• Eric M Russell (4/10/2014)


    The standards would not have to be very technical. Dedicated sysadmin accounts, removal of service accounts from the sysadmin role, separation of duties, application accounts with minimal privilege (i.e. no ad-hoc SQL and access only to required tables), encryption at rest for columns containing sensitive data, encrypted backups, encrypted connections between the application and database layers: these basic best practices would apply to any enterprise database platform. If a database platform doesn't provide support, then the organization has simply chosen the wrong platform.

    Sounds good in practice, but this is somewhat how PCI and SOX are written. The problems come in when the encryption is poor, i.e. using MD5 for passwords, or someone argues about what minimal privilege is.

    I do think the government should lay out some framework and then industries, perhaps with groups like SANS, should give more guidance and detail on what would constitute good security for a platform and version.
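
A concrete version of the least-privilege items in the quoted list (a dedicated application login, service accounts taken out of sysadmin, no ad-hoc access to tables), written as an added SQL Server T-SQL example that is not part of the original thread. Every login, database, schema, table and column name in it (AppLogin, OrdersDb, app, dbo.Products, CORP\svc_reporting) is hypothetical.

```sql
-- Added example (not from the original thread): SQL Server T-SQL applying the
-- "minimal privilege application account" practice from the post above.
-- All object names below are hypothetical placeholders.

USE master;
GO

-- 1. A dedicated login for the application, with no server-level role membership.
CREATE LOGIN AppLogin
    WITH PASSWORD = 'Replace-with-a-long-random-secret!1', CHECK_POLICY = ON;
GO

-- 2. Take a service account out of the sysadmin fixed server role
--    (hypothetical Windows account name).
ALTER SERVER ROLE sysadmin DROP MEMBER [CORP\svc_reporting];
GO

USE OrdersDb;
GO

-- 3. Map the login to a database user that owns no objects.
CREATE USER AppUser FOR LOGIN AppLogin;
GO

-- 4. Keep the application's stored procedures in their own schema and grant
--    EXECUTE on that schema only. With no SELECT/INSERT/UPDATE/DELETE on the
--    tables themselves, the account cannot run ad-hoc SQL against them.
CREATE SCHEMA app AUTHORIZATION dbo;
GO
GRANT EXECUTE ON SCHEMA::app TO AppUser;
GO

-- 5. Where one table must be read directly, grant only that table and,
--    when the schema allows, only the required columns.
GRANT SELECT ON OBJECT::dbo.Products (ProductId, Name, Price) TO AppUser;
GO

-- 6. Verify the effective permissions by impersonating the application user.
--    fn_my_permissions lists what AppUser can actually do at each scope;
--    repeat it with ('app', 'SCHEMA') and ('dbo.Products', 'OBJECT') to
--    confirm that nothing beyond the intended grants is present.
EXECUTE AS USER = 'AppUser';
SELECT entity_name, subentity_name, permission_name
FROM fn_my_permissions(NULL, 'DATABASE');
REVERT;
GO
```

The verification step is the part worth keeping in a standard: a grant script shows what was intended, while fn_my_permissions run under the application identity shows what the account ended up with, including anything inherited from public or from a role someone added later.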