Part One: Common Challenges for Implementing ISO/CMMI in a U.S. Government Contractor Environment
This article is the first of a five-part information series on implementing ISO standards and the CMMI model in a U.S. government contractor environment. This installment highlights common issues and misconceptions about ISO and CMMI. While this post is high-level, subsequent installments of this series will dive into deeper issues germane to various implementation scenarios.
Common Issues and Misconceptions
In this installment, we will dive into three broad categories of common issues and misconceptions, offering straightforward solutions to addressing them:
- Planning, Level of Effort, and Complexity
- System Scoping
- Business Integration
Planning, Level of Effort, and Complexity Issues
While some organizations organically choose to implement ISO or CMMI, many government contractors seek certification because it's required in order to bid on work, or because they believe it will offer them a business discriminator. The former is especially common for small businesses trying to move into prime contractor roles. In doing so the discover that most large GWAC and IDIQ vehicles either require one or both qualifications or offer additional incentives (points) for having them.
The idea of ISO or CMMI as a business discriminator is a tricky one. For many organizations, from a business development perspective, it's just an empty promise. The reality is that having the ISO or CMMI flag does not necessarily discriminate you from your competition. The qualification rather serves as a ticket to play in the U.S. government contractor environment and generally represents a checkbox required to bid on larger procurement. In other words, it serves as a gatekeeper.
That being the case, it's not a surprise that the business need for these qualifications often originates through the business development channel. The challenge is in the timing expectations for the external validations. Think about the number of times this been said in your organization: “We need this [ISO or CMMI] for a proposal that’s due in a month.” Or maybe this one, “We have ISO 9000 and want to add CMMI. We can do that in a couple of weeks, right?” At i3 Design and Consulting we specialize in helping organizations achieve their process improvement goals in record time. Most implementations don't need to take nine to twelve months to implement, but they need more than a month. If you're an organization that requires an ISO or CMMI implementation, you should be planning no less than three months in advance and if possible begin your implementation four to six months ahead of your deadlines. The driving factors in scoping the timing include the following:
- Type of required certification.
- ISO 9000 is the quickest and easiest to achieve. Putting the system in place can often take as little a three to four weeks (depending on size and complexity), but you will need some objective evidence that the system is operating as intended. For simple systems, this can be as little as two to three months. Other more complex systems will require more time to instantiate and prove use.
- CMMI for Development (Level 3 or higher) will be the longest implementation because there are simply more requirements to implement and your organization is going to have to generate the appropriate data artifacts to satisfy the appraisal requirements. For planning purposes, you should allow four to six months for a CMMI implementation. More complex implementations will add to that estimate.
- ISO 20000 and 27000 will require somewhere in the middle but is generally achieved within three to five months with a qualified consultant.
- Scheduling Auditors and Appraisers. Qualified auditors and appraisers can be a scarcity depending on the specific model or standard. There are firms that will promise an ISO 9000 (or other) certification but are not qualified registrars. For certification to be considered legitimate for government proposals, you need to make sure the entity is approved by ANSI-ASQ National Accreditation Board (ANAB).
- ISO 9000 external auditors are the easiest to find and schedule. Scheduling is done through the qualified registrars. ISO uses a two-stage audit process with an on-site readiness review followed by the certification audit. There generally needs to be at least 30 days between these events. At a minimum, you should have your auditor under contract 60 days from the certification audit date.
- ISO 20000/27000 use the same two-step audit process as ISO 9000. However, due to the scarcity of qualified ISO 20000/27000 auditors, you should minimally plan to have your auditor under contract at least 90 days from the certification audit date.
- CMMI (Development or Services) uses independent appraisers to provide recommendations for a staged or capability-based rating. It is not uncommon for the schedules for the better and more experienced appraisers to fill up six to nine months in advance. Finding an appropriate appraiser should be one of the first steps in your implementation plan. Otherwise, it will quickly become the key dependency on your critical path.
- Registrar and CMMI Institute Quality Review. Once the audit or appraisal is complete, the results must be validated by the registrar (ISO) or the CMMI Institute (CMMI) before the organization officially can claim its qualification. The CMMI Institute in particular has strict rules around public release of declarations before final review approval that could invalidate your results, leading to a redo the appraisal process. Though they are often completed faster, you should set aside two to three weeks for these reviews.
System Scoping
Understanding your work is critical to the types of appropriate external qualifications and process solution that will meet your organizational business needs while adding downstream value. Many government contractors run amok trying to align their process solutions to their marketing approaches. This is especially true for contractors that provide staffing resources to the government. Many market themselves as software development companies, or as technical service providers such as IT or cyber. In reality, they provide IT, Cyber, and development support as on-site contractors to the government.
So why does this matter in ISO and CMMI implementations? The processes used to do the technical work are not the contractors, but rather the customer’s processes. In these instances, the contractor’s ISO or CMMI system should focus on how to handle work submissions, hiring, onboarding, status reporting, invoicing, and the overall management of on-site personnel. Once the organization wraps its head around these scoping issues they often (and correctly) discover that the real value of their ISO/CMMI investment comes from enabling operational consistency and offering opportunities for cost savings.
Business Integration
ISO and CMMI implementations are an organizational investment and often have measurable costs associated with them. While many organizations will meet a business development need, the successful ones quickly transform the objectives of their investment to focus on the question, “How can we use this as an opportunity to make us more efficient and effective?” At i3, one of the first things we help the customer do is realize that they aren't building a quality system, they're building new and more efficient business systems that also meet the quality requirements associated with external validations. your ISO/CMMI implementation should focus on improving how you do business and should not be developed as a separate project or system operating outside of the normal business processes. Simply put, your new operational processes should be “how we do business.”
Almost every quality professional, when asked the keys to a successful implementation, will respond with Executive leadership support. This is absolutely true, but often not in the ways most people believe. Leadership support is required to ensure that the organizational investment in ISO and CMMI is not solely a quality initiative, but rather a business initiative to improve organization performance. Building the quality system or leaving it to operate outside of the normal business function (aka, leaving it solely to the Quality Group) will keep it from achieving the return on investment, or cause it to fail. It's the leadership's job to ensure that the necessary organizational process integration occurs and keeps the focus on improving business performance.
Informational Series
Over the next few weeks, this informational series will explore details of various implementation scenarios and the unique challenges of implementation in the U.S. contractor environment. Stay tuned for the next installments in this series:
- Part One: Common Challenges for Implementing in a U.S. Government Contractor Environment.
- Part Two: Implementing ISO and CMMI for Staffing Services Contractors
- Part Three: Implementing CMMI and Government Requirements in an Agile Development Shop
- Part Four: Leveraging ISO 27000 to Address FISMA and NIST 800-53 Cyber Security Requirements
- Part Five: Implementing ISO 20000 as a Practical Path to Address Government ITIL Implementation Requirements
About i3 Design and Consulting LLC
i3 Design and Consulting LLC is a boutique Information Technology, process consulting, and products firm headquartered in Leesburg, Virginia. Our company is defined by its deep content knowledge of its staff and partners. We bring twenty years of information technology and business process improvement knowledge to the table, with a record of success producing business value, increasing operational efficiency through IT innovation and process improvement, and driving customer focused service excellence. i3 provides consulting support to senior executives, as well as, leadership to transition organizations to the next level by transforming business processes and improving growth, margin, customer engagement, IT, and quality.