In software outsourcing, you may notice that some providers state “CMMI Level 3” or “CMMI Level 5” directly on their websites or in their proposals. The immediate questions are “What is the CMMI standard?”, “How is it different from ISO?”, and “Does it really affect the quality of the software a business receives?”
The answer is YES, and the impact is significant. Let’s explore this standard in more depth with NLT Group in the article below!
What is the CMMI standard?
CMMI (Capability Maturity Model Integration) is a model for assessing the maturity of software development processes, originally developed by the Software Engineering Institute (SEI) of the United States and currently managed by ISACA.

This standard does not certify products, nor does it certify individuals. It certifies that a software company has a standardized, well-controlled, and continuously improved process system, covering project management, internal communication, as well as system operation and maintenance.
How many levels does the CMMI standard have?
Currently, the CMMI model is divided into five maturity levels:
| Level | Name | Meaning |
| 1 | Initial | No standardized processes; work is ad hoc and depends heavily on individuals |
| 2 | Managed | Basic project management processes are in place but not yet optimized |
| 3 | Defined | Processes are standardized, documented, and applied across the entire company |
| 4 | Quantitatively Managed | Processes are measured using specific data and controlled through quantitative metrics |
| 5 | Optimizing | Continuous improvement based on feedback and measured data |
In Vietnam, most companies holding CMMI certification are at Level 3 or Level 5, the highest maturity level.
Why should Vietnamese businesses pay attention to the CMMI standard when outsourcing software development?
Ensure projects are implemented with clear processes, without ambiguity
When a company achieves CMMI Level 3 or higher, businesses can be confident that:
- They have periodic reporting processes.
- They follow standardized documentation practices.
- Testing, reviews, and handover are conducted under controlled procedures.

Reduce the risk of “careless development” and compounding defects due to weak internal management
Many small companies in Vietnam operate in a “freelance-style” manner, without proper codebase management or testing checklists. The result is products delivered with numerous bugs, insufficient documentation, and systems that are difficult or impossible to maintain.
With CMMI, activities such as testing, backups, version management, repository updates, and related controls are enforced from the very beginning.

Increase the ability for long-term collaboration or future scalability
If a business plans to scale its system or raise investment, being able to demonstrate collaboration with a provider that follows CMMI-standardized processes is a significant advantage when working with investors and international clients.

How does CMMI for software development companies differ from ISO 27001 and ISO 9001?
| Standard | Primary objective | Scope of application |
| CMMI | Optimize software development processes | Project management, development, testing, and maintenance |
| ISO 27001 | Information security | Data, source code, and access rights |
| ISO 9001 | Quality management | Company-wide operations, administrative and service processes |
Many large software companies in Vietnam achieve all three certifications to provide comprehensive coverage:
- CMMI to standardize development processes.
- ISO 27001 to protect data security.
- ISO 9001 to ensure efficient business operations.
Signs that a company “does not have CMMI” or “has it in name only”
| Indicator | Actual risk |
| No technical documentation provided | System modifications later become very difficult |
| No version management process | Each change overwrites old code, causing continuous defects |
| No sprint-based demos | Only one final delivery, customers cannot track progress |
| No testing before handover | Product contains many bugs, leading to extended warranty periods or complete rewrites |
| No task management tools used | Work assigned via Zalo or Excel, tasks cannot be tracked, timelines become chaotic |
Some software outsourcing companies in Vietnam with CMMI certification
| Company name | Achieved level | Certification year | Notes |
| FPT Software | Level 5 | Since 2006 | First enterprise in Vietnam to achieve Level 5 |
| TMA Solutions | Level 5 | 2010 | Global software export provider |
| KMS Technology | Level 3 | 2021 | Focused on the U.S. market |
| NashTech Vietnam | Level 3 | — | Member of a UK-based group |
Source: Official company websites and the ISACA Global Partner Directory
Conclusion: do not just ask “how many developers do you have?”, ask “what processes ensure quality?”
In software outsourcing, developer capability matters, but process capability matters even more. CMMI is evidence that a company knows how to:
- Manage work in a structured and disciplined manner.
- Reduce system defect risks.
- Deliver products that can be maintained over the long term.

If a business does not want to pay later to fix defects, it should invest upfront in having the right process.
Frequently asked questions (FAQ)
Do companies outsourcing software have to choose a CMMI-certified provider?
No, it is not legally mandatory. However, for the following kinds of projects it is advisable to prioritize vendors certified at CMMI Level 3 or higher, to ensure end-to-end quality control throughout the project:
1. Projects with multiple phases over a long duration (3–12 months).
2. Projects that require long-term development and maintenance.
3. Projects that integrate multiple systems (ERP, CRM, APIs).
How can you tell if a company truly holds CMMI certification?
Is a higher CMMI Level always better? Which level should I choose?
A higher CMMI Level means:
1. Tighter process control.
2. Measurement and continuous process improvement (Levels 4 and 5).
However, for small and medium-sized enterprises, CMMI Level 3 is generally sufficient to ensure a structured process and stable quality. Level 5 is more suitable for large-scale, multinational, or highly complex technology projects.
How is CMMI different from Agile or Scrum? Do we need both?
1. Agile or Scrum are working methods focused on flexibility and iterative delivery.
2. CMMI is a framework for assessing, measuring, controlling, and improving processes.
A company may use Scrum to run sprints but still lack disciplined process control without CMMI. It is best to choose a provider that applies Agile practices and is certified at CMMI Level 3 or higher to optimize both delivery efficiency and output quality.
Is the cost of a CMMI-certified provider higher?
It can be higher by around 5–20%, but this comes with:
- Clear task and progress control processes.
- Complete reporting and documentation.
- Lower defect rates and shorter warranty periods.
- Easier handover and maintenance later on.
In the long run, the actual cost is lower because you do not have to pay extra for defect fixing, rework, or product restructuring.
I have already signed a contract with a provider that does not have CMMI. How can I control risk?
If a business has already signed a contract with a software outsourcing provider that does not have CMMI, it should require from the outset:
1. A Project Development Plan.
2. Mandatory progress updates by sprint or phase.
3. UI/UX approval before development and UAT testing before handover.
4. A testing checklist (test cases) and codebase management via Git.
If the provider lacks a process, the business must create its own “oversight process.” Do not fully delegate everything and simply wait for the final product.