Get your ducks in a row

A cursory glance at information about technology
quality certifications reveals a bewildering
array of cryptic acronyms and numbers. A
casual reader can be forgiven for not knowing
ISO from CMMI from ITIL. But to contractors
and agencies, the certifications denote specific
accomplishments in implementing
methodical, disciplined processes.

To attain certifications, an organization
must establish the practices required to meet
the desired designation and then submit to an
audit, often from a private company whose
business it is to conduct such assessments. The
process can be difficult and almost certainly
will be costly, but it will pay off in increased
ability to win contracts, say business leaders
who have been through it.

"People come on site and they live with you
for a while," said David E. Bower, president and
chief operating officer of Data Computer Corp.
of America, a systems and software engineering
company in Ellicott City, Md. "You have to
make people available to them to interview. If
you say your processes have been institutionalized,
those people they talk to should understand
what those processes are."

Carnegie Mellon University's Software
Engineering Institute (SEI) developed the
Capability Maturity Model Integration
(CMMI) in 2001, as a blending of earlier CMM
models for software engineering, systems engineering,
software acquisition and related disciplines.
DCCA earned a CMMI Level 2 in 2004,
and a Level 3 in 2007.

The company probably will try to earn a
Level 4 rating ? CMMI Level 5 is the highest
possible ? and Bower is concentrating on laying
the groundwork that may ultimately
make that possible.

"It is a grueling effort to go from [CMMI
Level] 2 to 3," Bower said. "Some may say it's
easier to go from 3 to 4. We're institutionalizing
and continually improving on our processes
and looking at how we might improve those
processes to get to Level 4. At some point, we
may try to get an assessment."

A CRUCIAL INVESTMENT

Earning certifications is costly and time-consuming,
but companies cannot avoid making
the investment and expect to remain competitive,
said Thomas Asefi, president of Global
Analytic IT Services (GAITS) in Alexandria, Va.
The certifications themselves are just the
outward sign of the company's internal
quality, he said. "Once you have that in
place, the company will sell itself. The customer
more and more is looking for
processes that can be incorporated into the
[company's] environment."

GAITS recently earned International Standards Organization 20000-1:2005 certification, developed by ISO, which pertains to processes
for information technology service management.
The standard is closely aligned with the
best practices outlined in the IT Infrastructure
Library (ITIL) and replaces BS 15000, a British
standard also based on ITIL.

The company also holds ISO 9001:2000 certification,
which covers quality control systems
in production environments. GAITS is working
to earn an ISO 27000 certification for information
security. In 2006, it earned a CMMI Level
2 rating.

Robert Frey, a principal at Successful
Proposal Strategies LLC and an adviser to
GAITS, said agency solicitations are increasingly
likely to specify minimum certifications they
want their contractors to have. The trend is tied
to performance-based contracting, which holds
contractors accountable for meeting agency
needs.

The various certifications "give the federal
customer a much greater level of confidence
that contractors can perform to acceptable levels of quality," he said. "It's an important
credential for a company to be able to offer a
government customer that kind of external
accreditation."

However, the cost and commitment of
resources involved can be difficult for smaller
companies to meet because they usually have
limited means. Nevertheless, Frey said, it's vital
that they incorporate appropriate certifications
into their strategic plans.

"I would wager that many of them don't have
a strategic plan," he said. "They're worried about
how to get through next Tuesday. My advice
would be to do a certain amount of strategic
planning. There are all sorts of things the government
customer needs to see [in a potential
contractor]. They would be ignoring these credentials
at their peril."

Past performance still counts a lot when
agencies choose contractors, and a company
with a record of good performance can outcompete
one with a certification or two but little
experience ? if the agency's solicitation
doesn't explicitly require certain certifications,
Frey said. If the certification is required, "your
competitor without them is not even likely to
make the competitive range."

MATCH TO THE DOMAIN

Ruth Buys, vice president of process and
quality management at QinetiQ North
America's IT Services Group, said it's important
for companies to determine the most
useful certifications to pursue. Certifications
and ratings do not always apply to an entire
company. Often, a single business unit will
pursue credentials that are specific to the
unit's activities.

"The domain you're looking at tends to
drive the certification rating or standard you
go after," she said. "At ITSG, we have organizational
units that focus on infrastructure support.
Many times those units will go after ISO
or ITIL certification. Those areas involved in
software development will go after CMMI."

Coordinating the credentials with the company's
overall strategy is important, she said,
but it tends to happen automatically because
of the necessary management involvement in
the process.

The company's business development team
has "a vested interest in being able to offer the
best picture to a procuring organization that
they can," she said. "On the other hand, going
after one of these ratings really requires commitment
from senior management. You can't
get these ratings without being able to
demonstrate that senior management is
involved."

Once the company has the credential, it
falls to proposal writers to make the best use
of it for competition, she said.

"One thing I've found that appears to be
successful is if you can show how the reason
you got the certification reflects the way you
do business ? not something just to hang on
the wall, but the way we do business," she said.
"That adds a lot of credibility and helps them
believe that this really is internalized."

Companies should allow adequate time to
put the needed processes into place, get their
employees comfortable and familiar with
them and have the needed external assessments,
she advised.

"For CMMI, the SEI has some standard
times that they tell you," she said. "Level 2
takes approximately 24 months. To go to
Level 3 is another 18 to 24 months, and so on
through levels 4 and 5. A lot of companies are
doing a lot of good things anyway, and insofar
as they can leverage that, they can cut the time
significantly. But my experience is that doing
it in less than a year is very unusual if it's done
at all."

Management support is also important
after the certification is awarded and not just
because companies have to renew their certifications
periodically, Bower said. Management
support makes it clear to employees that the
quality processes are not just window-dressing
for procurement officials.

"What needs to happen in any organization
that has a CMMI certification is an understanding
that the senior executives within the
organization see the value," Bower said. "That
needs to flow down through the whole enterprise,
so that everyone in the organization sees
the value."

Michael Hardy (mhardy@1105govinfo.com) is an
associate editor at Washington Technology.