When done correctly, CMM is a costly, time-consuming effort. The average time for a company to move from Level 1 to Level 5 is seven years, and the expense of building a really robust, repeatable software development process with project and metric tracking is many times the cost of a CMM assessment (which alone costs about $100,000). For small companies short on funds and staff, or startups, forgoing business while building a software process capable of receiving a Level 5 assessment may seem more risky than fudging a number?especially when your customers don’t know enough to ask about it. And mature companies that already have a high CMM level may not want to risk the disruption, cost and potential disappointment of getting assessed again regularly.

Officials at the SEI deny that companies are exaggerating or lying about their CMM claims.

"There is no one who will declare ’We are CMM Level 3 as an organization,’" says the SEI’s Douglass. "They’ll say they are Level 3 in this development center or that product group."

Not true. A quick Nexis search revealed four companies?Cognizant, Patni, Satyam and Zensar?claiming "enterprise CMM 5," with no explanation of where the assessments were conducted or how many projects were assessed, or by whom. Dozens more companies trumpet their CMM levels with little or no explanation.

Indeed, all of the services companies we interviewed for this story claimed that their CMM assessments applied across the company when in fact only 10 percent to 30 percent of their projects were assessed. That’s partly because experts say that assessing every project at a big company would be too unwieldy and expensive.

Yet few of those same experts support the idea that assessing a 10 percent slice of projects?even those considered to be representative of all the different types of work a company does?should lead to claims of "enterprisewide CMM." Vendors argue that there is logic behind these claims. The higher CMM levels (3 and above) require that a company have a centralized process for software development and project tracking, among other things. Since everyone across the company is supposed to use that same process that was used in the projects that were assessed at Level 5, for example, all projects across the company can be assumed to be at Level 5.

But as soon as you dig beneath the surface, the logic falls apart. The process may have changed completely since the assessment was performed. Indeed, Indian services companies in particular, where the most CMM Level 5 assessments have been reported, are growing so quickly?some adding as many as 50 to 60 new developers a week?that avoiding change is nearly impossible. The company also may have changed the types of work it does and perhaps acquired other companies along the way that were not assessed at any level. And if the company does not have an excellent training program for all its project managers and developers?so they can work at the same level as those in the projects that were assessed?the assessment means little.