We use strictly necessary cookies to run this site, and — only with your consent — analytics & marketing cookies (Google Analytics, Google Tag Manager) to improve it. No analytics or marketing cookies are set unless you accept. See our Cookie Policy and Privacy Policy.

Knowledge Center / CMMI
ISACA / CMMI Institute · Global

CMMI V3.0

Capability Maturity Model Integration — a model for building repeatable, measurable, continually improving organisational capability.

Capability Maturity Model Integration (CMMI) is an organisational performance and process-improvement model used to standardise how work is performed, improve product and service quality, reduce delays, defects and cost overruns, and make delivery predictable. The current model is CMMI V3.0 (released 2023), which supports eight domains and can be tailored to an organisation’s business objectives. CMMI describes what capabilities must exist — it is not a checklist, a product certification, an ISO standard, or a replacement for Agile, Scrum, DevSecOps, ISO, COBIT or ITIL.

Organisations are appraised, not “CMMI certified.” A benchmark appraisal by an authorised Lead Appraiser produces a maturity- or capability-level rating for a defined organisational unit — the CMMI Institute does not issue an ISO-style certificate.

The eight CMMI V3.0 domains

CodeDomainFocus
DEVDevelopmentEngineering software, platforms, hardware and product services
SVCServicesService strategy, delivery, continuity and incident resolution
SECSecuritySecurity governance, requirements, threat and vulnerability management
SPMSuppliersSupplier selection, contracting, monitoring and performance
SAFSafetySafety-critical products and services (medical, aviation, automotive, energy)
DATADataData governance, architecture, lifecycle and quality
PPLPeopleWorkforce planning, competency, development and performance
VRTVirtualRemote, hybrid, offshore and distributed delivery

CMMI V3.0 added the Data, People and Virtual domains to the existing capabilities.

Maturity levels 1–5

LevelNameMeaning
0IncompleteWork is ad hoc, incomplete or not consistently performed
1InitialReactive and unpredictable; delivery may be late or over budget
2ManagedPlanned, performed, monitored and controlled at project/service level
3DefinedStandard organisational processes are established, tailored and consistently used
4Quantitatively ManagedPerformance controlled using quantitative and statistical methods
5OptimisingThe organisation continuously improves and adapts to change

Levels 4 and 5 are commonly called high maturity. A maturity level rates a defined organisational unit across a group of Practice Areas.

Capability levels vs maturity levels

A capability level (0–3: Incomplete, Initial, Managed, Defined) rates a single Practice Area, so you can target improvement precisely — for example Configuration Management at Capability Level 3 while Data Quality is at Level 1. A maturity level (0–5) rates a defined group of Practice Areas for an organisational unit. Capability levels run 0–3; maturity levels run 0–5.

The 31 Practice Areas

CMMI V3.0 contains 31 Practice Areas — 17 core and 14 domain-specific. The 17 core Practice Areas apply across every domain:

  • CAR — Causal Analysis and Resolution
  • CM — Configuration Management
  • DAR — Decision Analysis and Resolution
  • EST — Estimating
  • GOV — Governance
  • II — Implementation Infrastructure
  • MPM — Managing Performance and Measurement
  • MC — Monitor and Control
  • OT — Organizational Training
  • PR — Peer Reviews
  • PLAN — Planning
  • PAD — Process Asset Development
  • PCM — Process Management
  • PQA — Process Quality Assurance
  • RDM — Requirements Development and Management
  • RSK — Risk and Opportunity Management
  • VV — Verification and Validation

Domain-specific Practice Areas include TS & PI (Development); CONT, IRP, SDM & STSM (Services); ESEC & MST (Security); SAM (Suppliers); DM & DQ (Data); ESAF (Safety); WE (People); and EVW (Virtual). The 2026 CMMI AIM material also embeds AI-related content across all 31 Practice Areas.

Appraisal types

TypePurposeValidity
BenchmarkObtain an official maturity- or capability-level rating; may be published~3 years
SustainmentConfirm previously appraised capability continues (reduced scope)~2 years
EvaluationDiagnostic — gap analysis, readiness, acquisition (not published)n/a
Action Plan ReappraisalAddress specific weaknesses via an approved action plan and re-evaluaten/a

The appraisal lifecycle

  1. Business & scope definition — objectives, domain, target level, organisational unit, sponsor, Lead Appraiser.
  2. Gap assessment — map processes to the applicable Practice Areas and build the roadmap.
  3. Process development — processes, templates, lifecycle models, measurement and tailoring.
  4. Deployment — train, pilot and roll out across representative projects; collect evidence.
  5. Institutionalisation — management reviews, QA, metrics and repeated implementation.
  6. Readiness review — mock interviews, evidence sufficiency and traceability.
  7. Formal appraisal — evidence examination, interviews, characterisation, rating and optional publication.

CMMI with Agile, DevSecOps and ISO

CMMI expectationAgile / DevSecOps implementation
PlanningSprint & release planning, roadmap
Requirements managementProduct backlog, user stories, acceptance criteria
Monitor and controlBurndown, velocity, dashboards, stand-ups
Peer reviewsPull-request / code-review workflow
Verification & validationAutomated + acceptance testing
Configuration managementGit, branch strategy, artifact repository
MeasurementDORA, quality and delivery metrics
Causal analysisRetrospectives and root-cause analysis

CMMI integrates with ISO too: CMMI-DEV with ISO 9001, CMMI-SVC with ISO/IEC 20000-1, CMMI-SEC with ISO/IEC 27001 and CMMI-DATA with ISO 8000.

Typical implementation timeline

TargetTypical planning range
Initial gap assessment3–6 weeks
Level 2 implementation4–8 months
Level 3 implementation8–15 months
Level 4 implementation18–30 months
Level 5 implementation24–36+ months

These are planning estimates, not fixed durations; actual timelines depend on size, number of projects, existing maturity, target level and evidence readiness.

CMMI AIM — Artificial Intelligence Maturity

In 2026, CMMI introduced the Artificial Intelligence Maturity (AIM) initiative, adding AI-specific context across the existing model rather than a separate framework. It addresses AI governance, responsible AI, AI lifecycle and data quality, model performance, AI security, human oversight and AI supplier management, and provides an AI benchmark view without changing existing non-AI appraisals.

How CyberSigma helps

CyberSigma provides CMMI implementation and appraisal-readiness consulting — scoping, gap assessment, the process library, deployment, metrics and a formal readiness review — in partnership with a licensed CMMI Lead Appraiser who conducts the benchmark appraisal, backed by full CMMI delivery capability. For most software and services organisations we recommend starting with CMMI Development + Services Maturity Level 3.

Free 1-minute check
Free Security Assessment
Get a complimentary, no-obligation assessment from CERT-In empanelled senior auditors.
Try it free →

Frequently asked questions

Is CMMI a certification?
No — organisations are appraised, not certified. A benchmark appraisal by an authorised CMMI Lead Appraiser produces a Maturity Level (1–5) or Capability Level (0–3) rating for a defined organisational unit, typically valid three years.
What is the difference between a capability level and a maturity level?
A capability level (0–3) rates a single Practice Area; a maturity level (0–5) rates a defined group of Practice Areas for an organisational unit. Capability levels let you target improvement in specific areas.
How many CMMI domains and Practice Areas are there?
CMMI V3.0 has eight domains (Development, Services, Security, Suppliers, Safety, Data, People, Virtual) and 31 Practice Areas — 17 core plus 14 domain-specific.
How long does CMMI Level 3 take?
As a planning estimate, Level 3 typically takes 8–15 months after establishing Level 2 discipline, depending on organisation size, number of projects, existing maturity and evidence readiness.
Does CMMI replace Agile or ISO?
No — CMMI defines what capabilities must exist; Agile, Scrum and DevSecOps implement them. CMMI also integrates with ISO 9001, ISO/IEC 20000-1, ISO/IEC 27001 and ISO 8000.

Need help with CMMI?

CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to compliant — with a scoped, guided programme.