
CMM's explicit tie to IT quality


Gary Stoneburner

Mar 15, 1999, 3:00:00 AM
What are the explicit ties between CMM and the quality of the process
outputs?

My interest is primarily SSE-CMM, System Security Engineering-CMM.

In its present form, SSE-CMM is disjoint from metrics for output
quality. Therefore a process can achieve a high SSE-CMM rating
demonstrating consistency and "improvement", without "improvement"
having any relation to the quality of the output.

It appears to be a fundamentally flawed concept to allow an organization
to claim process improvement without any need to tie improvement of
process to improvement in the quality of the process outputs. The
fundamental problem is not that we need better processes, but that we
need better outputs. A process is better if it produces better
outputs. Being consistent is a very important starting point, but quite
insufficient. Consistent poor quality is of little use! And it seems
that if a process can be "improved" without producing higher quality,
then it is "improved" in name only.

With such a disconnect I find an SSE-CMM rating to be
counter-productive.

How is this situation handled with Software Engineering-CMM?

Cheers,
Gary

***********************************************************************
* Gary Stoneburner, Team Leader - Guidance and Assistance *
* National Institute of Standards and Technology (NIST) *
* Computer Security Division, Systems and Network Security Group *
* 100 Bureau Dr, Stop 8930, Gaithersburg, MD 20899-8930 *
* Phone: 301-975-5394, FAX: 301-948-0279, Email: Stone...@nist.gov *
***********************************************************************


Robert Altizer

Mar 18, 1999, 3:00:00 AM
I'm not familiar with the SSE-CMM that Gary cites, but disconnection between
process improvement and product improvement is an issue that many SW-CMM
advocates have a tough time explaining. His statement that "A process is
better if it produces better outputs" is simple, eloquent, and usually ignored.

There is a lot of faith put in the proposition that a well constructed,
well run process that supports its own improvement through technology and
process change management will produce better outputs. Thus many process
improvement efforts fail to complete the feedback loop by linking process
changes to product quality improvements. (After all, to get an SEI SW-CMM
Maturity Level <n> badge you just have to demonstrate compliance with the
CMM's goals, not achieve any particular level of product quality.)

But the failure to make the process-product quality connection is not
the fault of the CMM; rather, the blame lies with process champions and
managers who work on the wrong problem. The _real_ problem is that their
product quality or process performance (e.g., defect level, on-time delivery)
is X when it needs to be Y, not whether they've reached an arbitrarily
determined Maturity Level goal. Using the SW-CMM as a basic framework of
key processes--a set that may need to be augmented to cover an organization's
whole problem space--and linking the effects on real quality and performance
measures to those KPAs enables an organization to make the kind of process
improvements Gary asks for. Working without this linkage to the real world,
with the SW-CMM as the only reference, leads to the counter-productivity he
observes.

Gary Stoneburner wrote:
>
> What are the explicit ties between CMM and the quality of the process
> outputs? My interest is primarily SSE-CMM, System Security Engineering-CMM.
>
> In its present form, SSE-CMM is disjoint from metrics for output
> quality. Therefore a process can achieve a high SSE-CMM rating
> demonstrating consistency and "improvement", without "improvement"
> having any relation to the quality of the output.
>
> It appears to be a fundamentally flawed concept to allow an organization
> to claim process improvement without any need to tie improvement of
> process to improvement in the quality of the process outputs. The
> fundamental problem is not that we need better processes, but that we
> need better outputs. A process is better if it produces better
> outputs. Being consistent is a very important starting point, but quite
> insufficient. Consistent poor quality is of little use! And it seems
> that if a process can be "improved" without producing higher quality,
> then it is "improved" in name only.
>
> With such a disconnect I find an SSE-CMM rating to be counter-productive.
> How is this situation handled with Software Engineering-CMM?

Regards,
Bob
--
# Robert Altizer - Member of the Technical Staff, Motorola SPS
# 2100 East Elliot Road, M/S EL714, Tempe AZ 85284-1801 USA
# +1-602-413-4158 (voice) / +1-602-413-8108 (fax) / 800-213-5934 (pager)
# Email: raj...@email.no-spam.mot.com # Remove no-spam to reply
