I work in an environment requiring CFR 21 Part 11 and similar. I have not yet gotten our apps fully compliant, but I have gone through a number of trial and errors so helpfully I can get you started in a few places.

1) I would also suggest Django reversion; however, you will require a little more than what it offers to achieves a variable level audit trail with the action that was taken (in addition to by whom and when). For this I used one of the reversion signals to turn the comment field into a dict that could be evaluated and then called for any variable in the row and the action that was taken on it etc. This is below:

https://github.com/etianen/django-reversion

@receiver(reversion.pre_revision_commit)
    def it_worked(sender, **kwargs):
    currentVersion = kwargs.pop('versions')[0].field_dict
    fieldList = currentVersion.keys()
    fieldList.remove('id')
    commentDict = {}
    try:
        pastVersion = reversion.get_for_object(kwargs.pop('instances')[0])[0].field_dict
    except IndexError:
        for field in fieldList:
            commentDict[field] = "Created"
    except TypeError:
        for field in fieldList:
            commentDict[field] = "Deleted"
    else:
        for field in fieldList:
            try:
                pastTest = pastVersion[field]
            except KeyError:
                commentDict[field] = "Created"
            else:       
                if currentVersion[field] != pastTest:
                    commentDict[field] = "Changed"
                else:
                    commentDict[field] = "Unchanged"
    comment = commentDict
    revision = kwargs.pop('revision')
    revision.comment = comment
    revision.save()
    kwargs['revision'] = revision
    sender.save_revision

2/3) You are going to need to use an object-level permission system for this. I have implemented django-guardian. Pretty much the only limit on the complexity you can implement is how many things you can keep straight yourself. The base set of permissions you will need to implement are view, edit, delete, and some sort of data controller/manager role; however, you will probably want to go more complicated. I would highly suggest using class-based-views and mixins for permission checking, but function based can work as well. This can also be used to prompt for password for certain actions because you can control what happens to a field in any way you like.

https://github.com/lukaszb/django-guardian

4) Expiring passwords can be implemented with even just the Django auth system if you want or any user account management app. You will just need to add an extra field to record whatever datetime you want to begin your expiry countdown. Then on login just check for time from countdown and see if they have gone beyond the window, and if so require them to create a new password by directing them through the built-in view for password change or which mechanism is appropriate to your app.

I will tell you the most difficult part of implementing CFR 21 Part 11 will be getting the appropriate people to tell you exactly what your project should do to meet requirements, and getting inspected for compliance can be time consuming and costly.

Hope this helps you get started.