
NIST changed those rules a few years ago, I think. I remember thinking "please, PLEASE let companies follow suit...".

And still, very few have :(



I think it's new as of the 2019 revision, though it wouldn't surprise me if it's been ignored for a while. I don't think CMMC requirements specifically call out expiration periods, so hopefully a good sign.

Microsoft seems to be fairly forward-thinking [1] on passwords, doing away with expiration requirements and focusing more on their risk-based MFA stuff.

[1]https://www.microsoft.com/en-us/research/wp-content/uploads/...


PCI/DSS hasn't yet, so that's holding up a lot of them.


You are allowed to use the NIST Guidance as a reason to change that to a longer timeframe. I have a couple of clients that are using 365 days as of 2019.





