CISA's seems pretty good. You can adapt that.
https://www.cisa.gov/secure-our-world/require-strong-passwords
Here's my recommendation:
1. Start with min 8 characters (12 after a year, then 16 after another year)
2. No words, username not in password
3. Mixed case
4. At least one special character
5. Six-digit birthdate not in password
6. Four-digit birth year not in password
7. Change every 90 days.
8. Can't reuse last 5 passwords. (Then last 10 after 12 months.)
9. Can't change again within 3 days.
10. Use 2FA - text, biometric, or third-party app.
A few that can't be fully enforced by any system:
1. Don't reuse same password across multiple sites.
2. Don't reuse same password for personal accounts.
3. Don't save your password on your browser or phone.
4. Don't write it down anywhere.
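
A checker for rules 1 to 6 of the enforceable list above, as an added example that is not part of the original post. The function names, the sample word list and the three birthdate digit orders (MMDDYY, DDMMYY, YYMMDD) are assumptions; rules 7 to 10 need stored state and are not covered.

```python
import re
from datetime import date

# Constructed sample word list; a real deployment would load a full dictionary.
SAMPLE_WORDS = ("password", "welcome", "summer", "dragon")

def birthdate_strings(born):
    """Six-digit forms of a birthdate. The post does not fix a digit order,
    so MMDDYY, DDMMYY and YYMMDD are all checked (assumption)."""
    mm, dd, yy = f"{born.month:02d}", f"{born.day:02d}", f"{born.year % 100:02d}"
    return {mm + dd + yy, dd + mm + yy, yy + mm + dd}

def failed_rules(password, username, born, min_len=8, words=SAMPLE_WORDS):
    """Return the numbers of rules 1-6 that the candidate password breaks.
    min_len is raised to 12 and then 16 as the policy tightens (rule 1)."""
    failed = set()
    lowered = password.lower()
    # Drop common separators so "07-04-85" is caught as well as "070485".
    digits = re.sub(r"[\s./\-_]", "", password)
    if len(password) < min_len:
        failed.add(1)
    # Rule 2: no dictionary words, and the username must not appear.
    if (username and username.lower() in lowered) or any(w in lowered for w in words):
        failed.add(2)
    # Rule 3: both upper-case and lower-case letters are required.
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        failed.add(3)
    # Rule 4: at least one character that is neither a letter nor a digit.
    if all(c.isalnum() for c in password):
        failed.add(4)
    # Rule 5: six-digit birthdate; rule 6: four-digit birth year.
    if any(form in digits for form in birthdate_strings(born)):
        failed.add(5)
    if str(born.year) in digits:
        failed.add(6)
    return sorted(failed)

if __name__ == "__main__":
    born = date(1985, 7, 4)  # constructed sample user
    for candidate in ("Tr7!kqVz", "summer1985", "Jdoe#07-04-85"):
        print(candidate, failed_rules(candidate, "jdoe", born))
```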