When reviewing a vendor's password practices, not only for their own access but also for their customers' and potentially consumers' access, I would recommend setting the same requirement across the board for non-administrative accounts. Where the accounts are administrative, or where the service enables access to PII or sensitive business information, additional authentication requirements, such as multi-factor authentication, would be recommended to assess against.
Always interested in hearing how others are handling this ongoing transition from historical password practices.