I think it's new as of the 2019 revision, though it wouldn't surprise me if it's been ignored for a while. I don't think CMMC requirements specifically call out expiration periods, so hopefully a good sign.
Microsoft seems to be fairly forward thinking[1] on passwords, doing away with expiration requirements and focusing more on their risk based MFA stuff.
Microsoft seems to be fairly forward thinking[1] on passwords, doing away with expiration requirements and focusing more on their risk based MFA stuff.
[1]https://www.microsoft.com/en-us/research/wp-content/uploads/...