There is no requirement that you engage a third party to perform a validation, but the expectation is that the validation be independent. If your internal audit department has adequate expertise to perform an independent validation, you can perform it in house.
Your vendor may be able to assist you in calibrating parameters so they are appropriately risk-based for your institution, but your vendor is not independent since its the vendor's system.
All the prudential regulators have adopted guidance on model risk management.
https://www.occ.gov/news-issuances/bulletins/2011/bulletin-2011-12a.pdf"Validation involves a degree of independence from model development and use.
Generally, validation should be done by people who are not responsible for development
or use and do not have a stake in whether a model is determined to be valid.
Independence is not an end in itself but rather helps ensure that incentives are aligned
with the goals of model validation. While independence may be supported by separation
of reporting lines, it should be judged by actions and outcomes, since there may be
additional ways to ensure objectivity and prevent bias. As a practical matter, some
validation work may be most effectively done by model developers and users; it is
essential, however, that such validation work be subject to critical review by an
independent party, who should conduct additional activities to ensure proper validation.
Overall, the quality of the process is judged by the manner in which models are subject to
critical review. This could be determined by evaluating the extent and clarity of
documentation, the issues identified by objective parties, and the actions taken by
management to address model issues."