SPCA software dual-mode authentication

Authoritative evaluation system for software enterprise capability maturity

1. Definition and Background
SPCA is a national level certification system developed under the leadership of China Electronics Standardization Institute (CESI), based on the international standard ISO/IEC 15504 (SPICE) and the Chinese national standard "Information Technology Software Process Capability Assessment Model" (SJ/T 11234-2021), integrating local industry practices to provide enterprises with a scientific and standardized process improvement framework.         


2. Origin and positioning of SPCA
SPCA is a software process capability assessment system jointly promoted by the International Organization for Standardization (ISO) and the China Electronics Standardization Institute (CESI), which integrates the international standard ISO/IEC 15504 (SPICE) with the Chinese national standards SJ/T 11234-2021 and SJ/T 11235-2021. Its goal is to measure the software process maturity of an organization through quantitative evaluation and provide scientific basis for process improvement.         
        
3. Dual model architecture
SPCA adopts a "dual-mode authentication" mode, which includes software process capability assessment (continuous) and software capability maturity assessment (phased), covering 22 process areas and involving four major categories: process management, project management, engineering, and suppor

SPCA adopts a five-level maturity model, gradually guiding enterprises to move from unordered management to continuous optimization:SPCA adopts a five-level maturity model, gradually guiding enterprises to move from unordered management to continuous optimization:

1. Core values
• Enhance market competitiveness: Improve the bidding advantages of enterprises (some projects require SPCA level 3 or above), win customer trust, and expand international cooperation opportunities.
• Optimize processes and efficiency: By standardizing and quantifying management, reduce project delay rates and defect costs, and achieve cost reduction and efficiency improvement.
• Obtain policy dividends: Multiple local governments provide special subsidies (such as Hangzhou, Shenzhen, etc.), significantly covering certification costs and helping enterprises invest resources.
• Strengthen brand credibility: Obtain CNAS accreditation certificate, enhance corporate image, assist in financing and bank loan applications, and enhance market credibility.

2. Applicable fields
• Software development companies: improve delivery quality and efficiency, reduce project risks;
• IT service providers (such as cloud computing, AI, big data): standardize service processes and enhance customer trust;
• Digital transformation of traditional industries: helping enterprises in manufacturing, finance, healthcare and other fields build software development capabilities that comply with industry standards;
• Government and public project bidding: As an important additional item of enterprise qualification, it meets the mandatory requirements of bidding.

The following is a comprehensive explanation of the application requirements for SPCA (Software Process and Capability Maturity Assessment) certification, integrating the latest policy requirements and industry practices in 2025:

Application suggestion:
Small and medium-sized enterprises: Priority should be given to applying for levels 2-3 to solidify the basic process.
Large enterprises/high compliance industries: Targeting levels 4-5, enhance quantitative management and innovation capabilities.
Bidding requirements: Fields such as finance, healthcare, and military industry typically require SPCA level 3 or higher.

Both SPCA (Software Process Capability Assessment) and CMMI (Capability Maturity Model Integration) are important reference models for enterprises to enhance their software R&D and service capabilities. However, there are significant differences between the two in terms of origin, standard framework, and applicable scenarios. The following analysis will elaborate on their similarities and differences from multiple dimensions, aiming to help enterprises scientifically select a certification path.Both SPCA (Software Process Capability Assessment) and CMMI (Capability Maturity Model Integration) are important reference models for enterprises to enhance their software R&D and service capabilities. However, there are significant differences between the two in terms of origin, standard framework, and applicable scenarios. The following analysis will elaborate on their similarities and differences from multiple dimensions, aiming to help enterprises scientifically select a certification path.

（I.） Core process steps
1. Certification application
• The enterprise submits an Evaluation Application to the evaluation agency, clarifying the evaluation objectives and scope, and signs a contract after passing the review.
• Business license, project case, personnel social security certificate and other materials are required to be attached.

2. Preparatory examination
• The evaluation agency establishes an evaluation team, develops an evaluation plan, and conducts preliminary review to identify gaps between existing processes and SPCA standards.
• Key actions:
Improve the documentation system (including 18 types of documents such as quality manuals and risk management procedures);
Complete confidentiality training for personnel involved in classified matters (with an average of at least 16 hours per year).

3. On site evaluation
First meeting: The company showcases its improvement achievements, and the audit team clarifies the scope and selects an interview list.
Document verification: Randomly check project documents (requirement documents, test reports, customer acceptance forms, etc.) to verify the compliance of the R&D process.
Personnel interviews: covering key positions such as R&D, testing, and project managers, tracing requirement changes and code version consistency.
Final meeting: Announce non conformities and specify a 15 day deadline for rectification.

4. Evaluation decision and certification
After the technical committee reviews and evaluates the report, a CNAS accreditation certificate (valid for 3 years) will be issued.
Within 60 days after obtaining the certificate, one can apply for government subsidies (such as subsidies exceeding 300000 yuan in Hangzhou).

（II.） Special procedures and precautions
1. Additional processes for military software enterprises
• Need to pass on-site military inspections, including network attack and defense exercises, equipment interface compatibility testing, etc.
• Submit military software reliability testing report (failure rate ≤ 0.01%/thousand lines of code) and wartime emergency plan.

2. Requirements for upgrading digital audit
• The R&D environment needs to pass Level 3 certification for information security and be connected to the government certification platform.
• The proportion of remote video spot checks has been increased to 30%, and it is necessary to ensure the coverage of panoramic cameras in the conference room.

3. Continuous improvement and annual review
• Annual review materials (such as agile development cases and DevOps implementation records) need to be submitted annually.
• Rectification issues need to be closed within 15 working days (30 days for civilian use).


4. Special classification requirements
• Military software companies: must first obtain equipment manufacturing unit qualifications (A/B category), confidentiality qualification certification (level 2 or above), and the legal representative and personnel involved in confidentiality must have no overseas background.
• Frontier technology enterprises (such as artificial intelligence and quantum communication) can apply for green channels, with a 40% reduction in review cycles.


（III.） Optimization suggestions
• Rehearsal and training: Simulate the audit team's "five step traceability method" (requirements → design → code → testing → delivery) to ensure cross validation of each step.
• Application of technical tools: Use QMS system to generate process asset library, avoiding logical contradictions in manual writing.
• Policy utilization: Priority should be given to government recommended evaluation agencies (such as Cyber Certification Center) to accelerate mutual recognition of qualifications.