Cole French, a C3PAO, on preparing for CMMC.

Opens with the claim that CMMC 2.0 lowered your documentation requirements. It did not. They are 100% the same.

Auditing and MFA were the hardest parts for Kratos to implement.

Then goes into software permissions using a deny list and an allow list. They use the bridge approach with a permit by exception.

Good discussion on the difference between the words "specified", "identified", and "defined".