Extension to and Augmentation of CMMI Version 2.0

CMMI V2.0 is expected to get extended much beyond the three domains it has conventionally been applied till date - development, services and supplier management (acquisition).

The plan seemingly is to extend CMMI V2.0 by augmenting it with newer domains like workforce management (people), security and safety.

Workforce Management

It is, however, interesting to note that "people" area was already there as part of a separate model called as P-CMM (written with a "dash after "P").

P-CMM had its last release more than a decade earlier in July 2009.

The version was quite incidentally 2.0!

P-CMM never saw much traction and hence never had another release.

In a way, having a separate model for people practices was never a logical thing to do in the first place.

Managing people practices in isolation has no meaning and must be seen as one of the several elements that form part of effective management of work in an organization.

Following people practices will find a place in CMMI V2.0 under the capability area "Managing the Workforce (MWF)":

• Compensation and Rewards
• Staffing and Workforce Management
• Career and Competency Development
• Empowered Work Groups
• Organizational Training

Organizational Training was already there in the first release of CMMI V2.0, and has been a part of CMMI framework for quite a long time.

P-CMM has continued on life-support for many years and CMMI V2.0 will help resuscitate it by subsuming it in a manner that makes sense.

That is why there are just five people practices that will there in CMMI V2.0.

It is actually just four if one were to take out the Organizational Training also.

It is easy to see the right-sizing of P-CMM in CMMI V2.0 from 22 practices to just 4!

The HR folks who used to make a lot of unnecessary hullabaloo, misplaced hype and a big mountain out of the P-CMM mole-hill have also been right-sized along with their pet model.

For more details about P-CMM, read the following post:

• P-CMM or People CMM
• Some Thoughts on PCMM

Security (Management)

Another extension to CMMI V2.0, is the Security domain which has conventionally been associated with ISO 27001, the ISO standard for information security.

The above should be extended further by organizations to the Data Privacy domain though it is not explicitly asked for.

This is crucial given the importance of Data Privacy, which has extended the information security domain to special protection of personal information through regulations such as GDPR.

For more details about Data Privacy, read the following posts:

• EU GDPR (General Data Protection Regulation) - Some Key Points
• Personal Data Privacy Regulations - Some Interesting Corollaries

Following security practices will find a place in CMMI V2.0 under the capability area "Managing Security (MSEC)".

• Managing and Planning Security
• Developing Secure Solutions
• Managing Security Threats and Vulnerabilities
• Selecting and Managing Secure Suppliers
• Planning and Supporting Security in Work

For more details about Information Security, read the following posts:

• Data Privacy and Information Security - How are they different and how are they same? 
• ISO 27001

Safety (Management and Engineering)

Another extension to CMMI V2.0, is the Safety domain which has conventionally been associated with specific safety standards.

In addition, there is a framework known as CMMI + SAFE that was developed to provide a safety add-on the to CMMI-DEV model.

The last version of +SAFE, version 1.2, was released more than a decade back, in March 2007.

Following safety practices will find a place in CMMI V2.0 under the capability area "Managing Safety (MSAF)".

• Communication and Coordination
• Managing and Planning Safety
• Ensuring Safety

For more details about Safety, read the following posts:

• CMMI +SAFE - Safety Extension to CMMI
• Process Framework for Avionics Software

CMMI +SAFE - Safety Extension to CMMI

CMMI +SAFE was developed with the purpose of providing an option to organizations that wanted to extend their CMMI implementation to include safety considerations.

The last version of +SAFE, version 1.2, was released way back in March 2007.

+SAFE, version 1.2 was provided as an add-on for safety over CMMI for Development, version 1.2 and has not been kept current with CMMI V2.0, the latest version of the CMMI model.

It was developed by the Australian Department of Defence and not the US DoD which had funded the development of CMMI models till version 1.3.

The technical report published on +SAFE described how to use this framework as either an independent thread or as an add-on to CMMI implementation in the organization.

Since developing and maintaining safety-critical products require specialized processes, skills, and experiences, +SAFE was intended for guiding the implementation of such practices in an organization.

It was also intended for subsequently appraising an organization's capabilities in managing the development and maintenance of safety-critical products.

+SAFE supplements CMMI-DEV with two additional process areas:

• Safety Management
• Safety Engineering

Key details of the specific goals and specific practices in the above two process areas available in +SAFE are as given below.

Safety Management

This process area pertains to identification and planning for addressing safety requirements and considerations and corresponds to Project Management process areas in CMMI-DEV.

SG 1 Develop Safety Plans
SP 1.1 Determine Regulatory Requirements, Legal Requirements, and Standards
SP 1.2 Establish Safety Criteria
SP 1.3 Establish a Safety Organization Structure for the Project
SP 1.4 Establish a Safety Plan

SG 2 Monitor Safety Incidents
SP 2.1 Monitor and Resolve Safety Incidents

SG 3 Manage Safety-Related Suppliers
SP 3.1 Establish Supplier Agreements That Include Safety Requirements
SP 3.2 Satisfy Supplier Agreements That Include Safety Requirements

Safety Engineering

This process area pertains to execution and monitoring of the plan developed in the "Safety Management" and corresponds to Engineering process areas in CMMI-DEV.

SG 1 Identify Hazards, Accidents, and Sources of Hazards
SP 1.1 Identify Possible Accidents and Sources of Hazards
SP 1.2 Identify Possible Hazards

SG 2 Analyze Hazards and Perform Risk Assessments
SP 2.1 Analyze Hazards and Assess Risk

SG 3 Define and Maintain Safety Requirements
SP 3.1 Determine Safety Requirements
SP 3.2 Determine a Safety Target for Each Safety Requirement
SP 3.3 Allocate Safety Requirements to Components

SG 4 Design for Safety
SP 4.1 Apply Safety Principles
SP 4.2 Collect Safety Assurance Evidence
SP 4.3 Perform Safety Impact Analysis on Changes

SG 5 Support Safety Acceptance
SP 5.1 Establish a Hazard Log
SP 5.2 Develop a Safety Case Argument
SP 5.3 Validate Product Safety for the Intended Operating Role
SP 5.4 Perform Independent Evaluations

+SAFE was designed to cut down the dependence of CMMI appraisals on the need for safety domain expertise with the members of the appraisal team.

This extension was developed for standalone use but can be used in combination model with the primary CMMI implementation track.

There are intentional overlaps with CMMI model content and some safety standards though it is neither meant to be seen as an integral part of the CMMI model nor rely upon any specific safety standards.

Since +SAFE is an extension of the CMMI framework, it adopts the same assumptions, model structure, conventions, and terminology as the CMMI model and is also affected by the general process-area and capability-level interactions inherent in the CMMI model.