diff --git a/doc/metadata/rhel7/RHEL-07-040040.rst b/doc/metadata/rhel7/RHEL-07-040040.rst
index 014dd850..f50c0ab9 100644
--- a/doc/metadata/rhel7/RHEL-07-040040.rst
+++ b/doc/metadata/rhel7/RHEL-07-040040.rst
@@ -1,7 +1,12 @@
 ---
 id: RHEL-07-040040
-status: not implemented
-tag: misc
+status: verification only
+tag: auth
 ---
-This STIG requirement is not yet implemented.
+The tasks in the security role check for ``cackey`` or ``coolkey`` as
+acceptable values for ``use_pkcs11_module`` in
+``/etc/pam_pkcs11/pam_pkcs11.conf``. If neither are found, a message is printed
+in the Ansible output.
+
+This change only applies to systems that use PKI-based authentication.
diff --git a/tasks/rhel7stig/auth.yml b/tasks/rhel7stig/auth.yml
index cc56832c..411b35f0 100644
--- a/tasks/rhel7stig/auth.yml
+++ b/tasks/rhel7stig/auth.yml
@@ -420,3 +420,27 @@
 - medium
 - auth
 - RHEL-07-040030
+
+- name: Check for cackey or coolkey in the PAM PKCS11 auth configuration
+ shell: 'egrep "use_pkcs11_module = (cackey|coolkey)" /etc/pam_pkcs11/pam_pkcs11.conf'
+ register: pkcs11_key_check
+ changed_when: False
+ failed_when: False
+ check_mode: no
+ when:
+ - pkcs11_conf_check.stat.exists
+ tags:
+ - always
+
+- name: RHEL-07-040040 - Must use cackey/cookey for PKCS 11 auth
+ debug:
+ msg: >
+ PKI-based authentication attempts must use cackey or coolkey.
+ Review the documentation for RHEL-07-040040.
+ when:
+ - pkcs11_conf_check.stat.exists
+ - pkcs11_key_check.stdout.rc != 0
+ tags:
+ - medium
+ - auth
+ - RHEL-07-040040
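Review bot: The condition `pkcs11_key_check.stdout.rc != 0` on the RHEL-07-040040 debug task reads `rc` off the captured stdout string; the return code is an attribute of the registered result itself, so this should be `pkcs11_key_check.rc != 0`, otherwise the advisory message is not reliably emitted when neither module is configured. The grep pattern is also unanchored, so a commented-out `# use_pkcs11_module = coolkey;` line would satisfy the check; anchoring it to the start of the line, e.g. `grep -E '^[[:space:]]*use_pkcs11_module[[:space:]]*=[[:space:]]*(cackey|coolkey)' /etc/pam_pkcs11/pam_pkcs11.conf`, also retires the deprecated `egrep` alias. No shell features are used, so the `command` module would do the same job with a smaller surface, and `changed_when`/`failed_when`/`check_mode` should use lowercase `false` per yamllint's truthy rule. The task name's `cackey/cookey` looks like a typo for `coolkey`. `pkcs11_conf_check` is registered outside this hunk, so I am assuming it is a `stat` result whose `.stat.exists` is valid here.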