Ask The CMMI Appraiser!: Level 2

Showing posts with label Level 2. Show all posts

Wednesday, April 1, 2026

Level up that new career with CMMI, bruh! Gyatt!

How CMMI Can Make Your Career Go From “Mid” to “Main Character Energy”

Starting your first big-kid job in your early 20s is low-key wild. One minute you’re vibing in lectures, the next you’re in an office where everyone talks in acronyms and the printer sounds like it’s haunted. But here’s the plot twist: if you learn industry frameworks like CMMI, you’re basically speedrunning adulthood.

CMMI? Sounds like a Roblox clan.

Not gonna lie, it does.

CMMI stands for Capability Maturity Model Integration, which is corporate speak for “how not to run your company like a hot mess.”

It’s the blueprint Sigma's use to make projects actually work instead of collapsing like that group project where one guy did nothing but make the slides look ‘aesthetic.’

Why This Is Not Just Extra Homework

Knowing CMMI makes you look goated. You’ll already get how stuff works, like:

How teams plan things without losing their sanity
Why writing things down actually matters (not just journaling your delulu era)
How companies avoid oopsies before they turn into full-on “IT, help” moments
What quality assurance is (spoiler: not vibes-based testing)
Why improving things nonstop is the whole slay

Basically, while other new hires are still pretending to understand meeting lingo, you’ll be out here nodding with confidence like, “Yeah, that tracks.”

Instant +10 to Professional Riz

Talking about process maturity or improvement cycles?
Bosses love that. It screams, “I’m young but not clueless.”

Even if your experience is just:

Fixing your parents’ Wi-Fi
Surviving group projects
Having a LinkedIn you barely use

You’ll still seem like someone who gets the Big Picture™.

Future Leader Arc Unlocked

Understanding process models helps you evolve from “confused intern energy” to “team leader era.” People with this knowledge:

Communicate clearly (no typing like you’re in a Discord server)
Collaborate better (yes, even with that one coworker)
Manage tasks like an absolute unit
Think ahead instead of chaos-reacting

Basically, you’re building your manager arc before you’ve even finished decorating your first apartment.

How to Start Without Rage-Quitting

No need to sweat it. Just start simple:

Google a beginner explainer
Watch a quick YouTube rundown
Compare CMMI to Agile or ITIL so you sound giga-brain
Join teams or internships where processes actually exist

Even a tiny bit of knowledge puts you ahead of the newbies who are still figuring out how to use the office coffee machine without summoning smoke.

Understanding CMMI is the easiest W you can grab early in your career. It makes you look smart, boosts your confidence, and unlocks a future where you’re not just surviving the workplace—you’re absolutely cooking. NO CAP.

Learn more about CMMI at https://broadswordsolutions.com

Thursday, August 28, 2025

ISACA Changes their IP policy regarding CMMI. What does that mean to us?

Hey Appraiser!

Our consultant just told us we had to purchase an Enterprise license in order to conduct a CMMI Appraisal now - what gives? ~Monet Grabba

3 Tips for passing you CMMI Appraisal!

Monet,

With the release of CMMI v3.0 also came a new IP policy. They discussed doing this when V2 came out, but wisely backed off. No longer.

The new policy is that the Practice names (statements), Value Statements, Intent, and examples are proprietary and cannot be shared with anyone who does not have an active license for the CMMI Model Viewer.

Many of these are the same exact practices that were in v1.3, which was, practically speaking, public domain because it was build with taxpayer dollars. It's gonna be hard to stuff that back in the bag.

What this means for Lead Appraisers and companies adopting CMMI without a license, is that appraisal results CANNOT state the name of the practice that is being reviewed and "scored" (characterized). So...if I need to tell a client that the 1st practice in Estimating has a weakness, that's all I can tell them, unless they have an active license for EVERYONE that is in the room!

Now, don't get me wrong. I know the fine folks at ISCA fairly well, and they're smart people, but this stuff ain't rocket science. "Establish an Estimate" (I paraphrase here so I don't get lashed with a wet noodle) isn't the stuff of process innovation. Most of CMMI descibes actions smart people would take if they have the right tools and training.

I understand the examples, value intent statements, and explanatory material. That is truly original (though sometimes uninspiring). But the practice names have been around, in some form, since v1.0, and everyone has them already.

Nevertheless, those are the new rules. So, if you're going to adopt CMMI you should get an enterprise license. You'll want it anyhow - there's actually some great stuff in there.

For further guidance, including training resources and instructional materials, please refer to www.broadswordsolutions.com or explore instructional content on CMMI, Agile methods, CMMI Appraisals, CMMI Training, and more via CMMI-TV .

Sunday, August 3, 2025

What do the "Characterizations" in a CMMI Appraisal Mean?

Dear Appraiser,

I keep hearing about "Characterizations" in the CMMI, like FM, LM, PM, and DM. What do these means? ~ Mick Filipini

Want to pass your CMMI Appraisal? Here's what not to do!

Hey Mick - good question!

When we conduct Benchmark appraisals we need a way to "score" each practice based on the two types of objective evidence - artifacts and affirmations. Each appraisal looks at both in order to determine each practice's strength. This is done by examining "artifacts" (documents, databases, videos, etc), and "affirmations," within the context of the organization's goals, and the Intent and Value statement of the Practice Area.

Fully Met (FM) = There is plenty of documentary and spoken/written evidence to convince the Appraisal Team that that practice is healthy and complete, given the context of the organization being appraised. The team has no indication that there are weaknesses, and all believe the practice is being executed well. This is like getting an "A" on a paper.

Largely Met (LM) = There is also plenty of evidence in both categories, but the team feels there is some improvement to be made, and they will tell you exactly what that is. Examples include: Not ALL projects were as strong as others, one piece of evidence wasn't as strong as the others, or maybe the method chosen to perform a piece of work might have been better by applying a different method. I see a lot of appraisals that use "planning poker" in a setting where that may not make sense. This is like getting a "B" on a college paper. You can have some of these and still be rated ML2/3/4/5, but there are caveats.

Partially Met (PM) = There is some evidence the practice is being performed effectively, but there are major holes, and they need to make improvements. For instance, maybe they are performed estimating using "Wide Band Delphi" but they didn't execute it the way it is intended. This is like getting a D on a college paper. You generally can't have any of these, although there are scenarios where you could pass if a project has one of these babies.

Doesn't Meet (DM) = There is little evidence that the practice is being performance. This is like getting an F. The presence of a single DM usually means a fail, but like PM, there are exceptions.

In a perfect appraisal, these are the only four characterizations that we would see, but there are two more!

Not Yet (NY) = The project hasn't reached the point in the project where they should be performing the practice. This is usually either a sampling error (why was that project selected for that Practice Area) OR a misunderstanding of the intention of the practice. We see this with Validation and Verification, where an organization claims they haven't reached testing, not realizing that these practices should also apply to earlier actions on the project, like planning or requirements. The final outcome of an NY depends on what other projects in the sample have scored, and the Appraisal team's view as to what affect that has on the overall organization.

Not Rated (NR) = When the appraisal team can't reach a consensus on the characterization, thereby forcing the end of the appraisal without rating the organization at a maturity level. This is usually a failure of the appraisal team, or dare I say it, a failure of the Lead Appraiser to facilitate the team's consensus. Once in a while, we have an Appraisal team member that refuses to compromise also - but that's rare.

So that's the system - here's to you all getting FMs and LMs!

Monday, July 14, 2025

How to be more agile TODAY

Hi Appraiser

I'm having some trouble. My boss keeps telling me to be 'more Agile.' what does that even mean? And how can I make an immediate turn toward Agility? ~Walter Fall

HI Walter,

We hear it all the time: "Be more agile!" But what does that really mean, and how can we actually start implementing it today?

Well, you're in luck, I've got three practical steps you can take right now to embrace agility.

On Airplanes and Agile

Involve Your Customer More Closely

The foundation of any successful agile project is a deeply involved customer. By integrating your customer as a product owner who can speak for the project, you're setting yourself up for success. If your customer isn't part of the team and doesn't have a voice in the project, it's like building a house without blueprints or feedback—you may end up with something you didn't expect.

Empower Teams to Define Their Processes

Agile isn't about sticking rigidly to one process; it's about evolution and improvement through retrospectives. Allow your teams the autonomy to define and refine their processes throughout the project. As they learn and adapt, so too will the processes, resulting in a more efficient and responsive way of working.

Clearly Define Roles and Accountabilities

Nothing steers a project off course quicker than uncertainty about roles and responsibilities. By clearly defining these at the outset, you give your team members the authority and responsibility to make decisions. This empowerment reduces the need for senior management intervention and streamlines the decision-making process, leading to a more agile project.

Implement these three steps, and you'll start feeling more agile right away.

Like this blog? Forward to your nearest engineering or software exec!

Jeff Dalton is a Certified Lead Appraiser, Certified CMMI Instructor, author, and consultant with years of real-world experience with the CMMI in all types of organizations. Jeff has taught thousands of students in CMMI trainings and has received an aggregate satisfaction score of 4.97 out of 5 from his students.

What is CMMI?

Visit www.broadswordsolutions.com for more information about running a successful CMMI program. Visit CMMI-TV to see some cool videos about CMMI, Agile, and more.

Monday, June 30, 2025

What Are the Different Levels of CMMI?

Hi Appraiser,

What happens when a customer requests that we become CMMI level three, or even level five? It's often hard to see the differences, right?

Signed,

Confused About the Difference. Hi Confused!

Actually, the distinctions between the Capability Maturity Model Integration (CMMI) levels are quite meaningful. Each level represents a progression of capabilities through the adoption of organized best practices within the organization's processes.

Let’s break it down:

Level 1: Initial

This is the foundational stage where the focus is purely on getting the work done. Organizations operating at this level may do a good job but aren’t necessarily focused on strategic processes or continuous improvement.

Level 2: Managed

At this stage, projects begin to organize around more structured process frameworks. There’s an emphasis on ensuring that project activities are being properly managed and measured, signaling the beginning of continuous improvement efforts.

Level 3: Defined

Organizations at this level are taking a broader view, applying established processes across projects. There's a consistent use of enterprise metrics and regular adoption of continuous improvement techniques to enhance performance.

Level 4: Quantitatively Managed

Here, the use of statistical models comes into play, underpinning performance improvements through data and metrics. This level reflects a sophistication in process management, where decisions are informed by hard data.

Level 5: Optimizing

The pinnacle of CMMI maturity, where statistical process models are applied across all facets of the organization. This ensures continuous improvement processes are deeply embedded, leveraging data for overall organizational benefit.

From Level 1 to Level 5, it’s an evolutionary journey for organizations to mature their processes, aiming to maximize efficiency and effectiveness by utilizing data and structured practices.

Like this blog? Forward to your nearest engineering or software exec!
Jeff Dalton is a Certified Lead Appraiser, Certified CMMI Instructor, author, and consultant with years of real-world experience with the CMMI in all types of organizations. Jeff has taught thousands of students in CMMI trainings and has received an aggregate satisfaction score of 4.97 out of 5 from his students.

What is CMMI?

Visit www.broadswordsolutions.com for more information about running a successful CMMI program.
Visit CMMI-TV to see some cool videos about CMMI, Agile, and More.

Thursday, June 26, 2025

How CMMI can help with CMMC (and ISO) adoption

How CMMI V3.0 Could Help You Conquer CMMC V2.0 (Without Losing Your Sanity)

* Disclaimer: Jeff Dalton is a board member at CyberAB, and is precluded from delivering CMMC-related services for a period of 2 years after his term has ended. Broadsword neither sells nor markets CMMC services.

Struggling to maintain all of your government CERTS?

Okay, folks. Imagine this: You’ve just heard that the Cybersecurity Maturity Model Certification (CMMC) V2.0 is the latest must-have accessory for any defense contractor or supplier who wants to stay in the game. You might be thinking, “How do I make this work with all the other processes and certifications I already have?” Enter CMMI V3.0—the superhero of process improvement, here to help you survive this new world of cybersecurity compliance, without turning into a stressed-out puddle of nerves.

Here’s how CMMI could help you implement CMMC V2.0 like a pro—without the crying and hair-pulling.

1. Aligning Business and Cybersecurity: Because Who Wants to Juggle Two Different Worlds?

CMMI V3.0: This guy is all about linking process improvements to business outcomes like customer satisfaction, productivity, and those mythical things we call "efficiency."
CMMC V2.0: This one’s a bit more intense. Based on NIST 800-171, It’s got your back when it comes to safeguarding Controlled Unclassified Information (CUI). No one's stealing your secrets, buddy.

How CMMI V3.0 Can Help: Wouldn't it be nice if you didn’t have to choose between your business goals and cybersecurity? CMMI V3.0 can help you connect the dots between the two. It’s like setting up a dating profile for your business and cybersecurity goals. “Looking for mutual understanding, growth, and lots of collaboration.” CMMC's cybersecurity goals would seamlessly integrate into your broader strategy without breaking a sweat. Romantic, right?

2. Scalable Maturity Models: Because We All Want to Get Better, but Not Overnight

CMMI V3.0: Offers five levels of maturity, from “meh” to “wow, look at you go!” It’s a process of gradual improvement, one awkward baby step at a time.
CMMC V2.0: Same deal, but three levels—everything from “basic hygiene” (no, not THAT hygiene) to “advanced security practices” (aka your cybersecurity is so tight even James Bond would be impressed).

How CMMI V3.0 Can Help: CMMI V3.0 would let these two frameworks walk hand-in-hand, like an ideal couple. As your organization matures in CMMI, you can simultaneously level up your CMMC compliance. It’s like getting a gym buddy who shows up every day. Together, you’ll get stronger, more secure, and less likely to collapse in a heap.

3. Integrated Governance: For When Your Company Needs a Little “Tough Love”

CMMI V3.0: Governance is all about creating clear, documented processes and making sure everyone is following the rules. It’s like having a really strict librarian who checks over your shoulder to make sure you’re reading the right book.
CMMC V2.0: Requires you to establish strict governance over your cybersecurity efforts too. No, this doesn’t mean you get to be the "cybersecurity sheriff" at the office (but imagine the badge!).

How CMMI V3.0 Can Help: Imagine having the ultimate “cybersecurity watchdog” at your disposal. With CMMI V3.0, you get shiny new tools—like real-time dashboards and audit trails—that help keep track of all your compliance activities without breaking a sweat. No more scrambling through piles of paper or scrolling through endless email chains trying to prove you’ve got your act together.

4. Process Improvement for Cybersecurity: Because Even Cybersecurity Needs a Tune-Up

CMMI V3.0: This model is about making things work better. Think: better risk management, incident management, and configuration management. It’s like fixing up an old car—just with more spreadsheets.
CMMC V2.0: It’s the fancy new sports car that needs to be carefully maintained with precise cybersecurity practices. If something’s off, you’ll know it!

How CMMI V3.0 Can Help: You don’t need to treat CMMC like some separate thing. CMMI V3.0 would help you integrate cybersecurity directly into your everyday process improvement. It’s like having a mechanic who can not only fix the engine but also make sure it’s well-oiled for maximum performance. Incident management? Risk assessment? Check and check. You’ve got it all covered!

5. Documentation and Evidence: Because You Can’t Just Say You Did It (Spoiler: You Have to Prove It)

CMMI 3.0: We all know that good documentation is key—plans, procedures, metrics. Without it, you’re just a business without a paper trail. And that’s basically like being a superhero without a cape.
CMMC V2.0: You gotta document everything. Every incident response. Every access log. Every cybersecurity procedure, like you're preparing for a NASA mission.

How CMMI V3.0 Can Help: Imagine if CMMI V3.0 made documentation as easy as taking a selfie. (Okay, maybe not that easy, but close.) By helping you integrate cybersecurity documentation with your regular process improvement docs, CMMI V3.0 would make it a breeze to collect and organize the evidence you need for CMMC audits. No more scrambling at the last minute. You’ll look like the most organized person in the room. You're welcome!

6. Employee Training and Awareness: Because You Can’t Just Tell People, You Gotta Show Them

CMMI V3.0: Employee training is crucial. It’s like teaching your team the secret sauce of success—processes that everyone needs to follow to improve the company.
CMMC V2.0: If you think employee training for CMMI is tough, try training them in cybersecurity. We’re talking about protecting CUI, not the company coffee machine.

How CMMI V3.0 Can Help: Instead of making training feel like a boring lecture on a Friday afternoon, CMMI V3.0 could offer training modules that help employees learn about cybersecurity while also mastering process improvement. It’s a win-win—your team gets smarter about both CMMI and CMMC without the pain of attending yet another workshop.

7. Real-Time Monitoring and Feedback: So You Don’t Have to Guess How You’re Doing

CMMI V2.0: Gives you feedback in real-time, so you’re not left in the dark wondering how your process improvements are progressing.
CMMC V2.0: Requires you to constantly monitor cybersecurity efforts. Yes, it’s a lot of work, but think of it like a fitness tracker for your organization.

How CMMI V3.0 Can Help: With CMMI V3.0, you can track both your process maturity and your cybersecurity compliance in real time. It’s like having a GPS for your business—except it doesn't just tell you where you’re going, it tells you how fast you’re going, how much fuel you have left, and if you’ve passed the last exit for “Cybersecurity Best Practices.”

8. Integrating Cybersecurity and Risk Management: Because Cybersecurity Isn't Just a "Side Job" Anymore

CMMI V2.0 Risk Management: Think of CMMI as the thoughtful planner who sits down and evaluates risks from every angle—so nothing surprises you later.
CMMC V2.0 Risk Management: Requires a similar, but more intense, focus on cybersecurity risks—except now you have to be prepared for potential hackers and cyber threats that could derail your entire operation.

How CMMI V3.0 Can Help: With CMMI V3.0, you can bring your cybersecurity risk management into the broader enterprise-wide risk management framework. It’s like upgrading from a bicycle to a rocket ship. You’ll handle cybersecurity risks AND general business risks with the grace of a ballet dancer on roller skates.

Conclusion: CMMI V3.0—Your Ultimate Sidekick for Conquering CMMC V2.0

While CMMI V2.0 has already done wonders for organizations looking to implement CMMC V2.0, the potential of CMMI V3.0 could make the whole process feel less like a battle and more like a well-choreographed dance. With improved tools, real-time monitoring, and integrated frameworks, CMMI V3.0 can help you embrace CMMC compliance with open arms. And, let’s face it, in today’s world of cybersecurity, that’s about as close to superhero status as you’ll get.

So, strap in, folks. The future of CMMC V2.0 and CMMI V3.0 is looking brighter—and much less stressful—than ever before.

Wednesday, June 25, 2025

Are CMMI Appraisals really too expensive?

How NOT to pass a CMMI Appraisal

I love a good game of “bunchball.”

You’ve seen it: a dozen little Pelés chasing the soccer ball down the field, every one of them trying to score the goal that wins the game. Eventually, one fast kid breaks away, gets a clean shot, and—yippee!—saves the day with the only goal scored. The team wins.

Fun to watch? Absolutely. Championship-level play? Not quite.

Meanwhile, there’s always one kid who hangs back—playing defense, watching the field, covering the goal. Not chasing glory, just playing their role. That kid isn’t flashy, but they’re going places. Why? Because they’re playing the game, not just the moment.

Sound Familiar?

At recent CMMI events, there’s been growing concern that CMMI appraisals are too expensive. Attendees talk about thousands of hours spent preparing, assembling documents, and scrambling to “get ready.” The cost, some argue, far exceeds the benefit.

If that’s really true—yes, we should be concerned.

But it raises an important question: Are these organizations truly operating at the level they’re trying to appraise? Or are they just playing a high-stakes version of bunchball?

Visualizing the Problem

Anyone who knows me knows I love whiteboards. I’m a visual thinker, and I often sketch out problems to get clarity. One of my favorite drawings is a (very rough) cliff scene with two sets of stick figures:

One group is clawing their way up the cliff, fingernails barely holding on, shouting:
“Whooo hoooo! We MADE Level Three!”
The other group is already on top of the cliff, lifting barbells, stretching, and quietly saying:
“We ARE Level Three.”

Now tell me—which appraisal was “too expensive”?

It’s Cheaper to Be Great

Here’s the reality: appraisals only feel expensive when organizations aren’t truly performing at the level they’re aiming for.

If your team is spending months digging up “evidence,” assembling PIIDs, and creating artifacts from scratch just to meet the requirements—you’re not appraisal-ready. Not yet.

That doesn’t mean you’re not doing great work. It just means you haven’t built a systemic approach yet. You’re still chasing the ball around the field.

The Championship Analogy

Let’s imagine a school principal tells a youth soccer coach:

“You must win the league championship before the end of fiscal year 2014.”

The coach might:

Hire consultants to teach a few winning techniques from last year
Bring in “ringers” to fill key roles like goalie
Assign consultants to shadow players and correct every mistake
Lobby the league for friendly referees

Sure, they might win a few games. But when the season ends, they’re still just a bunchball team.

Now imagine a wiser coach replies:

“We’re not ready to win the championship yet, but we can have a winning season.”

And then that coach:

Trains and practices regularly
Teaches kids to play their positions and work as a unit
Brings in experts to build skills, not just win trophies
Puts players in roles suited to their strengths
Gets honest, unbiased feedback from referees

That’s how real champions are built. And it’s the same with organizations pursuing CMMI maturity.

Appraisals Aren’t the Problem—Readiness Is

CMMI is a global benchmark of excellence. If we want appraisals to mean something, they should be challenging. But they don’t have to be expensive.

If an organization is already operating at Maturity Level 2 or 3, proving it shouldn’t be painful. The cost of the appraisal is reasonable, because the behaviors are already present.

If you’re not quite there yet? Trying to appear ready can cost a fortune—and might still fall short.

“But What About All the Paperwork?”

Good question. Someone at a recent conference asked:

“Don’t document inventories take a huge amount of time?”

They can—but they shouldn’t.

In a well-run ML2 or ML3 organization, work products are well-managed. Strong Configuration and Data Management practices mean artifacts are easy to locate and demonstrate. There’s no need to compile huge inventories from scratch—because the data already exists in good order.

That means fewer headaches. Lower prep time. Lower cost.

The Bottom Line

CMMI appraisals are only expensive when you’re faking it. Not because the model is broken, but because the team isn’t ready.

It’s cheaper to be great than it is to fake it.

Focus on building capability. Develop your team. Play your positions. When you're truly performing at a high level, appraisals become proof—not a burden.

Feel free to leave me a question here or email me at AskMe@broadswordsolutions.com.

Like this blog? Forward to your nearest engineering or software exec!

What is CMMI?

Visit www.broadswordsolutions.com for more information about running a successful CMMI program.

Visit CMMI-TV to see some cool videos about CMMI, Agile, and More

Visit https://askthecmmiappraiser.blogspot.com/ to see the old (V2) Blog (lots of content!)