You should check out the new CMMC requirements -- basically a new set of basic cyber security requirements for all DoD suppliers, starting next year.

It's heavily based on the NIST guidelines, so strong on 2FA, and discourages arbitrary password rotation.