controlled | Statistical process control, quantitative project management |
| 5 | Optimizing | Continuous process improvement is established as organizational culture | Root cause analysis, continual improvement, innovation |
Each level includes the processes of all previous levels. To achieve Level 3, all Level 2 processes must already be satisfied. Most organizations aim to achieve Level 3, and organizations that reach Levels 4 and 5 are few even on a global scale.
30.5.2.1. Duration and Cost by Level
The duration and cost required for CMMI assessment vary significantly depending on the target level.
| Target Level | Preparation Period | Assessment Cost | Notes |
|---|---|---|---|
| Level 2 | 6-12 months | Tens of millions of KRW | Basic process definition and application |
| Level 3 | 12-24 months | Hundreds of millions of KRW | Organizational standard process establishment required |
| Level 4 | 24-36 months | Hundreds of millions of KRW or more | Quantitative management system establishment required |
| Level 5 | 36+ months | Hundreds of millions of KRW or more | Continuous improvement culture establishment required |
The preparation period includes process definition, training, pilot application, and internal assessment. External consulting costs are incurred additionally when consulting services are used.
30.5.3. Process Areas
CMMI V2.0 classifies Practice Areas into 4 categories.
30.5.3.1. Category Composition
| Category | Number of Practice Areas | Key Content |
|---|---|---|
| Doing | 7 | Processes directly related to product/service development and delivery |
| Managing | 6 | Processes for project and work planning and management |
| Enabling | 5 | Foundation processes that support Doing and Managing |
| Improving | 2 | Processes for improving process performance |
30.5.3.2. Key Practice Areas
| Practice Area | Category | Description |
|---|---|---|
| Requirements Development and Management (RDM) | Doing | Elicitation, analysis, verification, and management of product requirements |
| Technical Solution (TS) | Doing | Design, implementation, unit testing |
| Product Integration (PI) | Doing | Component integration, integration testing |
| Verification and Validation (VV) | Doing | Product verification (meeting technical requirements) and validation (meeting user requirements) |
| Planning (PLAN) | Managing | Project planning, resource/schedule estimation |
| Monitor and Control (MC) | Managing | Progress monitoring against plan, corrective action |
| Configuration Management (CM) | Enabling | Maintaining work product integrity, change control |
| Process Quality Assurance (PQA) | Enabling | Quality assurance of processes and work products |
| Process Management (PCM) | Improving | Definition, deployment, and improvement of organizational processes |
| Performance Improvement Management (PIM) | Improving | Quantitative analysis and improvement of process performance |
30.5.3.3. Assessment Method (SCAMPI)
CMMI maturity level assessments use SCAMPI (Standard CMMI Appraisal Method for Process Improvement), the official assessment method.
| Type | Name | Purpose | Duration |
|---|---|---|---|
| SCAMPI A | Official Assessment | Official maturity level assignment, for external disclosure | 1-2 weeks (on-site assessment) |
| SCAMPI B | Interim Assessment | Readiness check for official assessment, for internal diagnosis | 3-5 days |
| SCAMPI C | Quick Assessment | Initial diagnosis, for improvement plan development | 1-2 days |
SCAMPI A assessments are performed by Lead Appraisers certified by the CMMI Institute. The assessment team evaluates the implementation level of each practice area through the organization's process documentation, project work products, and staff interviews.
30.5.4. Comparative Analysis with TQS
The following table summarizes the comparison between CMMI and TQS along key comparison axes.
| Comparison Axis | CMMI | TQS |
|---|---|---|
| Certification Purpose | Organizational process maturity assessment and improvement | Code-level technical quality verification |
| Verification Target | Organizational processes (requirements management, configuration management, quality assurance, etc.) | Project source code, build configurations, CI/CD pipelines |
| Verification Level | Process level ("Are processes defined and operated?") | Code level ("Does the code meet the criteria?") |
| Maturity Model | 5 levels (Initial -> Managed -> Defined -> Quantitatively Managed -> Optimizing) | 5 levels (TQS proprietary maturity model) |
| Maturity Focus | Process capability maturity | Technical implementation maturity |
| Audit Method | SCAMPI assessment (document review + interviews + on-site assessment) | Automated verification + code review |
| Configuration Management Verification | "Has a configuration management process been defined?" | "Is GitHub Flow applied and are Conventional Commits used?" |
| Quality Assurance Verification | "Is a quality assurance process being performed?" | "Test coverage 80%+, ESLint pass, build success" |
| Verification Cycle | 3 years (SCAMPI A assessment) | Per commit (CI/CD automated verification) |
| Certification Cost | High cost (hundreds of millions of KRW) | Free (internal self-certification) |
| Time Required | 12-36 months (preparation + assessment) | 1-2 weeks (audit) |
| Certification Body | CMMI Institute (under ISACA) | TIENIPIA Technical Standards Committee |
| Target Organization | Large-scale software development organizations | Project teams of all sizes |
30.5.4.1. Process Maturity vs Technical Maturity
The most fundamental difference between CMMI and TQS lies in what "maturity" means.
CMMI assesses how mature an organization's software development processes are. It answers questions such as "Has a requirements management process been defined?", "Are configuration management procedures applied consistently across all projects?", and "Is process performance being measured quantitatively?"
TQS verifies how mature the technical implementation of the software produced by the organization is. It answers questions such as "Is code formatting applied consistently?", "Is test coverage sufficient?", and "Are security settings correctly implemented?"
By analogy, CMMI inspects "how well the factory's production processes are maintained," while TQS inspects "whether the products coming out of the factory meet quality standards."
30.5.4.2. Difference in Cost and Duration
CMMI assessment requires a minimum of 12 months from preparation to official assessment, and when including external consulting and assessment costs, expenses in the hundreds of millions of KRW are incurred. This is because CMMI targets the processes of the entire organization.
TQS grants certification at the project level, and since automated verification is already integrated into the CI/CD pipeline, the audit period is only 1-2 weeks. No separate certification costs are incurred.
30.5.5. Relationship with the TQS Maturity Model
TQS also operates a 5-level maturity model. While CMMI's maturity model is based on process capability, TQS's maturity model is based on technical implementation capability.
30.5.5.1. CMMI and TQS Maturity Level Mapping
| Level | CMMI Maturity | CMMI Focus | TQS Maturity | TQS Focus |
|---|---|---|---|---|
| 1 | Initial | Processes undefined, dependent on individual capabilities | Initial | Code conventions not applied, no tests |
| 2 | Managed | Basic processes defined at project level | Basic | Formatter applied, basic tests exist |
| 3 | Defined | Organizational standard processes defined and applied | Standard | All TQS mandatory items met, CI/CD integrated |
| 4 | Quantitatively Managed | Process performance quantitatively measured | Advanced | Coverage 90%+, performance optimization, security hardening |
| 5 | Optimizing | Continuous process improvement established as culture | Optimizing | Automated reporting, quality trend analysis, proactive improvement |
30.5.5.2. Complementary Application of Both Models
CMMI maturity and TQS maturity are independent but complementary.
- An organization at CMMI Level 3 may still have low TQS maturity. This is a state where processes are well defined but actual code quality does not meet the criteria.
- Conversely, a project with high TQS maturity may have a low CMMI level. This is a state where code quality is excellent but organizational-level process standardization has not been achieved.
The ideal organization is one that raises both CMMI maturity (process capability) and TQS maturity (technical implementation capability) together. The most effective approach is two-directional quality management where CMMI standardizes "how work is done" and TQS verifies "whether the work output meets the criteria."
30.5.5.3. Application Scenarios
Scenarios where applying CMMI and TQS together is effective include the following.
- Large-scale SI projects: In public/defense projects that require CMMI Level 3 or higher, CMMI demonstrates process capability while TQS guarantees output quality.
- Organizations operating multiple projects: CMMI defines organizational standard processes, and TQS is applied to each project to consistently manage code quality per project.
- Organizations pursuing process improvement: While pursuing CMMI level advancement, TQS quantitatively measures the practical effect of process improvement (code quality improvement).
CMMI evaluates "whether the organization operates mature processes," and TQS verifies "whether mature processes actually produce high-quality code." The two models each address opposite ends of the cause-and-effect relationship between processes (cause) and deliverables (effect).