J. Software Engineering & Applications, 2010, 3: 280-286
doi:10.4236/jsea.2010.33034 Published Online March 2010 (http://www.SciRP.org/journal/jsea)
Copyright © 2010 SciRes. JSEA
Deriving Software Acquisition Process from
Maturity Models—An Experience Report
Hussain Alfaraj, Shaowen Qin
School of Computer Science, Engineering and Mathematics, Flinders University, Adelaide, Australia.
Email: hussain.alfaraj@csem.flinders.edu.au
Received October 26th, 2009; revised December 15th, 2009; accepted December 20th, 2009.
The establishment of an existing practice scenario was an essential component in providing a basis for further research in
the area of COTS software acquisition within the organisation. This report details the identification of means of
describing the existing practice of software acquisition within an organisation and identification of models that could be
used to present this view. The chosen best practices descriptions for the idealized model were maturity models, including
SA-CMM, CMMI-ACQ, and ISO/IEC 12207. This report describes these models briefly and then describes the process of
identifying the requirements for idealizing these maturity models into process frameworks that could be identified to
actually business process models from a real organisation in order to identify gaps and optimizations within the
organisations realization of the best practices model. It also identified the next steps in identification of the theoretical
best practice framework, which will involve translation of the model to YAWL Petri nets and simulation of the process in
order to identify potential modelling flaws or issues with framework efficiency. Implications of the currently ongoing
research include the identification and correspondence of specific tasks and activities from ITIL and CoBiT frameworks
with the generic key process areas of software acquisition frameworks and identification of sufficiently detailed structural
framework models for each level in order to identify appropriate frameworks for application even in cases where these
frameworks were not explicitly identified by the organisation or the researcher.
Keywords: BPM, Workflow, Software Acquisition, Simulation, CoBiT, ITIL
1. Introduction
The researcher’s current area of focus is on the deriva-
tion of the software acquisition model in use within or-
ganisations for commercial off the shelf (COTS) software
acquisition using BPM tools. Two different areas of in-
vestigation were chosen for this analysis, including de-
termination of an idealized model based on current best
practices and the description of the actual practice within
the organisation under study. While many organisations
do attempt to undertake the development of processes
under the best practices frameworks described below,
many organisations do not succeed in this goal either due
to deliberate divergence from the best practice in order to
accommodate organisational realities or because of in-
ability to reach the best practices condition for another
reason [1].
Existing best practice models for software acquisition
are built on commonly accepted standards that either
represent software acquisition as a standalone process or
integrate the acquisition process into the software lifecy-
cle. The diversity of these models means that an organi-
sation is likely to be able to choose an appropriate model
for its needs, but none of the best practices models is
likely to be fully adequate. Valuable information can be
gained by comparing the process as enacted within the
organisation with the template provided by the best prac-
tices model. This research required building theoretical
models for three commonly used software lifecycle
standards, the Capability Maturity Model for Software
Acquisition (CMMI-ACQ), the Software Acquisition
Capability Maturity Model (SA-CMM), and the ISO/
IEEE 12207 software lifecycle standard (which integrates
software acquisition into the lifecycle model as compared
to the other two models, which describe it separately).
This report describes these models in brief and then
focuses on the process of describing the idealized tem-
plate for the oldest model, SA-CMM, in order to demon-
strate the engagement of analytical tools. A discussion is
also provided regarding the next steps in identification of
organisational optimization and matches to this process.
The importance of this report is that it provides a scientific
understanding of the models as they relate to the software
acquisition process. Organizations that have likely used
Deriving Software Acquisition Process from Maturity Models—An Experience Report281
other methods in the past that may not have taken fully
into account both the managerial issues and the tasks
related to the best outcomes of software acquisition will
be provided not only with a model for the process, but an
understanding of the important elements of the model and
how to integrate them into real-world application.
2. Best Practices and Standards
Three best practices models or standards were identified
for inclusion based on the completeness of the standard
and the level of actual use within these organisations.
SA-CMM, the oldest model that is examined, is still in
active use within some organisations, while others have
enacted its successor, CMMI-ACQ [2]. Both of these
models were developed by the Carnegie Mellon Univer-
sity Software Engineering Institute to support the devel-
opment of processes in the organisation. The third model
ISO/IEC 12207, describes an overall view of the software
lifecycle that includes the acquisition process. Each of
these models presents a foundation that is important to
understand in order to examine the develop a model of the
software acquisition process that integrates both man-
agement issues and key tasks and procedures that are to be
followed for the opportunity for the best outcomes for an
organization. The examination not only examines these
theories, but also helps to bridge theory with real-world
needs and concerns.
2.1 SA-CMM
The SA-CMM best practices standard (currently version
1.03, released 2002), was developed to provide a capa-
bility maturity model that could be used in the context of
software acquisition [3]. Although it was developed for
use by the United States Department of Defence, it has
been widely used in educational and industrial contexts as
well. Companies have found that the SA-CMM best
practices standard provided a straight-forward process by
which to understand the important issues related to soft-
ware acquisition [3]. The SA-CMM model, which is
shown in Table 1, is based on a five-layer model in which
each level delimitates a different level of maturity. The
maturity level is made up of key process areas, which
include goals, institutionalization features (commitment
to perform, ability to perform, measurement and analysis,
and verification), as well as activities [3]. The SA-CMM
model is a staged model, indicating that the results are
cumulativefor example, it is necessary to meet the re-
quirements of Level 2 in order to achieve Level 3. Without
completing one stage successfully before moving to the
next, important issues are not entirely handled, and the
result is likely to not be the best outcome for an organi-
zation [3].
The goal of the SA-CMM best practices model is to
provide a description of the software acquisition process
that can be adapted to any organisational context, and as
Table 1. SA-CMM model
Level Focus Key Process Areas
1. Initial Competent People and Heroics
2. Repeat-
Basic Project
- Transition to Support
- Evaluation
- Contract Tracking and
- Project Management
- Requirements Development and
- Solicitation
- Software Acquisition Planning
3. DefinedProcess Stan-
- Training Program Management
- Acquisition Risk Management
- Contract Performance
- Project Performance
- User Requirements
- Process Definition and
4. Quanti-
- Quantitative Acquisitions
- Quantitative Process
5. Optimi-
- Acquisition Innovation
- Continuous Process
such it is a very wide-ranging [4]. However, this charac-
teristic makes the SA-CMM difficult to implement within
an organisation, as specific requirements for this imple-
mentation in terms of tools or identified techniques are not
complete. Another significant gap in the SA-CMM is that
it does not specify requirements, which is considered to be
essential for determination of the appropriate fit between
software and organisation [5]. As such, although the SA-
CMM is used in many organisational contexts it may not
be appropriate or optimal for all organisations.
The CMMI-ACQ best practices description (current re-
lease 1.02, September 2007) is the successor to the SA-
CMM model (although the SA-CMM model is still in use
in many organisations). [6] This model is built on the
older SA-CMM description, but provides a considerable
improvement over this model. It was generated from the
CMMI Architecture and Framework, an existing model
that describes various aspects of lifecycle development of
software [7]. This model is also intended to be a generic
model for organisational process description and im-
provement, applicable to any organisation [7].
Unlike the SA-CMM model, there are three levels of
inclusion for CMMI model components, including re-
quired, expected, and informative components [7]. There
are 22 identified process areas within the CMMI-ACQ
model, and like SA-CMM, the CMMI-ACQ model can be
used as a staged model; however, unlike the SA-CMM
model, the CMMI-ACQ model can also be used in a con-
Copyright © 2010 SciRes. JSEA
Deriving Software Acquisition Process from Maturity Models—An Experience Report
tinuous representation, which allows for transition be-
tween stages depending on existing capabilities [7]. What
this means for an organization is that it does not have to
feel that each stage must be completed, even if it does not
entirely apply to the organization or its needs, before
moving to the next. An organization has some control
over the model in the ability to make changes or adjust-
ments to specific issues or concerns in relation to how it
operates and the needs that it considers to be important.
Under the staged model, in which, as with SA-CMM,
transitions occur from one model to the next sequentially
and determined by achieving core competencies from
previous stages, there are five different stages that the
organisation can move through (Initial, Managed, Defined,
Quantitatively Managed, and Optimizing); these five
stages roughly correspond to the five stages of the
SA-CMM model [7]. However, the continuous model
allows for a sixth stage, Incomplete (in effect a Level 0).
This extra level in the model can be important for an or-
ganization because the assumption that a level has been
completed is not possible. An organization can indeed be
incomplete with regards to its acquisition efforts. The
difference between these two models is that the standard
presents a capability model in the continuous representa-
tion (which is intended to describe the individual capa-
bilities of the organisation at whatever level they have
occurred), while the staged representation is intended as a
maturity model, representing the overall maturity level of
the process within the organisation [7]. This means that
the staged and continuous representations do have dif-
ferent approaches to tasks and requirements for compe-
tence attainment, but the models are largely consistent
with each other.
While the CMMI-ACQ description did rectify some of
the challenges of SA-CMM including development of a
requirements determination activity area and introduction
of specific predefined tasks, it does retain some challenges
as well. These include lack of guidance offered on the
priority of process areas within the continuous represen-
tation [8]. This lack of prioritization means it can be
challenging for implementers of the process to determine
appropriate priorities or task ordering; while decision
support models have been identified that can rectify this
challenge to some extent it remains one of the highest
barriers to organisational implementation of this process.
In addition, for an organization that may be beginning the
process of truly thinking about best practices related to
software acquisition or having a scientific theory to guide
software acquisition, the use of a broad model that is more
oriented toward ideas as opposed to specific tasks can be
challenging. An organization can become so concerned
about ideas and concepts than it ignores the tasks that need
to be completed in order to successfully complete soft-
ware acquisition and ensure that it meets the needs of the
organization once it has been completed.
2.3 ISO/IEC 12207
The third standard that was undertaken during this analy-
sis process was ISO/IEC 12207, which implements the
software acquisition process as part of a full description of
the software lifecycle. ISO/IEC 12207 was the first stan-
dard to describe the full software lifecycle [9]. The
ISO/IEC 12207 family of standards is one of the most
commonly used standards for the definition of the soft-
ware lifecycle process as a whole, including the software
acquisition process, which is embedded in the standard
[10]. Starting from the acquisition process, the ISO/IEC
12207 standard describes the full software lifecycle, in-
cluding aspects such as human resources management and
infrastructure life cycle management. This means that
specific tasks that need to be completed, as opposed to
only focusing on issues and concepts, are part of the
model. In essence, this model allows for a bridge to be
created between purely issue-related software acquisition
and the tasks and duties that are part of the software ac-
quisition process [9]. However, only the software acqui-
sition process model was considered to be relevant for this
research process.
Unlike SA-CMM and CMMI-ACQ, the ISO/IEC
12207 model is not a capability or maturity model per se,
but is instead a lifecycle model. Also unlike the previous
two models discussed, it clearly defines operations, ac-
tivities, tasks, and provides a complementary Supply
Process that outlines the operations and activities required
of the supplier of the software [9]. This view of the
process from the supplier’s viewpoint increases the po-
tential that requirements of the organisation acquiring the
software are met, because the Supply Process specifically
addresses the requirement to meet purchaser requirements
[9]. Also unlike the CMMI-ACQ and SA-CMM model,
the ISO/IEC 12207 standard is not a staged model that is
based on the stage of organisational maturity, but is in-
stead a single process designed for use at all levels of
maturity [9]. This does allow the organisation to build
competence in these processes over time, but does not
provide a means of determining the organisation’s ma-
turity. However, there are sub-processes offered that al-
low for identification of greater detail in the process if
required. The model is much more detailed in this regard,
which is important for an organization that may be un-
dertaking software acquisition efforts in a scientific
manner for the first time. The specific details that are
listed provide a better guide for what needs to be per-
formed in order to achieve a successful outcome.
Thus, while the ISO/IEC 12207 model is not appropri-
ate for determining the maturity or capability level of an
organisation it does allow for the development of specific
skills and competencies related to software acquisition by
spelling out the required process for effective software
acquisition (and through the complementary Supply Pro-
Copyright © 2010 SciRes. JSEA
Deriving Software Acquisition Process from Maturity Models—An Experience Report
Copyright © 2010 SciRes. JSEA
cess, the effective supply of software to organisations). As
such, this can be seen to be a standard that would be put to
a different use from the organisational requirement that
led to the use of the capability maturity models described
by the SA-CMM or CMMI-ACQ frameworks.
3. SA-CMM Conversion Process
The description above provides an overview of the best
practices frameworks. However, there is still the question
of how these textual descriptions can be defined as a
framework that can be directly compared to process
models derived from organisational studies. There were a
number of issues identified in this experience. First, the
textual descriptions offered little information regarding
the specific tasks and activities. Second, the varying ma-
turity levels within this capability maturity model offer
different activities and processes, making the model
complex to describe as a single model framework. In
order to overcome these challenges, the specific tasks and
activities were kept generic in order to comply with the
framework of the discussion, and the individual models
were described in separate frameworks. It is understood
that since the SA-CMM model is a cumulative framework,
that organisations would be able to compare their ob-
served processes serially against the models in order to
determine which capability level met the requirements
most effectively.
3.1 Description of the Framework
The SA-CMM framework presented is the Level 2 ap-
proach to software acquisition. However, a similar proc-
ess was followed to describe the process at all five levels
of the organisation. (This process was also performed for
all levels within the CMMI-ACQ framework as well as
the Acquisition process within ISO/IEC 12207). The
process was as follows:
1) Identify key process areas that were described within
the model;
2) Create a definition of the key process area that tex-
tually described the inputs, process, and outcomes of the
process area;
3) Identify inputs;
4) Identify outputs;
5) Identify people;
6) Identify cost.
The key process areas identified at Level 2 (Repeatable)
included Software Acquisition Planning, Solicitation,
Requirements Development, Project Management, Con-
tract Tracking and Oversight, Evaluation, and Transition
to Support [3]. As can be seen in Figure 1, the key proc-
ess areas are a mixture of competencies and process areas,
including technical, project planning and management,
and legal aspects of the acquisition process, which indi-
cates that the process will engage different individuals and
organisational competencies within the region.
The process flow indicated by the Level 2 (Repeatable)
description with the SA-CMM model was exceptionally
simple. This process was a linear process with little room
for deviation from the existing model or translation from
one end of the model to another.
The model above describes the process of software
acquisition at maturity Level 2 within the SA-CMM. The
steps involved in software acquisition in the model are
standard in terms of key process areas, but actual tasks and
activities vary depending on the organisation. The issues
of cost and resource allocation are strongly dependent on
individual implementation and are not determined in the
standard; as such, they will need to be determined on
observation of individual implementations of the standard.
However, the key process areas must all be identified and
effectively engaged in if the firm wishes to move beyond
the Level 2 (Repeatable) level of implementation, just as it
was necessary for all the key process areas at Level 1 to be
met effectively in order to move to Level 2 [7]. Because of
this, a maturing software organisation will move into an
effective implementation of all identified key process
areas before moving forward to the Level 3 (Defined)
model. As discussed above, there is a considerable chal-
lenge within this model, as tasks and activities are not
actually clearly defined and there is no way to identify a
generic standard for tasks and activities; as such, there
will be representative tasks and activities identified in
order to attempt to create a framework that can be used to
describe a generic situation that meets the demands of a
Level 2 organisation.
3.2 Identification of Tasks and Specific Activities
The model above has an obvious weakness, in that it does
not describe specific tasks and activities, but instead fo-
cuses on the identification of process and management
related functions. Once again, the disconnect that seems to
exist between purely theoretical concerns as opposed to
concerns related to real-world software acquisition and
implementation are noticeable. In practice, the organisa-
tion will need to implement the best practices framework
with actual tasks and activities, which may be refined
from organisational needs or may be identified from ad-
ditional best practices frameworks. The best practices
frameworks that have been identified as ideal for use in
construction of the framework models include the Infor-
mation Technology Infrastructure Library (ITIL) best
practice guide, published by Great Britain’s Office of
Government Commerce, and the Control Objectives for
Information and Related Technologies (CoBiT) frame-
work, which provides IT governance best practices
Deriving Software Acquisition Process from Maturity Models—An Experience Report
The ITIL framework, which is shown in Figure 2, is
commonly used in conjunction with CoBiT to incorporate
governance and best practices, and there is a specific
guideline intended to facilitate this co-incorporation [11].
The applicable ITIL volume is the Software Asset Man-
agement volume, which addresses software management
at all stages of the lifecycle [14]. These additional best
practices frameworks mimic the addition of supplemental
frameworks, policies and standards within an actual or-
ganisation in order to determine appropriate tasks and
activities. Additionally, researchers have identified these
frameworks as being commonly implemented within the
organisational environment, meaning that it is likely that
an organisational study will reveal a similar process of
identification of actual tasks and activities that would take
place. As such, this is considered to be an appropriate
supplement for the structure demonstrated above.
The combining of the ITIL and CoBiT models can ac-
tually be performed with relative ease. Figure 3 provides
a model for combining ITIL and CoBiT. Combining the
models overcomes the problem of the lack of specific
tasks and activities that is found in the SA-CMM Level 2
process flow. The combined ITIL and CoBiT model
brings together management functions and company ac-
tivities. In essence, what has occurred in the combined
model is that software acquisition as moved from being
purely managerial in nature to something that involves
employees at all levels of an organization.
4. Refinement of the Framework
This report describes only the first iteration of a process
that is expected to have several stages of refinement. One
potential way in which the identified models can be re-
fined and further clarified is the use of simulation to
identify potential difficulties and challenges within the
framework. Business process simulation is commonly
used in organisational environments for such tools as
business process re-engineering and new process imple-
mentation, because it allows for identification of flaws
within the proposed process Model [15]. The use of
simulation within this context allowed for the identifica-
tion of areas that could be problematic if implemented in
actual practice. These areas will then be analysed in order
to determine whether this is a specification error or
whether it represents an actual area of implementation
difficulty or inefficiency within the best practices
framework. In the first case, the model will be refined to
account for the identified difficulty, while in the second
case further research will be performed with this area of
weakness as a focal point.
The identified simulation and modelling tool that will
be used for this process is YAWL (Yet Another Workflow
Language), which is an open source workflow modelling
and simulation tool [16]. This tool has been used exten-
sively in academic BPM research as it is extensible and
has a greater level of flexibility than most commercial
offerings, which are primarily intended for analysis and
are not aimed toward researchers. This process will re-
quire translation from the current BPML to YAWL’s Petri
nets structure, but the use of simulation in order to identify
potential difficulties in the framework models that will be
used for comparison of actual cases will provide signifi-
Negotiation and
Legal Tasks
Termination and
Figure 1. SA-CMM Level 2 process flow
Figure 2. ITIL framework
Copyright © 2010 SciRes. JSEA
Deriving Software Acquisition Process from Maturity Models—An Experience Report285
Information Criteria
(Business Process) Plan & Organization
Monitor & Evaluate
IT Resources
Deliver & Support
Acquire & Implement
Figure 3. Combined ITIL/CoBiT model
cant benefits to the current research and as such this is
considered to be an acceptable requirement.
5. Conclusions
The use of best practices frameworks and standards is
common within organisations, but the specific needs of
the organisation drives the choice of framework or stan-
dard. The three most common best practices standards
provide different advantages and disadvantages to the
organisation, and can be used in different ways to improve
the organisation. The organisation that wants to engage in
a specific process that is consistent across maturity levels
and stages and includes specific tasks is likely to choose
the ISO/IEC 12207 standard, while an organisation intent
on developing capabilities in software acquisition will
choose the CMMI-ACQ model. An organisation intend-
ing to develop maturity in the software process could use
either CMMI-ACQ or the SA-CMM model. This discus-
sion has demonstrated the process by which the textual
descriptions were converted to idealized process frame-
works that could be used to actualize process models
identified from organisational studies. However, some
issues have remained unresolved form this experiment,
including the ability to identify specific activities and
structures. This is not especially a problem with the
ISO/IEC 12207 standard, which spells out specific or-
ganisational activities and a specific process, but does
remain a challenge with SA-CMM and CMMI-ACQ,
which are more flexible in terms of identification of the
process activities and requirements (and in fact in some
cases do not have specific requirements in this regard at
all). In this discussion, it was suggested that the imple-
mentation of standards including ITIL and CoBiT could
be used to identify the specific tasks and processes that are
missing from these structures. However, the use of or-
ganisational studies will be required in order to determine
how the organisations themselves have resolved this issue
have these organisations used these best practices IT
governance frameworks, or have they merged software
capability and maturity models with uniquely identified
models or practices? This is one of the outstanding issues
that the researchers hope to resolve through the current
research process.
It should be noted that the majority of organisations that
use the SA-CMM framework for description of software
acquisition processes currently operate at Level 2, which
was the model described within this framework [17]. Thus,
the description of the Level 2 framework was engaged in
first in order to be able to describe the widest potential
organisational pool. However, this process was followed
for other frameworks and organisational levels as well.
The researchers hope to use this generic description as a
means of creating a template on which organisations can
be matched following the identification of actual proc-
esses within the organisation in order to provide identifi-
cation of processes from the research perspective, even in
organisations that do not use the frameworks or models
explicitly. This could yield information both for imple-
mentation of the models within other contexts (for exam-
ple, providing information regarding optimizations in
generic frameworks that can be identified from actual
organisational studies) as well as provide information for
organisations in terms of process improvement and in-
creasing efficiency. Thus, the identification not only of
key process areas, but also association of tasks and ac-
tivities as described by ITIL and CoBiT to these key
Copyright © 2010 SciRes. JSEA
Deriving Software Acquisition Process from Maturity Models—An Experience Report
process areas, is expected to be key to the eventual utility
of this research.
[1] M. Biro, C. Deak, J. Ivanyos, and R. Messnarz, “From
compliance to business success: Improving outsourcing
service controls by adopting external regulatory require-
ments,” Software Process Improvement and Practice, Vol.
11, pp. 239–249, 2006.
[2] L. Anderson, M. Fisher, and J. Gross, “Case study: IRS
business system modernization process improvement,”
Carnegie Mellon University, Software Engineering Ins-
titute, Carnegie Mellon University, Pittsburgh, PA, USA,
[3] J. Cooper and M. Fisher, “Software Acquisition Capability
Maturity Model (SA-CMM) Version 1.03,” Technical
Report, Carnegie Mellon University, Software Engineer-
ing Institute, Pittsburgh, PA, USA, 2002.
[4] J. White, “Managing information in the public sector,” M.
E. Sharpe, London, UK, 2007.
[5] J. A. Mykkanen, M. P. Tuomainen, “An evaluation and
selection framework for interoperability standards,” Infor-
mation and Software Technology, Vol. 50, pp. 176–197,
[6] F. Navarrete, P. Botella, X. Franch, “Reconciling agility
and discipline in COTS selection processes,” Proceedings
of the 6th International IEEE Conference on Commercial-
off-the-Shelf [COTS]-Based Software Systems, pp. 1–11.
IEEE, 2007.
[7] “CMMI product team: CMMI for acquisition, version 1.2:
CMMI-ACQ, version 1.2,” Technical Report, Carnegie
Mellon University, Software Engineering Institute,
Pittsburgh, PA, USA, 2007.
[8] S. J. Huang, W. M. Han, “Selection priority of process
areas based on CMMI continuous representation,” Infor-
mation and Management, Vol. 43, pp. 297–307, 2006.
[9] J. Moore, T. Doran, A. Kark, “Systems and software
engineering—software lifecycle processes,” Software &
Systems Engineering Standards Committee of the IEEE
Computer Society, Institute of Electrical and Electronic
Engineers, 2rd Edition, Piscataway, 2008.
[10] Y. Hwang, J. G. Park, “Approaches and requirements to
develop and improve the standard processes for a research
and development organisation,” Systems Engineering, Vol.
9, No. 1, pp. 35–44, 2006.
[11] D. Nichols, “Governing ITIL with COBIT, DITY News-
letter,” itSM Solutions LLC, Lexington, USA, 2007.
[12] “ITGI/ISACA: COBIT 4.1,” IT Governance Institute,
USA, 2007.
[13] “ITGI/OCG: Aligning COBIT, ITIL, and ISO 1799 for
business benefit: Management summary,” Office of
Government Commerce, Norfolk, 2007.
[14] “Office of government commerce: Software asset mana-
gement,” Stationery Office, London, 2003.
[15] I. Lee, “Selected readings on information technology and
business systems management,” Idea Group Inc, London,
[16] “YAWL: Yet another workflow language,” http://www.
[17] C. Meyers and P. Oberndorf, “Managing software acqui-
sition: Open systems and COTS products,” Addison-
Wesley, Sydney, 2001.
Copyright © 2010 SciRes. JSEA