If you have any voice with your Security department, you can tell them that rotating passwords is counter to NIST SP 800-63B (Section 10.2.1) guidance:
Do not require that memorized secrets be changed arbitrarily (e.g., periodically) unless there is a user request or evidence of authenticator compromise.
Yep, that’s dumb. SOC2 is built upon NIST guidance, not the other way around.