Generally the government has a pretty good idea of what they want, and each product in use has specific methods they'll outline for properly securing it, which they'll outline in configuration documents and often security templates you can apply.
Of course, you may not have access to those until you've secured a contract, and those are usually only rules for systems on their networks...
Best you can probably do is prevent unauthorized users from accessing the "secure" server, both physically and via permissions. That and the standard security measures everyone should be taking (OS patches, antivirus updates) should be enough for systems that won't be interacting with sensitive networks.
