
At my publicly traded company I was told that they have to do password rotation because of Sarbanes Oxley. Is there any truth to that?


I'm less specifically familiar with SarbOx details than HIPAA, but I suspect the former, like the latter, requires sexurity processes that address particular issues and your institution has adopted procedures (possibly from a third-party canned set) to satisfy those that require rotation. A lot of "required by HIPAA" mythology has this origin, and what I understand of SarbOx is that it's generally similar in this regard.


> sexurity

Typo?


Some security processes do feel a bit like bdsm.


Most (virtually all) of these rules "chain-up" to what NIST says is best practice.

So when NIST does a final update (the above is just a draft of their new standards), EVERYONE(-ish) will follow (eventually).



