Cole French a C3PAO on preparing for CMMC.
Opens with CMMC 2.0 lowered your documentation requirements. It did not. They are 100% the same
Then goes into software permission using a deny list and an allow list. They use the brdige approach with a permit by exception.