US Requirement For Software Dev Certification Raises Questions

dcblogs writes "U.S. government contracts often require bidders to have achieved some level of Capability Maturity Model Integration (CMMI). CMMI arose some 25 years ago via the backing of the Department of Defense and the Software Engineering Institute at Carnegie Mellon University. It operated as a federally funded research and development center until a year ago, when CMMI's product responsibility was shifted to a private, profit-making LLC, the CMMI Institute. The Institute is now owned by Carnegie Mellon. Given that the CMMI Institute is now a self-supporting firm, any requirement that companies be certified by it — and spend the money needed to do so — raises a natural question. 'Why is the government mandating that you support a for-profit company?' said Henry Friedman, the CEO of IR Technologies, a company that develops logistics defense related software and uses CMMI. The value of a certification is subject to debate. To what extent does a CMMI certification determine a successful project outcome? CGI Federal, the lead contractor at Healthcare.gov, is a veritable black belt in software development. In 2012, it achieved the highest possible Capability Maturity Model Integration (CMMI) level for development certification, only the 10th company in the U.S. to do so."

  • by SuperKendall ( 25149 ) on Monday December 30, 2013 @07:27PM (#45823369)

    "Why is the government mandating that you support a for-profit company?"

    Works for Obamacare.

    • by icebike ( 68054 ) on Monday December 30, 2013 @07:37PM (#45823449)

      Exactly. The Supreme Court already ruled you can be forced to contract with a private company for many different things. That cat is out of the bag.
      Expect more of this in the future.

      As for certifications, like virtually all of them, this one (CMMI) is totally useless in assuring quality.

      • by Bill_the_Engineer ( 772575 ) on Monday December 30, 2013 @07:41PM (#45823471)

        As for certifications, like virtually all of them, this one (CMMI) is totally useless in assuring quality.


        CGI Federal, the lead contractor at Healthcare.gov, is a veritable black belt in software development. In 2012, it achieved the highest possible Capability Maturity Model Integration (CMMI) level for development certification, only the 10th company in the U.S. to do so.

        • by Anonymous Coward on Monday December 30, 2013 @08:55PM (#45824173)

          Been a while since I worked for a company that cared about the CMMI (UPS back in '96 or so) but IIRC a company can not reach the highest level of CMMI. Only project teams can reach it. So just because CGI Federal had a project team with the highest level of CMMI doesn't mean that was the team working on Healthcare.gov.

          I also remember in my CMM training that they taught us that the highest level of CMMI (5 I think) should be reserved for things that essentially affect people's lives (medical equipment software, nuclear power plant software, etc...) and trying to reach anything past level 3 introduced inefficiencies in the development cycle that were unwarranted expenses to most software development.

          But I agree with your overall point, CMMI certification is a waste of time and money.

          • "Only project teams can reach it."

            And NOBODY cares.

            CGI was already notorious for failed large projects when it was selected for healthcare.gov. (Anybody who thinks the fact that an officer of CGI was a classmate of Michelle Obama does NOT have something to do with its selection is living in lala-land.)

            GOOD software developers, and software development organizations, almost universally oppose efforts at certification. Because the only thing it measures is bureaucracy, and the extent to which someone is willing to live with it.


      • Re: (Score:2, Funny)

        by Anonymous Coward

        As for certifications, like virtually all of them, this one (CMMI) is totally useless in assuring quality.

        Yeah, that CMMI stuff is old hat for waterfallers, but don't worry, by 2038, the government will have updated its requirements to mandate that all projects shall be conducted using Agile(tm) methods under the direction of a Certified Scrum Master(tm).

      • auto insurance is mandatory in all states, isn't it?

        if you get hit, your insurance company will pay instead of you having to track down the person who hit you.

        do you want to fight that idea, too? sure, there are people who drive uninsured, but most people don't 'fight the system' and they do buy car insurance. and it's always by a private for-profit company, too.

        how is the dreaded obamacare so different? we 'force' car insurance on every driver; why is it so wrong to force everyone who is of age to partak

    • "Why is the government mandating that you support a for-profit company?"

      Works for Obamacare.

      OK, point taken, but it's a lot more common than that, making the question seem naive. The government also requires you to have non-bald tires on your car, car insurance, wear clothing when you're out in public, and a hundred other things that you get from for-profit companies. And, trust me, you wouldn't enjoy a society in which everything mandated by the government was actually produced by the government.

      Of course, the core issue is whether CMMI does what it's supposed to. I have no idea, but will note th

      • by mrchaotica ( 681592 ) * on Monday December 30, 2013 @07:58PM (#45823597)

        The question in the summary left out an important word:

        "Why is the government mandating that you support a [particular] for-profit company?"

        This would be a lot less of an issue if the company in question didn't have a monopoly on providing the required certification.

        • by tlhIngan ( 30335 )

          "Why is the government mandating that you support a [particular] for-profit company?"

          This would be a lot less of an issue if the company in question didn't have a monopoly on providing the required certification.

          Actually, government has done it a lot of times. Education is huge - you may have heard of stuff like the Iowa Test of Basic Skills, the SATs, GMATs, and other degrees? Do you know that the Educational Testing Services (ETS) which provides those tests also own some rather fancy hotels and other

        • What monopoly are we talking about? If we're talking about health care, the cost monopoly is always $WHATEVER_YOUR_EMPLOYER_GETS_YOU. It's pretty much never cheaper than that.
      • The difference being that the government does not require that you purchase non-bald tyres, car insurance, or clothing from a particular (monopoly) retailer.

        • No one is required to own a car or drive. Clothing is the only thing the government actually requires you to purchase, and that's pretty hard to get around in most places anyway because you'll get hypothermia if you're outside for too long without it, at least during some parts of the year.

      • The government also requires you to have non-bald tires on your car,

        If you own a car, which is NOT mandatory.

        car insurance,

        If you own a car, which is NOT mandatory.

        wear clothing when you're out in public,

        Unless you live in a nudist colony. And even if you don't, the government doesn't require you to go out in public.

        and a hundred other things that you get from for-profit companies.

        Thing is, the ACA is the first time since FDR was King that the Feds have required you to buy something from a private com

        • the government doesn't require you to go out in public

          I was under the impression that all fifty states had mandatory school attendance laws.

      • by rnturn ( 11092 )

        ``Of course, the core issue is whether CMMI does what it's supposed to. I have no idea, but will note that governments tend to love all sorts of mandatory "certification,"..

        Q: Does the CMMI certification require that all individuals that work on projects have some kind of certification? It's one thing for an organization to be certified but if they use that certification to win a contract but then staff it with a bunch of grunts that aren't capable of producing a usable product then there's a serious prob

    • "Why is the government mandating that you support a for-profit company?"

      As well as the entire "defense" industry. And not entirely but still significantly the telecommunications, railroad, oil / natural gas, agriculture, airline, shipping, automobile, pharmaceutical, medical device, and finance industries. And I'm sure I'm leaving out a bunch.

      I mean, why do you think big companies pay big bucks for lobbyists and campaign contributions?

    • Works for Obamacare.

      There is a difference between a mandate to buy something when there are competing suppliers of the product and a mandate to buy something from a single for-profit supplier.

      • There is a difference between a mandate to buy something when there are competing suppliers of the product

        At least one state has only one Obamacare provider.

        Also none of the insurance companies really "compete" because they can't sell insurance across state lines. That's why insurance rates and health care costs are so high, because real competition is not allowed. A small number of players are allowed to control each state (Hello Cable Monopoly).

        • And, if there is only one ACA provider in a state, that's a business opportunity for other insurance companies, assuming the existing company tries to exploit its temporary monopoly position. If people don't like what they get from the CMMI Institute, then presumably another company will consider it a business opportunity and move...um...well, maybe not.

          That's the difference.

    • by ewieling ( 90662 )
      It also works for car insurance. Car insurance and health insurance require you purchase a product from a variety of companies. With CMMI requirements you can only purchase the product from a single company.
    • but we still needed something.

    • by Anubis IV ( 1279820 ) on Monday December 30, 2013 @08:54PM (#45824159)

      There's a big difference between "a for-profit company" and "this specific for-profit company". Even as someone who wasn't a fan of Obamacare, I can appreciate that mandating that everyone procure insurance from a company of their choice from among a wide selection of companies who are all competing against each other for your money is one thing, and that mandating that everyone get certified by the one and only company that the government has declared we must use and who has effectively been granted a monopoly by the government is something else entirely.

      • Except that some areas are only served by a single insurance company. It's sad but true. Many local monopolies still exist. The barriers to entry are just too high, or the expected return is just too low for anyone else to compete.

    • Re: (Score:3, Informative)

      by Anonymous Coward

      Not really on topic, but the original form of Obama care allowed people to buy insurance from the government, it's the republicans that required that that be dropped, and that people be required to buy from a for-profit company.

    • CMMI is going from a federally funded entity, aka a cost center, to a profit center. Instead of being supported by taxes it earns its own keep. And how is this bad?

      Only in the context of Obamacare. Did we not have the argument to privatize NASA? It was terribly argued, but there were good points made. When you put it as it is in tfs, it sounds horrible. Saying it is privatized sounds way better.

      And Obamacare was poor legislation all the way through, to the point that supporters didn't know what they were ge

  • Proof! (Score:5, Insightful)

    by Cornwallis ( 1188489 ) on Monday December 30, 2013 @07:31PM (#45823401)

    That CGI "achieved the highest possible Capability Maturity Model Integration (CMMI) level for development certification..." more than proves that the entire model is useless!

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      I've learned that to get successful software, you simply cannot do things "by the book". That's why Skunkworks projects happened, exactly BECAUSE if you go "by the book" (or "follow the process") stuff just won't get done, or will get semi-done spectacularly crappy.

      • by hey! ( 33014 )

        There's a big difference between people who are capable of doing things "by the book" making an informed decision not to do so, and people deciding to do things in an ad hoc manner because they can't master the "by the book" method.

        Every successful project, in my opinion, requires both discipline and risk taking; the art is knowing how much of each the project you are currently managing needs. Every project should have a bit of a stretch built into it, otherwise people get sloppy because they've become com

    • Actually, CGI has some great talent in both engineering and project management. How do I know this? Because I have worked at CGI Federal for three years now. The company's track record of successful deliveries is enviable in the Federal space. I say this based on 10+ years of experience in US Govt software development and contracting.

      Of course, none of this is relevant to the CMMI discussion. Bringing up the CGI bogeyman as a counter example to the value of CMMI is purely intellectual dishonesty and FUD-mon

    • Re:Proof! (Score:4, Insightful)

      by tricorn ( 199664 ) <sep@shout.net> on Monday December 30, 2013 @08:19PM (#45823787) Journal

      I remember working on a product produced by a company that proudly trumpeted their Six Sigma certifications. Had a problem with a board that was sold with the explicit feature of being able to do read-modify-write bus cycles on shared memory (each board had a section of on-board memory that could be shared with the other boards across multibus).

      Unfortunately, it turned out that the target board would get memory corrupted when you did that (interfered with refresh cycles, I believe it was). Once I figured out that was happening, I contacted the company.

      Six Sigma is all about repeatable and documented processes. Well, they documented it all right. They documented that they had no idea what was wrong, that the person who had designed the hardware had retired, and that they had no one there who was qualified to even understand what I was talking about. I guess since the problem with the board was repeatable, that justified their Six Sigma level! They continued selling that board, with the same claim of capability, for several more years.

      Ever since then I've had little respect for that type of certification - worried more about the proper process than about the actual results.

  • by russotto ( 537200 ) on Monday December 30, 2013 @07:35PM (#45823437) Journal

    CMMI was always SEI's way of trying to reduce programming to bricklaying (only with a lot more paperwork), leaving academics like them as the only real thinking people in the process. It can't work and will never work.

    • As part of becoming CMM 3, we had to use code reviews. We paid a shitload for some asshole who wrote a book to come in and teach us.

      "Do your review before you even make sure it will compile!" he swore. My skeptic bullshit detector went off -- transparently he was trying to amp bug find statistics to make the process look good.

      But nevermind -- he got his giant check, the ignorantly savage management had a cover story of doing a good job, and we ate a shit sandwich.

      We never did find any real bugs in the s

      • by david_thornley ( 598059 ) on Monday December 30, 2013 @08:15PM (#45823741)

        If you're not using code reviews, chances are your code sucks. I don't see any need to pay somebody big bucks to tell you that. Similarly, coding standard violations increase the chance for bugs, and it's worth making code conform.

        In my experience, with very good people, we find a lot of bugs in code review. If you're not finding bugs, either you're superhuman or you do need instruction in code review.

      • by olau ( 314197 )

        Regarding code reviews: why do you think they are about finding bugs? While you can probably discover some problems through code reviews, a far more important goal is making sure that people are not turning out shitty code that will blow up the first time someone has to do any maintenance on it. You really want to make sure that people write understandable code.

        • Code reviews are quite valuable in large scale environments where there are many experienced eyes to review new code. Put together most of those people will have seen a lot of mistakes made, so they can help avoid the same mistakes in the future. But in small, agile environments, it's not as much use.

      • by Alioth ( 221270 )

        We did CMM 3 and we never had anyone come and tell us that. We did all our code reviews after the code was at least unit tested.

        While the majority of what the reviews found was coding standard stuff (I suspect it usually is) we did have a lower defect rate on the delivered software than the industry average, and the code reviews had the side benefit that people in the team knew what each other's code did and how it worked, rather than having to try to figure it out when a crash report came in and the origin

    • Back when I actually paid attention to it, the CMMI was in levels. Level two was having procedures and sticking to them. Level three was using good software engineering techniques. Level four was measuring results in some manner, and level five was institutional commitment for improvement (and that's really hard in a large company). While I'm dubious about some of the things, it was hardly an attempt to make programmers into bricklayers.

  • "To what extent does a CMMI certification determine a successful project outcome? CGI Federal, the lead contractor at Healthcare.gov"

    Certs are next to useless in determining project outcome, all they do is generate revenue for the lawyers. How many PCI Compliant Credit Card clearing houses have been knocked off - hundreds. For a successful project what you need is a small core team of top-notch programmers. Apart from getting awarded certs can you name any large-scale projects CGI Federal worked on tha
    • Oh please. Don't fucking insult our intelligence here. You damn well know that all future devices will be PRISM compliant (brandishing logo and all) and require anyone working in IT to have a full security background check. This certification will be weighted based on party affiliation and immigration status. It also must be renewed each year with a certification cost associated with it.

      That's the future of Government controlling IT. They damn well won't allow another "Snowden" incident to occur. EVER!!!

      • I could clarify this is for the entire civilian sector. In the interest of national security and all. Can't have cyber warfare going on without our civilian cyber warriors undocumented, now will we.

        We live in such an Orwellian world now, it's not a prediction, it's tyranny right on trajectory that can be mapped out in stages!

  • CMMI is a scam (Score:5, Informative)

    by drdread66 ( 1063396 ) on Monday December 30, 2013 @07:45PM (#45823505)

    In 2005, my employer at the time decided to go for CMMI level 3 because it was required by a govt customer for their project. Certification achieved. Then in 2007 my employer opted to shoot for the moon and go for CMMI level 5. Again, certification achieved.

    Two years later I left the company, because it was clear that CMMI level 5 was going to kill the company. CMMI level 5 introduced a high level of bloat, inefficiency, process overhead, documentation requirements, and (worst of all) process rigidity and attempts to manage the development process by statistical analysis. Our delivery times more than doubled. The cost of delivering projects more than tripled. And the Holy Grail of reduced defect density? Nary a sign of such improvement. As far as I could tell, there was -zero- impact on code quality.

    Our customers started abandoning us, our reputation circled the bowl, and everyone who had any business sense left the place in droves. What was a $100M/yr contract software development house is now down to 1/4 of the staff and revenue it had in 2009, and I fully expect their parent company will close their doors this year.

    I firmly believe that CMMI Level 5 killed that company.

    • CMMI just the latest scam. I can't remember the names of all the attempts to "manage" software development that I experienced in about 30 years of it, but it was all a way to get expensive experts in expensive suits to annoy the crap out of the project and development groups. I don't know if it started in the days of Andersen Consulting (not to pick on them, but that was the period where I started to run into it). Six Sigma, anybody?

      Not really having project management is what made Healthcare.gov such a
      • So here's the part the press doesn't cover thoroughly: CGI Federal was not the Prime or Lead System Integrator on this contract. We had no authority to issue orders or assert requirements on any other contractor. Sure, CGI made some mistakes, but we can't be responsible for the other contractors when we have no contractual relationship with them!

        Testing, in particular, was something CMS reserved for themselves to manage as the LSI on the program.

        Again, I don't work for the CGI division that had the contract

    • by Stormin ( 86907 ) *

      My experience with CMMI level 5 was from a vendor with that certification providing us code years ago.

      They claimed as part of CMMI level 5 that errors would be detected at every possible point in the code. The problem was, this was applied without any thought to maintainability, nor to the fact that in certain places, if an error occurs, the implication is the system is so far gone that the error handler won't be able to run. The language was Sybase stored procedures; the below is a rough example. Their

  • .that you wrote an exam. Nothing else. However, PMI Certification is demanded in so many bloody places for no goddamned reason.

    • by rnturn ( 11092 )

      It was years ago but I seem to recall that one of the things you needed to do -- along with the normal completion of additional courses -- in order to maintain your project mgmt. certification was to promote the idea of project management certification, i.e., become a PMI evangelist. Seemed too much like a cult. (Plus I hadn't met anyone with such a certification that could manage a project worth a damn -- or at least not any better than most people without that piece of paper.) I'm sure there are some damn

  • If you're going to apply to work for the government, and be their subcontractor, it is acceptable to imagine they'll be telling you what to do in exchange for the checks they hand you. That's what the people who write the paychecks do. (In my experience)
  • by MichaelSmith ( 789609 ) on Monday December 30, 2013 @07:57PM (#45823587) Homepage Journal

    High CMMI maturity levels are really only achievable if you are in the business of mass producing something. They emphasise continuous refinement of production processes, as opposed to research and the development of totally new products. You can write procedures for R&D but they don't allow you to include steps like and then a miracle happens.

  • Meh. There are a few times when certifications are useful--certification for certain contractors makes it more likely they follow certain safety rules, but you can also deal with that just by making inspections common, cheap, and painless. For the most part, certification processes are really about excluding people from local markets--rampant protectionism by people in power. (Like any institution, you become a part of it, gain its advantages, and then it begins to seem hunky-dory, if it didn't alr

    • You're comparing institutional certification with individual certification. CMMI level 3 is an attempt to guarantee that a company uses good software engineering techniques. It's similar in concept to ISO 9001, but actually applicable to software development. It actually has some use. My experience with individual certifications in software is that they're mostly useless, and as you point out it frequently acts to reduce competition.

  • some of it is useful (Score:5, Interesting)

    by Goldsmith ( 561202 ) on Monday December 30, 2013 @08:13PM (#45823719)

    I've worked in the past as part of the DoD Acquisitions Workforce.

    CMMI is really just part of a broader obsession in DoD with project and program management. Abstractly, these are good things. When implemented correctly, they make debacles like healthcare.gov nearly impossible. Good planning, budgeting and in-progress evaluation are generally applicable to basic research projects, software development and building ships. We all want to work on projects which are well run.

    The problem is, blindly stepping through the predefined process of project management has nothing to do with actually managing a project. You still need good managers who can recognize problems in the technical fields they're working with, understand what to do when problems crop up and are empowered to act. DoD in general fools itself into thinking it has people like this because the paperwork is done right. I suspect that's a fairly common problem.

    We all know there's a problem with treating the "talent" (i.e. programmers) as interchangeable blocks using these systems. I think treating management the same way is worse. The ideas that management is mastery of a process and operates solely for organizational interest over individual interest are flawed, but central to things like CMMI.

  • I really love to watch programming by contract systems fall flat on their face. First they write a huge specification for what a bid will look like. Then in the bid they write a huge specification for the bid which is a bid to write a specification. Then when they start the project they write one last specification that lays out in extreme detail what they are going to build. This is then signed off on and finally they start to build something huge.

    But the entire process is not focusing on sorting out th
    • Yes, I have been there, on both sides actually LOL. Sometimes the business actually REQUIRES some sort of bid document and generally it is safer to propose the preliminary design phase before committing to the rest of it, as one generally does not know what is involved before actually finding out what is needed. That is, asking over and over again, what do you need to know and when do you need to know it? Anything bigger than a breadbox requires a bit of planning.

      The point is not that you have to produc
  • by Guillermito ( 187510 ) on Monday December 30, 2013 @08:18PM (#45823777) Homepage

    I live in Argentina, where any software company getting a CMMI certification can apply for a tax cut. Because of that, CMMI was all the rage around eight years ago or so. Turns out CMMI was so utterly useless and cumbersome that at this point most companies prefer to forget about the tax cuts rather than bother with being CMMI certified. Only companies seeking government contracts continue doing so.

  • Yet another dog bites man story. Government requirements often mandate testing and certification by third parties. For example, FCC emissions testing.
  • There is no sense, no reason to it. If you are not prepared to cynical up and drain the public trough to enrich yourself providing no public benefit whatsoever, stay away from federal contracting. Far away. They are quite dangerous to the naively sincere.
  • http://en.wikipedia.org/wiki/Capability_Immaturity_Model [wikipedia.org]

    Reading that made me cry, for the wasted years of my youth.

    If you are there, quit now, it's not worth it.

  • It's a joke (Score:2, Insightful)

    by Anonymous Coward

    I have 30 years IT experience, last 15 as "design lead". Big projects, small projects, lots of programming.

    My company bought in IBM on a project, and I was told I was going to be working under a "Certified Master Architect". Great! This was going to be great learning experience, right?

    Day 1, in walks this 22 year old kid, freshly graduated. And, by virtue of the fact that IBM corporate had some certification, all their designated architects automatically became "Certified Master Architects".

  • http://it.slashdot.org/story/13/12/30/1646227/the-startling-array-of-hacking-tools-in-nsas-armory [slashdot.org]

    US "Requirement"?

    This is a joke, right?

    You have lost your moral high ground. You are not in a position anymore to demand or require anything from other people or other countries. And this includes certain western european countries as well.

  • It should be noted that a CMMI maturity level designation is not a certification. It may help to have some CMMI appraisal team experience to understand it (I do), but the designation is the result of an organization's self-assessment based on an appraisal model (SCAMPI) developed by SEI/CMMI Institute. When a company claims a certain maturity level, CMMI Institute does not say "we certify this organization (or organizational unit) is CMMI maturity level n." CMMI Institute says "based on our review of the

  • ... is fully state certified.

    Your honor, the prosecution rests.
