diff --git a/doc/metadata/rhel7/RHEL-07-010020.rst b/doc/metadata/rhel7/RHEL-07-010020.rst
index d1b6233d..7ab5cce1 100644
--- a/doc/metadata/rhel7/RHEL-07-010020.rst
+++ b/doc/metadata/rhel7/RHEL-07-010020.rst
@@ -1,7 +1,17 @@
 ---
 id: RHEL-07-010020
-status: not implemented
-tag: misc
+status: implemented
+tag: packages
 ---
 
-This STIG requirement is not yet implemented.
+Ansible tasks will check the ``rpm -Va`` output (on CentOS and RHEL) or the
+output of ``debsums`` (on Ubuntu) to see if any files installed from packages
+have been altered. The tasks will print a list of files that have changed
+since their package was installed.
+
+Deployers should be most concerned with any checksum failures for binaries and
+their libraries. These are most often a sign of system compromise or poor
+system administration practices.
+
+Configuration files may appear in the list as well, but these are often less
+concerning since some of these files are adjusted by the security role itself.
diff --git a/tasks/rhel7stig/apt.yml b/tasks/rhel7stig/apt.yml
new file mode 100644
index 00000000..e4acfb13
--- /dev/null
+++ b/tasks/rhel7stig/apt.yml
@@ -0,0 +1,62 @@
+---
+# Copyright 2016, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Ensure debsums is installed
+  apt:
+    name: debsums
+    state: installed
+
+- name: Gather debsums report
+  shell: "debsums > {{ temp_dir }}/debsums.txt"
+  changed_when: False
+  failed_when: False
+  when:
+    - not check_mode | bool
+
+- name: RHEL-07-010020 - Get files with invalid checksums (apt)
+  shell: "grep -v OK$ {{ temp_dir }}/debsums.txt | awk '{ print $1 }'"
+  register: rhel_07_010020_files
+  changed_when: False
+  when:
+    - not check_mode | bool
+    - ansible_os_family | lower == 'debian'
+  tags:
+    - high
+    - RHEL-07-010020
+
+- name: RHEL-07-010020 - Create comma-separated list
+  set_fact:
+    rhel_07_010020_violations: "{{ rhel_07_010020_files.stdout_lines | default([]) | join(', ') }}"
+  when:
+    - rhel_07_010020_files is defined
+    - rhel_07_010020_files.stdout_lines | length > 0
+  tags:
+    - high
+    - RHEL-07-010020
+
+- name: RHEL-07-010020 - The cryptographic hash of system files and commands must match vendor values (apt)
+  debug:
+    msg: >
+      The following files have checksums that differ from the checksum provided
+      with their package. Each of these should be verified manually to ensure
+      they have not been modified by an unauthorized user:
+      {{ rhel_07_010020_violations }}
+  when:
+    - ansible_os_family | lower == 'debian'
+    - rhel_07_010020_files is defined
+    - rhel_07_010020_files.stdout_lines | length > 0
+  tags:
+    - high
+    - RHEL-07-010020
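Review bot: `failed_when: False` on the "Gather debsums report" task hides a failed or absent debsums run, and because the redirect still creates an empty `debsums.txt`, the RHEL-07-010020 task that greps it then reports no violations — a compliance check that passes silently when its tool did not run. Register the result and only tolerate the exit codes the tool uses for "mismatches found" (debsums, as far as I recall, exits 2 in that case), e.g. `register: debsums_result` and `failed_when: debsums_result.rc not in [0, 2]`. While here, `state: installed` is a legacy alias of `state: present` in the apt module, and the `default([])` in the set_fact is dead since its `when` already requires `stdout_lines | length > 0`. A one-line header after the licence, such as `# RHEL-07-010020: report package files whose md5sum no longer matches the package's md5sums list (debsums)`, would make the file's purpose clear without reading the task names.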
diff --git a/tasks/rhel7stig/main.yml b/tasks/rhel7stig/main.yml
index db9b55b4..44da204e 100644
--- a/tasks/rhel7stig/main.yml
+++ b/tasks/rhel7stig/main.yml
@@ -42,10 +42,22 @@
     - always
     - skip_ansible_lint
 
+- include: apt.yml
+  when:
+    - ansible_os_family | lower == 'debian'
+  tags:
+    - apt
+
 - include: file_perms.yml
   tags:
     - file_perms
 
+- include: rpm.yml
+  when:
+    - ansible_os_family | lower == 'redhat'
+  tags:
+    - rpm
+
 - name: Remove the temporary directory
   file:
     path: "{{ temp_dir }}"
diff --git a/tasks/rhel7stig/rpm.yml b/tasks/rhel7stig/rpm.yml
new file mode 100644
index 00000000..9f554bf1
--- /dev/null
+++ b/tasks/rhel7stig/rpm.yml
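Review bot: The `when` placed on each new `include:` is attached to every task in the included file (static include semantics), so the `ansible_os_family | lower == 'debian'` / `'redhat'` tests repeated inside apt.yml and rpm.yml are redundant and will drift if one copy changes; keep the OS gate in one place, preferably here. The two includes are also placed asymmetrically around `file_perms.yml` (apt before, rpm after) with no comment saying why; if the order is deliberate, a comment such as `# rpm.yml reads the rpm -Va report from temp_dir, so it must run before the directory is removed` would document it, otherwise put them adjacent. The surrounding task list continues outside the hunk.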
@@ -0,0 +1,44 @@
+---
+# Copyright 2016, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: RHEL-07-010020 - Get files with invalid checksums (rpm)
+  shell: "grep '^..5' {{ temp_dir }}/rpmverify.txt | awk '{ print $NF }'"
+  register: rhel_07_010020_files
+  changed_when: False
+  when:
+    - not check_mode | bool
+    - ansible_os_family | lower == 'redhat'
+  tags:
+    - high
+    - RHEL-07-010020
+
+- name: RHEL-07-010020 - The cryptographic hash of system files and commands must match vendor values (rpm)
+  debug:
+    msg: |
+      The following files have checksums that differ from the checksum provided
+      with their package. Each of these should be verified manually to ensure
+      they have not been modified by an unauthorized user.
+
+      {% for filename in rhel_07_010020_files.stdout_lines %}
+      {{ filename }}
+      {% endfor %}
+  when:
+    - not check_mode | bool
+    - ansible_os_family | lower == 'redhat'
+    - rhel_07_010020_files is defined
+    - rhel_07_010020_files.stdout_lines | length > 0
+  tags:
+    - high
+    - RHEL-07-010020
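Review bot: `{{ temp_dir }}/rpmverify.txt` is consumed here but nothing in this commit writes it, unlike apt.yml which has its own "Gather debsums report" task; presumably an earlier task in main.yml (outside the hunk) captures `rpm -Va`, which should be confirmed, because if the file is missing grep only complains on stderr, the pipeline's exit status is awk's 0, and the check succeeds with an empty list. Either add a "Gather rpm verify report" task to this file mirroring the debsums one (`rpm -Va` exits non-zero when it finds discrepancies, so its `failed_when` needs the same care), or guard the read with a `stat` of the report and fail when it is absent. The `'^..5'` pattern is the digest column of `rpm -V` output and deserves a comment, e.g. `# column 3 of rpm -V output is '5': the file digest differs from the RPM database`, since the rpm database itself is what an attacker with root would alter and readers should know this is a local-db comparison, not a vendor one. Minor: the apt variant emits a comma-separated line via `>` and this one a Jinja loop inside `|`; picking one format for both makes the two reports comparable.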