diff --git a/defaults/main.yml b/defaults/main.yml
index 570b1890..dbb947d0 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -266,6 +266,14 @@ security_ntp_servers:
 - 1.pool.ntp.org
 - 2.pool.ntp.org
 - 3.pool.ntp.org
+# Chrony limits access to clients that are on certain subnets. Adjust the
+# following subnets here to limit client access to chrony servers.
+security_allowed_ntp_subnets:
+ - 10/8
+ - 192.168/16
+ - 172.16/12
+# Listen for NTP requests only on local interfaces.
+security_ntp_bind_local_interfaces_only: yes
 # Restrict mail relaying.
 security_rhel7_restrict_mail_relaying: yes # V-72297
 # Deploy a login banner. # V-72225 / V-71863
diff --git a/templates/chrony.conf.j2 b/templates/chrony.conf.j2
index 1870f6ab..968abfb2 100644
--- a/templates/chrony.conf.j2
+++ b/templates/chrony.conf.j2
@@ -98,7 +98,5 @@ rtconutc
 # Listen for NTP requests only on local interfaces.
 port 0
 bindcmdaddress 127.0.0.1
-{% if not security_disable_ipv6 | bool %}
 bindcmdaddress ::1
 {% endif %}
-{% endif %}
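Review bot: The comments on the two new defaults in defaults/main.yml do not say how the variables relate to each other. With `security_ntp_bind_local_interfaces_only: yes` the chrony template keeps `port 0` (visible as context in the chrony.conf.j2 hunk), so `security_allowed_ntp_subnets` presumably has no effect until that flag is set to `no`. Once it is, the default list admits clients from all three RFC 1918 ranges, which is wider than most deployments need. I would say so in the comment, for example `# Only used when security_ntp_bind_local_interfaces_only is no; narrow these to the subnets that actually host NTP clients.` The template lines that consume either variable are not in this diff, so confirm they exist.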
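Review bot: In templates/chrony.conf.j2 the hunk drops the `{% if not security_disable_ipv6 | bool %}` guard, so `bindcmdaddress ::1` is now rendered even on hosts where the role has disabled IPv6, and chronyd will likely be unable to bind that address there. The guard looks like it should have been kept around `bindcmdaddress ::1`, with the whole stanza wrapped in `{% if security_ntp_bind_local_interfaces_only | bool %}`, since nothing in this hunk reads the new default. The remaining `{% endif %}` has to close a block opened above line 98, outside the hunk; if no such block exists the template no longer renders.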