diff --git a/defaults/main.yml b/defaults/main.yml
index 178b882a..458eaaf7 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -153,6 +153,9 @@ security_rhel7_audit_modprobe: yes # V-72195
 security_rhel7_audit_account_actions: yes # V-72197
 ## Authentication (auth)
+# Check if sudoers has the NOPASSWD rule enabled
+security_sudoers_nopasswd_check_enable: yes
+
 # Disallow logins from accounts with blank/null passwords via PAM.
 security_disallow_blank_password_login: yes # V-71937
 # Apply password quality rules.
diff --git a/doc/metadata/rhel7/V-71947.rst b/doc/metadata/rhel7/V-71947.rst
index bda50cf5..f4a19224 100644
--- a/doc/metadata/rhel7/V-71947.rst
+++ b/doc/metadata/rhel7/V-71947.rst
@@ -10,3 +10,9 @@ cannot perform interactive authentication.
 Automated edits from Ansible tasks might cause authentication disruptions on some hosts, and deployers are urged to carefully review each use of the ``NOPASSWD`` directive in their ``sudo`` configuration files.
+
+Deployers can opt-out of this change by setting an Ansible variable:
+
+.. code-block:: yaml
+
+   security_sudoers_nopasswd_check_enable: no
diff --git a/tasks/rhel7stig/auth.yml b/tasks/rhel7stig/auth.yml
index 4888b9cf..f337d311 100644
--- a/tasks/rhel7stig/auth.yml
+++ b/tasks/rhel7stig/auth.yml
@@ -111,6 +111,8 @@
   shell: 'grep -ir nopasswd /etc/sudoers /etc/sudoers.d/ | egrep -v "^([[:space:]]*)?(#|$)" || echo "not found"'
   register: sudoers_nopasswd_check
   changed_when: False
+  when:
+    - security_sudoers_nopasswd_check_enable | bool
   tags:
     - auth
     - medium
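Review bot: The new default `security_sudoers_nopasswd_check_enable: yes` is the only variable in this stanza without the STIG identifier comment that its neighbours carry (`# V-72197`, `# V-71937`), so the toggle cannot be traced back to its control from the defaults file alone. The documentation hunk in this same commit files the opt-out under V-71947, so the line should read `security_sudoers_nopasswd_check_enable: yes # V-71947`. The leading comment would also be more useful if it stated the effect of the toggle rather than restating the task, e.g. `# Check sudoers files for NOPASSWD rules (V-71947); set to no to skip the check.`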
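Review bot: Adding `when: security_sudoers_nopasswd_check_enable | bool` to a task that has `register: sudoers_nopasswd_check` means that, when the check is disabled, the registered variable holds a skipped result with no `stdout`, so any later task that evaluates `sudoers_nopasswd_check.stdout` will fail on an undefined attribute unless it carries the same condition or reads `sudoers_nopasswd_check.stdout | default('')`. The consumers are not visible from this hunk and the enclosing task's `- name:` line is above it, so this is inferred from the `register:` line; please confirm the follow-on tasks were guarded in the same commit. It may also be worth a one-line comment on the task that disabling this check leaves V-71947 unassessed rather than satisfied, since the skip silently removes the evidence a deployer would otherwise review.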