System-generated requirements for password change frequency are absent. All password-required information you may see here:
#conf ter
(config)#service auth
(config-aut)# show settings
attemptLimit: 0
password-strength
-----------------------------------------------
size: 8-64
digits-min: 0
uppercase-min: 0
lowercase-min: 0
other-min: 0
number-old-passwords: 0
-----------------------------------------------
You may use aaa option on IPS and set password change frequency on RADIUS. So auditor must be satisfied.