diff --git a/defaults/main.yml b/defaults/main.yml index 2e7d097f..a85d50e1 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -214,6 +214,7 @@ security_disable_module_sctp: yes # V-38515 security_disable_module_tipc: yes # V-38517 security_disable_module_usb_storage: no # V-38490 security_disable_icmpv4_redirects: no # V-38524 +security_disable_icmpv4_redirects_secure: no # V-38526 # # ** DANGER ** # It's strongly recommended to fully understand the effects of changing the diff --git a/doc/source/stig-notes/V-38526_developer.rst b/doc/source/stig-notes/V-38526_developer.rst index 3c57bba8..4e62ad76 100644 --- a/doc/source/stig-notes/V-38526_developer.rst +++ b/doc/source/stig-notes/V-38526_developer.rst @@ -1,13 +1,12 @@ -**Exception** +**Opt-in required** -The STIG makes several requirements for IPv4 network restrictions, but these -restrictions can impact certain network interfaces and cause service -disruptions. Some security configurations make sense for certain types of -network interfaces, like bridges, but other restrictions cause the network -interface to stop passing valid traffic between hosts, containers, or virtual -machines. +The STIG requires that secure ICMP redirects are disabled, but this can cause +issues in some virtualized or containerized environments. The Ansible tasks +in the security role will not disable these redirects by default. -The default network scripts and LXC userspace tools already configure various -network devices to their most secure setting. Since some hosts will act as -routers, enabling security configurations that restrict network traffic can -cause service disruptions for OpenStack environments. +Deployers who want to enable the task (and disable ICMP redirects), should set +the following Ansible variable: + +.. code-block:: yaml + + security_disable_icmpv4_redirects_secure: yes 
diff --git a/releasenotes/notes/adding-v38526-381a407caa566b14.yaml b/releasenotes/notes/adding-v38526-381a407caa566b14.yaml new file mode 100644 index 00000000..e495fac7 --- /dev/null +++ b/releasenotes/notes/adding-v38526-381a407caa566b14.yaml @@ -0,0 +1,8 @@ +--- +features: + - | + A task was added to disable secure ICMP redirects per the requirements in + V-38526. This change can cause problems in some environments, so it is + disabled by default. Deployers can enable the task (which disables secure + ICMP redirects) by setting ``security_disable_icmpv4_redirects_secure`` to + ``yes``. diff --git a/tasks/kernel.yml b/tasks/kernel.yml index 4b0653f5..46d6e761 100644 --- a/tasks/kernel.yml +++ b/tasks/kernel.yml @@ -196,3 +196,15 @@ - kernel - cat3 - CVE-2016-5696 + +- name: V-38526 - The system must not accept ICMPv4 secure redirect packets on any interface + sysctl: + name: net.ipv4.conf.all.secure_redirects + value: 0 + state: present + sysctl_set: yes + when: security_disable_icmpv4_redirects_secure | bool + tags: + - kernel + - cat2 + - V-38526
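Review bot: in the `V-38526_developer.rst` hunk, the sentence `Deployers who want to enable the task (and disable ICMP redirects), should set` has a stray comma before `should`, and the parenthetical should say "secure ICMP redirects": the task only touches `net.ipv4.conf.all.secure_redirects`, while ordinary redirect acceptance stays governed by the separate `security_disable_icmpv4_redirects` variable (V-38524) shown in the `defaults/main.yml` hunk. Suggest: `Deployers who want to enable the task (and disable secure ICMP redirects) should set the following Ansible variable:`. Naming the sysctl key the task changes in this note would also let deployers verify the result on a host after a run.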
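Review bot: in the release note hunk, `This change can cause problems in some environments, so it is disabled by default` is ambiguous about whether "it" is the task or the redirects; suggest `so the task is disabled by default`, which matches the parenthetical `(which disables secure ICMP redirects)` that follows and the `no` default added in `defaults/main.yml`.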
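Review bot: the new V-38526 task in `tasks/kernel.yml` sets only `net.ipv4.conf.all.secure_redirects`, leaving `net.ipv4.conf.default.secure_redirects` (the value inherited by interfaces created later, which is exactly the case in the virtualized and containerized environments the docs hunk warns about) and any existing per-interface values untouched. The kernel treats secure redirects as enabled on an interface when either the `all` setting or that interface's own setting is 1, so a host can still honor secure redirects after this task reports `changed`. If the intent is only to satisfy the V-38526 check this is sufficient, but otherwise consider a second `sysctl` item for `net.ipv4.conf.default.secure_redirects` under the same `when: security_disable_icmpv4_redirects_secure | bool` guard, and state the limitation in the developer note so deployers know what the variable does and does not change.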