
The Capability Maturity Model (CMM)

5 Levels to Organizational Maturity

The Capability Maturity Model (CMM) is an organizational development model that is used today by countless organizations and teams across the globe. However, the model has very narrow, dedicated beginnings.

The original Capability Maturity Model was created by the Software Engineering Institute (SEI) at Carnegie Mellon University. While the model later grew into the more widespread Capability Maturity Model Integration (CMMI), its original purpose was military procurement: the initial research at the SEI was funded by the Department of Defense, at the request of the U.S. Air Force, in the 1980s. The goal was an objective method for evaluating the maturity of the software processes used by military contractors, so that the government could judge a bidder's ability to deliver rather than relying on past reputation. The model was then used extensively for avionics software and other government projects.

The 5 Levels of the Capability Maturity Model

Speaking more broadly, the Capability Maturity Model (CMM) is a developmental model whose work began at the SEI in 1986 (the model itself was published in the early 1990s) and has since become a standard for teams across many industries, including cybersecurity. It grew out of the process maturity framework of Watts Humphrey, which in turn adapted Philip Crosby's quality management maturity grid, and it assesses an organization on a five-point maturity scale: Initial, Managed, Defined, Quantitatively Managed, and Optimizing. (These are the level names used by CMMI's staged representation; the original CMM called level 2 "Repeatable" and level 4 "Managed".) Each level represents a stage of growth in the maturity of organizational processes, and the levels follow a path of increasingly organized and systematically managed processes. The model is used today as a benchmark to compare like organizations on an even playing field for efficiency and process improvement.

Overall, the CMM provides organizations and teams with a way to develop and refine their processes. Now that we have a baseline on the model’s inception, development, and modern day use, let’s break down each of the five levels:

CMM Level 1 — Initial

Organizations at the Initial level of the CMM are getting real work done, but often finish that work late and over their allotted budget. They may have assembled a talented group of people, but they lack the processes needed to operate as a cohesive and efficient team. Their processes are typically unpredictable, fragmented, poorly controlled, and highly reactive. The result leaves little room for efficiency and feels more like a cluster of individuals than a team working towards a common goal.

The focus for organizations at the Initial level should be on bringing the team's efforts under control and finding a way to track them. At level 1 the success of the team depends on the heroics of individuals rather than on the team as a whole, and those individual successes cannot be repeated reliably because they are not defined and documented well enough to be replicated when the individual moves on.

CMM Level 2 — Managed

At the Managed level of the CMM, processes are managed at least at the project level. This is a large improvement, because the work of the group can now be planned, performed, measured, and controlled: basic, repeatable processes are in place, so earlier successes can be repeated on some level.

The move from level 1 to level 2 means the organization can rely on existing requirements, processes, work products, and services, even in times of stress. While an organization at the Managed level functions far better than one at the Initial level, there is still plenty of room for improvement: practices are defined project by project rather than organization-wide, much of the work is still reactive, and the organization is documenting what worked on individual projects rather than working proactively towards an overarching standard.

CMM Level 3 — Defined

Organizations at the Defined level of the CMM are on their way to a healthy structure. Processes at level 3 are well characterized and understood, and are described with standards, procedures, tools, and methods. What really sets the Defined level apart from the Managed level is the scope of those standards, process descriptions, and procedures: they now apply across the organization rather than to a single project.

Along with the larger scope, processes at the Defined level are more widespread and uniform. At the Managed level there are many processes and procedures, but they vary widely from project to project. At the Defined level the organization maintains a standard set of processes that individual projects tailor within agreed guidelines, with better attention to documentation, standardization, and integration. There are still steps to go, however: the Defined level has made great strides in consistency and efficiency, but it lacks the quantitative control of level 4.

CMM Level 4 — Quantitatively Managed

Organizations at the Quantitatively Managed level of the CMM are realizing most of their potential. The defining feature of level 4 is the use of data and other quantitative information in managing processes. Quantitative objectives for quality and process performance are established, and they align with the expectations of both internal and external stakeholders, being set from the needs of customers, end users, the organization, and the people who carry out the process.

One reason for the improvement from level 3 to 4 is the selection of sub-processes that contribute most to overall performance. These sub-processes are controlled using statistical and other quantitative techniques, which greatly increases the efficiency of the overall process. Another reason is higher predictability of outcomes: quantitative measures allow far greater accuracy than the qualitative judgments used at level 3. Together these improvements allow processes to be measured and statistically controlled, so that special causes of variation are identified and corrected, which largely closes the gap present at the Initial level of maturity.

CMM Level 5 — Optimizing

The highest level of maturity for organizations and teams is level 5, Optimizing. The Optimizing level is focused on continuous improvement, and is built to pivot and respond to opportunity and change as it presents itself. This agility rests on the stability the organization has built up over time: a stable, quantitatively understood baseline of processes can be adjusted to serve the needs of the organization at any given moment. To put it simply, this is an organization firing on all cylinders.

The Optimizing level of maturity gives organizations most of what they could need. Processes are established, clear, widespread, data-driven, and efficient, and improvement is aimed at the common causes of variation in performance rather than only at individual defects. Improvement is actively a part of everyone's role, which drives the future of the organization in a natural and healthy manner. While the organization is not perfect and will keep seeking further process improvement, the team's efficiency is a far cry from the Initial level of organizational maturity.

Summing up the Capability Maturity Model (CMM)

The Capability Maturity Model represents a staged path for an organization's performance growth and process improvement efforts, based on a predefined set of practice areas. At each maturity level, that set of practice areas gives the organization a clear path for improvement, even at the highest level. Each maturity level builds on the previous one, adding practices that improve processes dramatically. Cybersecurity teams apply the same progression to their own programs, for example to judge whether vulnerability management or penetration testing is performed ad hoc by individuals, repeatably per project, to an organization-wide standard, or against measured targets.

Learn more about the PlexTrac platform here.
