Capability Maturity Model Integration (CMMI) is an organisational performance and process-improvement model used to standardise how work is performed, improve product and service quality, reduce delays, defects and cost overruns, and make delivery predictable. The current model is CMMI V3.0 (released 2023), which supports eight domains and can be tailored to an organisation’s business objectives. CMMI describes what capabilities must exist — it is not a checklist, a product certification, an ISO standard, or a replacement for Agile, Scrum, DevSecOps, ISO, COBIT or ITIL.
The eight CMMI V3.0 domains
| Code | Domain | Focus |
|---|---|---|
| DEV | Development | Engineering software, platforms, hardware and product services |
| SVC | Services | Service strategy, delivery, continuity and incident resolution |
| SEC | Security | Security governance, requirements, threat and vulnerability management |
| SPM | Suppliers | Supplier selection, contracting, monitoring and performance |
| SAF | Safety | Safety-critical products and services (medical, aviation, automotive, energy) |
| DATA | Data | Data governance, architecture, lifecycle and quality |
| PPL | People | Workforce planning, competency, development and performance |
| VRT | Virtual | Remote, hybrid, offshore and distributed delivery |
CMMI V3.0 added the Data, People and Virtual domains to the existing capabilities.
Maturity levels 1–5
| Level | Name | Meaning |
|---|---|---|
| 0 | Incomplete | Work is ad hoc, incomplete or not consistently performed |
| 1 | Initial | Reactive and unpredictable; delivery may be late or over budget |
| 2 | Managed | Planned, performed, monitored and controlled at project/service level |
| 3 | Defined | Standard organisational processes are established, tailored and consistently used |
| 4 | Quantitatively Managed | Performance controlled using quantitative and statistical methods |
| 5 | Optimising | The organisation continuously improves and adapts to change |
Levels 4 and 5 are commonly called high maturity. A maturity level rates a defined organisational unit across a group of Practice Areas.
Capability levels vs maturity levels
A capability level (0–3: Incomplete, Initial, Managed, Defined) rates a single Practice Area, so you can target improvement precisely — for example Configuration Management at Capability Level 3 while Data Quality is at Level 1. A maturity level (0–5) rates a defined group of Practice Areas for an organisational unit. Capability levels run 0–3; maturity levels run 0–5.
The 31 Practice Areas
CMMI V3.0 contains 31 Practice Areas — 17 core and 14 domain-specific. The 17 core Practice Areas apply across every domain:
- CAR — Causal Analysis and Resolution
- CM — Configuration Management
- DAR — Decision Analysis and Resolution
- EST — Estimating
- GOV — Governance
- II — Implementation Infrastructure
- MPM — Managing Performance and Measurement
- MC — Monitor and Control
- OT — Organizational Training
- PR — Peer Reviews
- PLAN — Planning
- PAD — Process Asset Development
- PCM — Process Management
- PQA — Process Quality Assurance
- RDM — Requirements Development and Management
- RSK — Risk and Opportunity Management
- VV — Verification and Validation
Domain-specific Practice Areas include TS & PI (Development); CONT, IRP, SDM & STSM (Services); ESEC & MST (Security); SAM (Suppliers); DM & DQ (Data); ESAF (Safety); WE (People); and EVW (Virtual). The 2026 CMMI AIM material also embeds AI-related content across all 31 Practice Areas.
Appraisal types
| Type | Purpose | Validity |
|---|---|---|
| Benchmark | Obtain an official maturity- or capability-level rating; may be published | ~3 years |
| Sustainment | Confirm previously appraised capability continues (reduced scope) | ~2 years |
| Evaluation | Diagnostic — gap analysis, readiness, acquisition (not published) | n/a |
| Action Plan Reappraisal | Address specific weaknesses via an approved action plan and re-evaluate | n/a |
The appraisal lifecycle
- Business & scope definition — objectives, domain, target level, organisational unit, sponsor, Lead Appraiser.
- Gap assessment — map processes to the applicable Practice Areas and build the roadmap.
- Process development — processes, templates, lifecycle models, measurement and tailoring.
- Deployment — train, pilot and roll out across representative projects; collect evidence.
- Institutionalisation — management reviews, QA, metrics and repeated implementation.
- Readiness review — mock interviews, evidence sufficiency and traceability.
- Formal appraisal — evidence examination, interviews, characterisation, rating and optional publication.
CMMI with Agile, DevSecOps and ISO
| CMMI expectation | Agile / DevSecOps implementation |
|---|---|
| Planning | Sprint & release planning, roadmap |
| Requirements management | Product backlog, user stories, acceptance criteria |
| Monitor and control | Burndown, velocity, dashboards, stand-ups |
| Peer reviews | Pull-request / code-review workflow |
| Verification & validation | Automated + acceptance testing |
| Configuration management | Git, branch strategy, artifact repository |
| Measurement | DORA, quality and delivery metrics |
| Causal analysis | Retrospectives and root-cause analysis |
CMMI integrates with ISO too: CMMI-DEV with ISO 9001, CMMI-SVC with ISO/IEC 20000-1, CMMI-SEC with ISO/IEC 27001 and CMMI-DATA with ISO 8000.
Typical implementation timeline
| Target | Typical planning range |
|---|---|
| Initial gap assessment | 3–6 weeks |
| Level 2 implementation | 4–8 months |
| Level 3 implementation | 8–15 months |
| Level 4 implementation | 18–30 months |
| Level 5 implementation | 24–36+ months |
These are planning estimates, not fixed durations; actual timelines depend on size, number of projects, existing maturity, target level and evidence readiness.
CMMI AIM — Artificial Intelligence Maturity
In 2026, CMMI introduced the Artificial Intelligence Maturity (AIM) initiative, adding AI-specific context across the existing model rather than a separate framework. It addresses AI governance, responsible AI, AI lifecycle and data quality, model performance, AI security, human oversight and AI supplier management, and provides an AI benchmark view without changing existing non-AI appraisals.
How CyberSigma helps
CyberSigma provides CMMI implementation and appraisal-readiness consulting — scoping, gap assessment, the process library, deployment, metrics and a formal readiness review — in partnership with a licensed CMMI Lead Appraiser who conducts the benchmark appraisal, backed by full CMMI delivery capability. For most software and services organisations we recommend starting with CMMI Development + Services Maturity Level 3.
Frequently asked questions
Need help with CMMI?
CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to compliant — with a scoped, guided programme.
