The first one is stored in the dreaded ByHosts preferences. The path to this is unique per device and user. Since that one is harder, I will skip it and talk about the second one first.
To validate the "require password after..." setting, use the following command:
sysadminctl -screenLock status
If the setting is at Immediate, the result will be something like:
<a bunch of junk> screenLock delay is immediate
Build in a parser to validate "immediate" and you are set.
Ok, back to the first one. The file is located in /Users/<the_user>/Library/Preferences/ByHosts and is called com.apple.screensaver.<GUID>.plist. The GUID is unique to each Mac. If you want to get the value to derive the path the hard way, use something like:
system_profiler SPHardwareDataType | awk '/UUID/ { print $NF }'
However, the easiest way to read this is:
defaults -currentHost read com.apple.screensaver idleTime
This will return the time in seconds. And this assumes you are running this locally from the user's account. Note, the idleTime can be set per user. If your Macs have multiple users, then each has a unique setting and you must then validate each user's ByHost file. Yuck.
So, this is where I strongly encourage you to enforce these settings using an MDM. If you are manually setting and then checking these values, you are doing way, way too much work. Use an MDM to enforce the values, and then use a compliance tool like Jamf Protect or others to constantly validate the enforcement.
Hope this is helpful.
