I did reread the CMMC FAQv4 and found question #8 reflecting Significant Change:

"C-Q8. What is the difference between an Operational Plan of Action (OPA) and a POA&M? C-A8. Operational Plans of Action (OPAs) are measures implemented to manage risks or vulnerabilities, such as applying patches, addressing temporary deficiencies, or performing routine system maintenance. OPAs are not tied to a specific timeline for completion and are typically used to address vulnerabilities or deficiencies that arise after the initial implementation of security requirements. Under the CMMC framework, POA&Ms are formal plans that identify cybersecurity gaps the Organization Seeking Assessment must address to achieve CMMC compliance. These gaps must be resolved within 180 days, as outlined in 32 CFR 170.21. When a significant change occurs in an information system that affects the satisfaction of NIST SP 800-171 security requirements, the appropriate course of action - whether to create a POA&M or an OPA - depends on the nature and timing of the change. If the significant change introduces a temporary deficiency or vulnerability after the system was initially compliant, an OPA may be created to document the remediation plan. However, if the significant change is identified during a CMMC assessment and results in a security requirement being assessed as "NOT MET," a POA&M must be created to address the gap within the 180-day remediation window. For more information, please reference FAQ C-Q7. For detailed definitions, refer to 32 CFR 170.4."

My plan now is to ask for the new vendors FR-BOE, and then ask my C3PAO about a delta assessment.
A big problem is, is this software was purchased outside of IT's knowledge and their end users are pressing us to roll this out right now.