News of 300 models of Cisco Catalyst switches being vulnerable to a simple Telnet attack, Cisco issues critical warning after CIA WikiLeaks dump bares IOS security weakness by Michael Cooney, for example, has piqued interest in installed Cisco routers.
You already know that Nmap can uncover and identify routers.
What you may not know is government hemorrhaging of IT information may be a useful supplement to Nmap.
Consider GovernmentBids.com for example.
You can search by federal government bid types and/or one or more of the fifty states. Up to 999 prior to the current date, for bids, which includes the bids as well as the winning vendor.
If you are routinely searching for IT vulnerability information, I would not begrudge them the $131/month fee for full information on bids.
From a topic map perspective, pairing IT bid information with vulnerability reports, would be creative and valuable intelligence.
How much IT information is your office/department hemorrhaging?