We are currently running VMSecure without the Rules Facility.  

What would we need to do to enforce a minimum password length for users? 

Release : 3.2

Component : CA VM:Secure for z/VM

As long as you are using VM:Secure facilities to manage passwords (VMSECURE commands and Menu functions),

then yes the PASSWORD User Exit can be used to enforce PASSWORD format.

In the information on the PASSWORD User exit can be found in the Reference Guide:

https://techdocs.broadcom.com/us/en/ca-mainframe-software/traditional-management/ca-vm-secure-for-z-vm-without-security/3-2/reference/user-exit-reference/password-user-exit.html