Despite all the jokes about it, I've found the DISA gold disk decent for identifying potential problems in a windows pc, (it's not perfect but better than just about everything else. They really need to get rid of all the manual checks and automate it much better though). The scan only version is free to anyone, (the version that can automatically make changes is only available from a .mil address, but the automatic changes can be dangerous to impliment).
Nessus is another free tool for scanning potential vulnerabilities.
Nmap - couldn't live without this
I think the most important part about the firewall/router is that you have a sysadmin that can manage them. You can have the most secure firewall in the world but if there is a "permit ip any any" rule at the top it won't do much good. Also having someone be able to effectivly go through logs is priceless, (not only for security, but for troubleshooting as well).
Actually, on that point you might want to think of adding a syslog server to your setup.
I generally try to avoid the certification & accredidation side of things like the plague, but you can probably find a lot of good info and best practices in those documents as well.
Then there is wireless and VPNs if you want to support those. You could also talk about using a tool like Norton Ghost so you can have a sandardized base image when you have to rebuild a machine or get a new one. VMWare is also nice for servers as backups are fairly easy.
I'm not a big fan of IDS's, but a program that parses netflow data could also be useful for sysadmins who want to get a snapshot of their network.
Warning, I'm not a security pro by any means. I hope this helps though.