diff --git a/defaults/main.yml b/defaults/main.yml
index f5adb49f..27d663b3 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -501,6 +501,8 @@ security_enable_graphical_login_message_text: >
     authorized user of this system.
 
 
 ## Miscellaneous (misc)
+# Disable the autofs service.
+security_rhel7_disable_autofs: yes # RHEL-07-020161
 # Enable virus scanning with clamav
 security_enable_virus_scanner: no # RHEL-07-030810
diff --git a/doc/metadata/rhel7/RHEL-07-020161.rst b/doc/metadata/rhel7/RHEL-07-020161.rst
index f461020b..79a1f8a9 100644
--- a/doc/metadata/rhel7/RHEL-07-020161.rst
+++ b/doc/metadata/rhel7/RHEL-07-020161.rst
@@ -1,7 +1,12 @@
 ---
 id: RHEL-07-020161
-status: not implemented
+status: implemented
 tag: misc
 ---
 
-This STIG requirement is not yet implemented.
+The ``autofs`` service is stopped and disabled if it is found on the system.
+Deployers can opt out of this change by setting the following Ansible variable:
+
+.. code-block:: yaml
+
+    security_rhel7_disable_autofs: no
diff --git a/tasks/rhel7stig/misc.yml b/tasks/rhel7stig/misc.yml
index 4a2e09e6..6d405928 100644
--- a/tasks/rhel7stig/misc.yml
+++ b/tasks/rhel7stig/misc.yml
@@ -13,6 +13,28 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+- name: Check autofs service
+  command: systemctl status autofs
+  register: autofs_check
+  failed_when: autofs_check.rc not in [0,3]
+  changed_when: False
+  check_mode: no
+  tags:
+    - always
+
+- name: RHEL-07-020161 - File system automounter must be disabled unless required.
+  service:
+    name: autofs
+    state: stopped
+    enabled: no
+  when:
+    - "'not-found' not in autofs_check.stdout"
+    - security_rhel7_disable_autofs | bool
+  tags:
+    - medium
+    - misc
+    - RHEL-07-020161
+
 - name: Check if ClamAV is installed
   stat:
     path: /usr/bin/clamdscan
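Review bot: The comment above the new `security_rhel7_disable_autofs` default describes only the action, not its impact, yet the task it gates stops a running automounter and disables it at boot, which removes automounted home directories and NFS shares on hosts that depend on them. Since the default is opt-out, the comment should tell deployers when to flip it, e.g. `# Stop and disable the autofs service if it is installed. Set to no on hosts that rely on automounted filesystems (NFS home directories, removable media).` The `yes`/`no` spelling is consistent with the neighbouring `security_enable_virus_scanner: no`, so no change there.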
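Review bot: In the "Check autofs service" task the accepted exit codes `[0,3]` and the `'not-found' not in autofs_check.stdout` guard both depend on how the host's systemd reports an unknown unit; the RHEL 7 systemd does exit 3 with `Loaded: not-found` in stdout, but newer systemd releases report an unknown unit with LSB status 4 and the message on stderr, so on such a host the check task fails before the `when` on the RHEL-07-020161 task is ever evaluated. Accepting the unknown-unit status and keying the guard on the return code rather than on stdout text makes the detection portable: `failed_when: autofs_check.rc not in [0, 3, 4]` in the check task, and `- autofs_check.rc != 4` as an additional `when` item on the service task. `changed_when: False` is the only capitalised boolean in a task that otherwise writes `no`; `changed_when: false` keeps the style uniform. The surrounding task list continues past the end of the hunk.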