diff --git a/defaults/main.yml b/defaults/main.yml
index b8b880ed..edb9eb85 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -481,6 +481,8 @@ security_shadow_utils_fail_delay: 4 # RHEL-07-010420
 security_shadow_utils_umask: 077 # RHEL-07-020230
 # Create home directories for new users by default.
 security_shadow_utils_create_home: yes # RHEL-07-020630
+# How many old user password to remember to prevent password re-use.
+#security_password_remember_password: 5 # RHEL-07-010240
 
 ## File permissions (file_perms)
 # Reset file permissions and ownership for files installed via RPM packages.
diff --git a/doc/metadata/rhel7/RHEL-07-010240.rst b/doc/metadata/rhel7/RHEL-07-010240.rst
index 4997061f..41cc9036 100644
--- a/doc/metadata/rhel7/RHEL-07-010240.rst
+++ b/doc/metadata/rhel7/RHEL-07-010240.rst
@@ -1,7 +1,17 @@
 ---
 id: RHEL-07-010240
-status: not implemented
-tag: misc
+status: opt-in
+tag: auth
 ---
 
-This STIG requirement is not yet implemented.
+Although the STIG requires that five passwords are remembered to prevent re-
+use, this can cause issues in production environment if the change is not
+communicated well to users. Therefore, the tasks in the security role do not
+apply this change by default.
+
+Deployers can opt in for the change and specify a number of passwords to
+remember by setting the following Ansible variable:
+
+.. code-block:: yaml
+
+ security_password_remember_password: 5
diff --git a/tasks/rhel7stig/auth.yml b/tasks/rhel7stig/auth.yml
index b9d0a450..57505f0c 100644
--- a/tasks/rhel7stig/auth.yml
+++ b/tasks/rhel7stig/auth.yml
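Review bot: The new comment above the commented-out `security_password_remember_password` line in defaults/main.yml has a grammar slip (`old user password` should be `old user passwords`) and does not say that the variable is deliberately left undefined so that the RHEL-07-010240 task is skipped, which is the whole opt-in design of this change. Suggest `# Number of previous user passwords to remember to prevent re-use.` followed by `# Left undefined by default (opt-in); define it to apply RHEL-07-010240.` above the commented-out line. Since the value is interpolated verbatim into a PAM `remember=` argument, the comment could also state that it must be a plain integer.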
@@ -128,6 +128,20 @@
 - medium
 - RHEL-07-010210
 
+- name: RHEL-07-010240 - Passwords must be prohibited from reuse for a minimum of five generations.
+ lineinfile:
+ dest: "{{ pam_password_file }}"
+ regexp: '^(password\s+[a-z0-9\=\[\] ]+\s+pam_unix\.so.+?)\s+(?:remember=\d+)?$'
+ line: '\1 remember={{ security_password_remember_password }}'
+ backrefs: yes
+ state: present
+ when:
+ - security_password_remember_password is defined
+ tags:
+ - auth
+ - medium
+ - RHEL-07-010240
+
 - name: RHEL-07-010260 - The system must not have accounts configured with blank or null passwords
 lineinfile:
 dest: "{{ pam_auth_file }}"
diff --git a/tests/test.yml b/tests/test.yml
index e5fe6476..ac04ea9a 100644
--- a/tests/test.yml
+++ b/tests/test.yml
@@ -84,3 +84,4 @@
 security_search_for_invalid_owner: yes
 security_search_for_invalid_group_owner: yes
 security_enable_firewalld: yes
+ security_password_remember_password: 5
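Review bot: The regexp on the new RHEL-07-010240 task requires at least one whitespace character between the captured pam_unix.so arguments and the end of the line (`\s+(?:remember=\d+)?$`), so a password line that has no `remember=` argument yet and no trailing whitespace — exactly the state this task exists to correct — does not match, and with `backrefs: yes` lineinfile then leaves the file untouched without reporting anything. Making that whitespace optional, `regexp: '^(password\s+[a-z0-9\=\[\] ]+\s+pam_unix\.so.+?)\s*(?:remember=\d+)?$'`, lets the lazy `.+?` absorb the existing arguments on a stock line while still stripping an existing `remember=N` so it is replaced rather than duplicated. Because a non-matching regexp is a silent no-op in this form, registering the result and asserting that `remember=` is present afterwards would turn a future regexp mismatch into a visible failure instead of a control that only appears to be applied. The `when` guard checks only that the variable is defined; a non-integer value would render an invalid PAM argument, so `- security_password_remember_password | int > 0` (or a preceding `assert`) is a cheap second condition.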
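Review bot: The test playbook now sets `security_password_remember_password: 5`, which only exercises the new task if its regexp matches the pam_unix.so line on the test image; since a non-match with `backrefs: yes` is a silent no-op, the play would still pass with `remember=` never written. A follow-up step that reads the configured PAM file and asserts that the `password` pam_unix.so line contains `remember=5` would make the test actually verify the control. I cannot see from this hunk whether such a verification exists elsewhere in the test suite.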