2.5.1. The project shall ensure that software is acquired, developed, and maintained by an organization with a non-expired Capability Maturity Model Integration for Development (CMMI-DEV) rating as measured by a Software Engineering Institute (SEI) authorized or certified lead appraiser as follows: For Class A software: CMMI-DEV Maturity Level 3 Rating or higher for software, or CMMI-DEV Capability Level 3 Rating or higher in all CMMI-DEV Maturity Level 2 and 3 process areas for software. For Class B software: CMMI-DEV Maturity Level 2 Rating or higher for software, or CMMI-DEV Capability Level 2 Rating or higher for software in the following process areas: a. Requirements Management. For Class C software: The required CMMI-DEV Maturity Level for Class C software will be defined per Center or project requirements. Organizations who have completed Standard CMMI Appraisal Method for Process Improvement (SCAMPISM) Class A appraisals against the CMMI-DEV model are to maintain their rating and have their results posted on the SEI Web site so that NASA can assess the current maturity/capability rating. Software development organizations need to be reappraised and keep an active appraisal rating posted on the SEI Web site during the time that they are responsible for the development and maintenance of the software. For Class A software development only, a transition period to obtain a CMMI-DEV Maturity/Capability Level 3 Rating will be allowed for organizations developing Class A software per the NASA Headquarters' Office of the Chief Engineer's approved Center Software Engineering Improvement Plan as described in SWE-003, SWE-004, and SWE-108. For Class B software, in lieu of a CMMI rating by a development organization, the project will conduct an evaluation, performed by a qualified evaluator selected by the Center Engineering Technical Authority, of the seven process areas listed in SWE-032 and mitigate any risk, if deficient. This exception is intended to be used in those cases in which NASA wishes to purchase a product from the "best of class provider," but the best of class provider does not have the required CMMI rating. When this exception is exercised, the Center Engineering Technical Authority should be notified. Implementation Notes from Appendix D of NPR 7150.2, NASA Software Engineering Requirements, include the following additional information: (SWEHB Editor note: Class B entry includes "Note 1," which duplicates the text provided in the previous section.) Class C is labeled with "P (Center)." This means that an approved Center-defined process that meets a non-empty subset of the full requirement can be used to achieve this requirement. "Note 1" can also be applied to the implementation of Class C software for this requirement. Class A_SC A_NSC B_SC B_NSC C_SC C_NSC D_SC D_NSC E_SC E_NSC F G H Applicable? X X P(C) P(C) Key: A_SC = Class A Software, Safety-Critical | A_NSC = Class A Software, Not Safety-Critical | ... | - Applicable | - Not Applicable The CMMI requirement is a qualifying requirement. The requirement is included to make sure NASA projects are supported by software development organization(s) having the necessary skills and processes in place to produce reliable products within cost and schedule estimates. This requirement provides NASA with a methodology to: The Capability Maturity Model (CMM) and CMMI-DEV is an internationally used framework for process improvement in development organizations. It is an organized collection of best practices and proven processes that thousands of software organizations have both used and been appraised against for over the past two decades. CMMI defines practices that businesses have implemented on their way to success. Practices cover topics that include eliciting and managing requirements, decision making, measuring performance, planning work, handling risks, and more. Using these practices, NASA can improve NASA software projects' chances of mission success. CMMI ratings can cover a team, a work group, a project, a division, or an entire organization. When evaluating software suppliers, it's important to make sure that the specific organization doing the software work on the project has the cited rating (as some parts of a company may be rated while others are not). Benefits of using CMMI include: The first Software CMM* Level 5 project was the supplier and maintainer of flight software for NASA's Space Transport System (Shuttle) in 1989. Since NASA's adoption of the CMMI framework for software development, CMMI has been widely used at NASA Centers as well as the Agency's contractor community. Carnegie Mellon University's Software Engineering Institute is the steward of CMMI which was developed under Department of Defense funding. It's important to note that for SWE-032, a CMMI-DEV rating is an organizational qualifier to acquire, develop, or maintain software for or by NASA for Classes A, B, and C. Many of the requirements in NPR 7150.2 are consistent with the established process areas in the CMMI-DEV framework. The CMMI-DEV rating as well as consistent NPR 7150.2 requirements are both needed to ensure that organizations have demonstrated the capability to perform key software engineering processes and have a binding agreement to continue to execute key software engineering processes during the development of NASA's most critical software systems. This requirement applies to both Safety Critical as well as Not Safety-Critical software in Classes A, B, and C. It is recommended that projects check the status of the software development or maintenance organization's CMMI rating at each major project life cycle review to ensure continued compliance and to identify potential risk areas in the software processes. A "check" can easily be done via the Software Engineering Institute's Published Appraisals website 457. General Software Acquisition Guidance: The content of the supplier agreement is critical to the acquisition of any software, including software embedded in a delivered system. In addition to the CMMI Maturity Level requirements placed on the supplier by SWE-032, the supplier agreement must also specify compliance with the software contract requirements identified in NPR 7150.2. The creation and negotiation of any supplier agreement involving software needs to include representatives from the Center's software engineering and software assurance organizations to ensure that the software requirements are represented in the acquisition agreement(s). The agreements clearly identify the following aspects of the acquisition: Representatives from the Center's software engineering and assurance organizations must evaluate all software-related contract deliverables prior to acceptance by the Project. The deliverables must be evaluated for: Class A software – If you acquire, develop or maintain Class A software the organization performing the functions is required to have a non-expired CMMI-DEV Level 3 or higher rating. Class A software acquisition guidance – To ensure that the solicitation, contract, and delivered products meet the requirements of this NPR, the Project's acquisition team must be supported by representatives from a software engineering and software assurance organization that is either rated at CMMI-DEV Maturity Level 3 or higher or rated at CMMI-DEV Capability Level 3 in at least the process areas of Supplier Agreement Management and Process and Product Quality Assurance. This support may be in the form of direct involvement in the development of supplier agreements or review and approval of these agreements. The support must also include review and approval of any software-related contract deliverables. The extent of the CMMI-DEV Level 3 rated organization's support required for a Class A acquisition can be determined by the Center's Engineering Technical Authority responsible for the project. Identification of the appropriate personnel from a organization that has been rated at a CMMI-DEV Level 3 or higher (see description in previous paragraph) to support the Project acquisition team is the responsibility of the designated Center Engineering Technical Authority and Center Management. The Center Engineering Technical Authority has the responsibilities for ensuring that the appropriate and required NASA Software Engineering requirements are included in an acquisition. For those cases in which a Center or project desires a general exclusion from the NASA Software Engineering requirement(s) in this NPR or desires to generically apply specific alternate requirements that do not meet or exceed the requirements of this NPR, the requester can submit a waiver for those exclusions or alternate requirements for approval by the NASA Headquarters' Chief Engineer with appropriate justification (see SWE-120). Class A software development or maintenance guidance - The software organizations that directly develop or maintain Class A software are required to have a valid CMMI-DEV Level 3 or higher rating for the organization performing the activities. Support contracts supporting NASA in-house software development organizations can be included in the NASA organizational assessments. Project contractors and subcontractors performing Class A software development are required to have their own CMMI-DEV Level 3 rating. It is important for NASA and primes to pass this requirement down in contracts to ensure all subcontractors have the necessary CMMI-DEV rating. The CMMI-DEV Level 3 rating is to be maintained throughout the project's development or maintenance period. NASA requests organizations' CMMI ratings be posted on the SEI website 327. SEI vets the validity of the CMMI appraisals on this list and assures the rating hasn't expired (as of this writing CMMI ratings are valid for a 3 year period). In rare instances (rating earned in a classified environment) an organization may have a current CMMI-DEV rating, but it doesn't appear on the SEI website. In these cases the supplier's claim can be directly checked with SEI. Class B software - CMMI-DEV Maturity Level 2 Rating or higher for software, or CMMI-DEV Capability Level 2 Rating or higher for software in the following process areas: a. Requirements Management. b. Configuration Management. c. Process and Product Quality Assurance. d. Measurement and Analysis. e. Project Planning. f. Project Monitoring and Control. g. Supplier Agreement Management (if applicable). Class B software acquisition guidance - To ensure that the solicitation, contract, and delivered products meet the requirements of this NPR, the Project's acquisition team must be supported by representatives from a software engineering and software assurance organization that is either rated at CMMI-DEV Maturity Level 2 or higher or rated at CMMI-DEV Capability Level 2 in at least the process areas of Supplier Agreement Management and Process and Product Quality Assurance. This support may be in the form of direct involvement in the development of supplier agreements or review and approval of these agreements. The support must also include review and approval of any software-related contract deliverables. The Center Engineering Technical Authority responsible for the project determines the extent of the CMMI-DEV Level 2 rated organization's support required (see description in previous paragraph) for a Class B acquisition. Identification of the appropriate personnel from a organization that has been rated at a CMMI-DEV Level 2 or higher to support the Project acquisition team is the responsibility of the designated Center Engineering Technical Authority and Center Management. The Center Engineering Technical Authority has the responsibilities for ensuring that the appropriate and required NASA Software Engineering requirements are included in an acquisition. For those cases in which a Center or project desires a general exclusion from the NASA Software Engineering requirement(s) in this NPR or desires to generically apply specific alternate requirements that do not meet or exceed the requirements of this NPR, the requester can submit a waiver for those exclusions or alternate requirements for approval by the NASA Headquarters' Chief Engineer with appropriate justification (see SWE-120). Class B software development or maintenance guidance - The software organizations that directly develop or maintain Class B software are required to have a valid CMMI-DEV Level 2 or higher rating (via a Continuous or Staged representation) for the organization performing the activities. Support contracts supporting NASA in-house software development organizations can be included in the NASA organizational assessments. Project contractors and subcontractors performing Class B software development are required to have their own CMMI-DEV Level 2 or higher rating. The CMMI-DEV Level 2 maintains an active rating during the development or maintenance period. The rating is to be posted on the SEI website 327. Guidance on the exception for Class B software development and maintenance - If this option is used, the project is responsible for funding the evaluation and for addressing any all risks that are identified during the evaluation. A SCAMPI (Standard CMMI Appraisal Method for Process Improvement) B or SCAMPI C appraisal across the listed process areas in this requirement is one method for conducting this evaluation. The Center Engineering Technical Authority is responsible for maintaining all records associated with the evaluation for the life of the project. The decision on participators in the evaluation process is determined by the responsible Center Engineering Technical Authority on the project. Recommended guidance is that the "qualified evaluator" has demonstrated experience on a SCAMPI A appraisal or training, such as CMMI Practitioner Level 2 training. Completion of an introduction to CMMI training course must not be the only criteria used in the selection. Class C software -The required CMMI-DEV Level for Class C software will be defined per Center/project requirements. Class C software acquisition guidance – Center level directives provide information on how to satisfy " P (Center)" requirements for SWE-032 for Class C software. In the case of the Project acquiring a system that includes Class C software, it is recommended that the solicitation, contract, and delivered products meet the requirements of this NPR. The Project's acquisition team is to be supported by representatives from a software engineering and software assurance organization that is either rated at CMMI-DEV Maturity Level 2 or higher or rated at CMMI-DEV Capability Level 2 in at least the process areas of Supplier Agreement Management and Process and Product Quality Assurance. The Center decides the extent and evidence required to show that personnel in a CMMI-DEV Level 2 rated organization have participated in the acquisition activities. The extent of the CMMI-DEV Level 2 rated organization support required for a Class C acquisition is determined by the Center Engineering Technical Authority responsible for the project. If a Center does not have any CMMI-DEV Level 2 rated organizations, then the acquisition team can be supported by software engineers knowledgeable of the CMMI-DEV software development practices. Identification of the appropriate personnel that are knowledgeable of the CMMI-DEV software development practices to support the Project acquisition team is the responsibility of the designated Center Engineering Technical Authority and Center Management. The Center Engineering Technical Authority has the responsibilities for ensuring that the appropriate and required NASA Software Engineering requirements are included in an acquisition. For those cases in which a Center or project desires a general exclusion from the NASA Software Engineering requirement(s) in this NPR or desires to generically apply specific alternate requirements that do not meet or exceed the requirements of this NPR, the requester can submit a waiver for those exclusions or alternate requirements for approval by the NASA Headquarters' Chief Engineer with appropriate justification (see SWE-120). Class C software development or maintenance guidance – Recommended practice is that all software organizations that directly develop or maintain Class C software have a valid CMMI-DEV Level 2 rating for the organization performing the activities. Support contracts supporting NASA in-house software development organizations can be included in the NASA organizational assessments. Project contractors and subcontractors performing Class C software development are required to have their own CMMI-DEV Level/Capability rating consistent with Center/project requirements. These organizations are to maintain software process areas as well as an active CMMI-DEV rating during the development or maintenance period. The rating is to be posted on the SEI website 327. If a Center does not have a CMMI-DEV Level 2 rated organization, then the development and or maintenance team can be supported by a software engineer who has at a minimum completed the CMMI Practitioner Level 2 training and is knowledgeable of the CMMI-DEV software development practices. The level of support required is based on project risk and is determined by the Center Technical Authority responsible for the software activities. National Defense Industrial Association (NDIA) CMMI Working Group conducted a study on the use of CMMI-DEV within Small Businesses in 2010 158. One of the counter-intuitive findings was that the "Perceptions that CMMI is too burdensome for small businesses is not supported by data on CMMI-DEV adoption". Significant numbers of organizations in the 1-20 employees range adopted and achieved CMMI Level ratings. Small projects are expected to take advantage of Agency, Center, and/or organizational assets. Tools to aid in compliance with this SWE, if any, may be found in the Tools Library in the NASA Engineering Network (NEN). NASA users find this in the Tools Library in the Software Processes Across NASA (SPAN) site of the Software Engineering Community in NEN. The list is informational only and does not represent an “approved tool list”, nor does it represent an endorsement of any particular tool. The purpose is to provide examples of tools being used across the Agency and to help projects and centers decide what tools to consider. A documented lesson from the NASA Lessons Learned database notes the following: Acquisition Philosophy and Mechanism. Lesson Number 1414: "Since the procurement's goal is to minimize the time from start to finish, part of its philosophy is to instill efficiency into the Contractor-Government roles and relationships. Thus, it becomes paramount during the selection process to ensure that the Contractor's processes, procedures, and tools are adequate (as based on some established criteria such as ISO 9001 and/or CMMI) to allow the Government to take a 'hands-off' approach during implementation. Also, any criteria to be used to verify/validate and or assess the Contractor's work after contract award must be consistent and compatible with the performance criteria levied on the Contractor." 553 As part of its annual review, the Aerospace Advisory Panel included this finding in the Computer Hardware/Software section of its Annual Report for 2000: "NASA has initiated plans to have its critical systems processes evaluated according to the Capability Maturity Model (CMM) of the Software Engineering Institute and to work toward increasing the CMM level of its critical systems processes." 422
See edit history of this section
Post feedback on this section
1. Requirements
b. Configuration Management.
c. Process and Product Quality Assurance.
d. Measurement and Analysis.
e. Project Planning.
f. Project Monitoring and Control.
g. Supplier Agreement Management (if applicable).1.1 Notes
1.2 Applicability Across Classes
X - Applicable with details, read above for more | P(C) - P(Center), follow center requirements or procedures2. Rationale
3. Guidance
4. Small Projects
5. Resources
5.1 Tools
6. Lessons Learned
Additional CMM/CMMI Lessons Learned by NASA associated with implementing and maintaining this requirement are:
SWE-032 - CMMI Levels for Class A, B, and C Software
Web Resources
View this section on the websiteUnknown macro: {page-info}