Why is there a need to do this when previously the Center for Internet Security have done this with the Oracle Security Benchmark? This benchmark, or the first version at least, was closely based on my book "Oracle Security Step-by-Step (Version 2.0)". I was not involved with the CIS Oracle benchmark but I understood from people who were that Oracle people were on the team.
I think I would agree with Mary Ann that there needs to be a standard for securing Oracle that everyone can work to. I also feel Oracle should be involved but not control its contents. As with anything like this, it would be fluid and moving due to the nature of security risks and issues being found day to day. But for core issues I agree it could be fixed. I have some great ideas of what should be included.
If NIST want to involve me then please feel free to contact me. If others think we should have an open standard or community effort not organised by NIST then I would be happy to be involved in such a team / effort or even organise the effort here. I have started a thread on my Oracle security forum to discuss creating an open standard for securing Oracle. I have also installed MediaWiki in anticipation that others might like to join in and create a community standard for securing Oracle. If anyone has any thoughts / interest about this then please voice them initially on the thread above.