Rather than tasking one or several government entities with the security of critical infrastructure, why not simply create one that does nothing but pentest critical infrastructure, without giving them operational authority over the networks they're testing? There would need to be an efficient means of communicating vulnerabilities, and depending on the severity, the NSA/DISA/AF might be allowed to intervene provisionally to patch or mitigate a new vulnerability. But I suspect that's already the case.
You'd still need the voluntary agreement of the owners of the non-government infrastructure. But yeah, a central pen-tester or advice-giving entity would be nice. You are right that NSA and DISA already do this (see above links), but not in any comprehensive manner. The NSA often does technical review on erm... critical software. There are no official and public guidelines, but it's always done with the owner's permission. Granted, I would think any software manufacturer would be deliriously happy to get a software review by someone as technically advanced, well staffed and generally knowledgeable as the NSA. To get it at no cost would be the icing on the cake.
One example is _NSAKEY, built into all versions of Windows. Microsoft generated a digital signature to sign cryptographic modules. That's good. On the other hand, during the tech review, NSA mentioned it was unwise to have a single source for the key (which they did on the first key). The theory is that whoever generated the initial key knows the entire key, thus can be forced to give it up. If you're making a key for something that you really don't want anyone to ever break, you don't want anyone really knowing the entire key. If no one knows the key, there is no physical way for that key to get compromised by a single source. The trick is using secret splitting, which splits the inputs for generating the digital signature into several pieces with no single person or group knowing the entire key. So they included a second sig in a part of Windows, this time a split-key-generated sig.
Naturally people assigned all amounts of tin foil hattery to that episode, but it was pretty straightforward tech review.
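The secret splitting the post above describes, shown as a k-of-n threshold split of a signing key (Shamir's scheme over a prime field) so that no single custodian ever holds the whole key, is an example added here, not code from the thread or from Microsoft; the key value is constructed and the 3-of-5 parameters are assumptions.

```python
# Added illustration of secret splitting: a k-of-n threshold split of a
# signing key (Shamir's scheme over GF(p)) so no single custodian holds it.
# Not code from the thread; key value and 3-of-5 parameters are assumptions.
import secrets

P = 2**521 - 1  # Mersenne prime M521: a field comfortably larger than a 256-bit key


def _eval_poly(coeffs, x):
    # Horner evaluation of a polynomial (constant term first) modulo P.
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % P
    return result


def split_secret(secret, k, n, rng=secrets.randbelow):
    """Return n shares (x, y); any k of them recover `secret`, fewer learn nothing."""
    if not 1 <= k <= n or not 0 <= secret < P:
        raise ValueError("threshold must satisfy 1 <= k <= n and 0 <= secret < P")
    # The secret is the constant term; k-1 random coefficients hide it.
    coeffs = [secret] + [rng(P) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x = 0 over the supplied (x, y) shares."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P  # Fermat inverse
    return total


if __name__ == "__main__":
    # Constructed 256-bit "signing key"; in practice the shares would be
    # generated jointly so that no single party ever sees the key in full.
    key = int.from_bytes(secrets.token_bytes(32), "big")
    shares = split_secret(key, 3, 5)
    assert recover_secret(shares[:3]) == key
    assert recover_secret([shares[0], shares[2], shares[4]]) == key
    print("any 3 of the 5 shares recover the key; 2 shares do not")
```

With k-1 shares the interpolated polynomial is underdetermined, so every candidate secret is equally consistent with them; this is the property the post is referring to when it says no single source can compromise the key.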
DISA is good, but their job description and expertise isn't applicable here. NSA, too, is valuable but ancillary.
I'd agree if you were saying that DISA isn't good for this task because they're used to owning the hardware and not advising from the sidelines. I still think they'd be good at advising very large enterprises, because that's what they do. On a tech level, there's very little difference between a government or private enterprise network. Both use mostly the same products. Oh sure, config and policies are different, but the underlying tech isn't.