Integrating ISO Standards and CMMI for Government Contracts

Most government and defense contracts require technology service providers to have some type of ISO certificate and CMMI maturity level 3. These requirements sound very simple; however, implementation is quite complex. There are three ISO standards and two different versions of the CMMI model that apply to technology companies. This has become a challenge for small and medium-sized companies.

The three ISO standards required in government contracts are ISO 9001 (an all-purpose quality management system), ISO 20000 (IT service management) and ISO 27001 (information security management). The two CMMI variants are CMMI (DEV), designed for software and systems development, and CMMI (SVC), designed for services.

The solution to this model quagmire depends on two factors. (1) Select the CMMI model/ISO standard that is relevant to your business. If your organization is not delivering IT services, you should not try to implement ISO 20000 and CMMI (SVC). Similarly, if you are not developing systems or software, you should not try to implement CMMI (DEV). Having more certificates does not give you an edge over your competitors unless those certificates are relevant to your business. (2) Never try to maintain ISO and CMMI as two separate systems. This would create an unnecessary overload for your organization.

Let’s talk about the basic concept of integration. ISO 9001 is an excellent standard that creates the foundation of your organization’s Quality Management System (QMS), i.e., organizational policies, management commitment, management reviews, roles and responsibilities, documentation structure and main procedures. CMMI generic goals will be satisfied by the same policies, senior management commitment and management reviews. Of course, CMMI requires additional procedures, but those procedures will fit into the documentation structure created by the QMS. I recommend that you plan carefully when defining documentation structure and process architecture if you plan to implement multiple models and standards. There are no conflicting requirements between ISO 9001 and CMMI (DEV and SVC).

I’d like to discuss more specific elements of integration in my next post. Please keep reading.