Orange Book (Score 1)
Of course, aside from auditing your systems and "finding" problems, you'd also have to make sure the vendor that you pick will provide "solutions" (as many have stated above).
One good benchmark to base their work on is Orange Book certification for your systems. If they (the auditor) don't know what this is, I'd stay away from them like the plague, especially if you're trying to get in good graces with government agencies.
If it's good enough for the Pentagon, I'd guess it'd be a good reference for others. Though for a system to be truly "Orange" I think it needs to be unplugged from the network or something.