Because FBI CJIS requirements, adopted by state law enforcement bodies, require it. I support a Public Safety Answering Point (PSAP, aka a 911 call center) and I push back on as many of the inane requirements as I can with compensating controls.
Example: As of right now I am still required to expire passwords every 90 days. My state is considering the current guidance from NIST but FBI CJIS policy still mandates the expirations.
I don't know what CJIS requirements entail precisely, but at a first glance, they seem reasonable. But it's weird that people then think they can comply by installing a product with a disclaimer against their intended use. It's just a token acknowledgment: "Yeah, we've read it, but we don't really care."
If that's also the interpretation of the courts, then each company would be individually liable, at least towards the government.
Holy shit I cannot stand the password expiration requirements. Like you said, NIST literally recommends against it but so many regulations require it. So aggravating.