by jrodthree24 1885 days ago
This requirement can come from lots of places. I remember at the last place I worked, we had to get audited for SOC2 compliance and password expiry was part of the requirement. I imagine these things lag behind the recommended security guidelines by quite a few years.
2 comments

It feels extremely negligent of third-party auditors to recommend (and sometimes require) that companies enforce worse, obsolete security practices.
SOC 2 is defined by the American Institute of Certified Public Accountants. Having computer security defined by accountants seems crazy, but is in the style of the bureaucratic mess of modern enterprise.
Don't recall for SOC2 specifically, but a lot of the time, "best practices" suggestions and the requirements weren't the same, and people codified the suggestions internally, or the reviewers/auditors would.