by tpmoney 637 days ago
I've encountered situations where the requirement to rotate passwords was obligated by contractual agreements. For instance, this is still the published guidance documentation on the HHS website for HIPAA compliance (https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/ad...):

  > Covered entities must train all users and establish
  > guidelines for creating passwords and changing them
  > during periodic change cycles.
If you have a contract that deals in HIPAA related information, you might be contractually obligated by the entity subject to HIPAA to have password rotations so that they can check the right boxes for compliance. Even though HIPAA isn't supposed to dictate specifics, I sure wouldn't want to be the person that has to explain why they didn't have password rotations in a HIPAA breach report, no matter what NIST said people "should" do. Because between a NIST "should" and the document labeled "HIPAA Security Series" and "Security Standards", in the middle of a shit storm, I wouldn't be counting on folks appreciating the nuances between the two.