diff --git a/defaults/main.yml b/defaults/main.yml
index 4b8d13b3..71d6d626 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -445,6 +445,8 @@ security_rhel7_remove_telnet_server: yes # RHEL-07-021910
 security_rhel7_remove_tftp_server: yes # RHEL-07-040500
 security_rhel7_remove_xorg: yes # RHEL-07-040560
 security_rhel7_remove_ypserv: yes # RHEL-07-020010
+# Automatically remove dependencies when removing packages.
+security_package_clean_on_remove: no # RHEL-07-020200
 ## RPM (rpm)
 # Enable GPG checks for remotely and locally installed packages. This includes
diff --git a/doc/metadata/rhel7/RHEL-07-020200.rst b/doc/metadata/rhel7/RHEL-07-020200.rst
index 1a27d8fd..eb6cbc0f 100644
--- a/doc/metadata/rhel7/RHEL-07-020200.rst
+++ b/doc/metadata/rhel7/RHEL-07-020200.rst
@@ -1,7 +1,17 @@
 ---
 id: RHEL-07-020200
-status: not implemented
-tag: misc
+status: opt-in
+tag: packages
 ---
-This STIG requirement is not yet implemented.
+Although the STIG requires that dependent packages are removed automatically
+when a package is removed, this can cause problems with certain packages,
+especially kernels. Deployers must opt in to meet the requirements of this STIG
+control.
+
+Deployers should set the following variable to enable automatic dependent
+package removal:
+
+.. code-block:: yaml
+
+ security_package_clean_on_remove: yes
diff --git a/tasks/rhel7stig/packages.yml b/tasks/rhel7stig/packages.yml
index 43815f42..71beb51d 100644
--- a/tasks/rhel7stig/packages.yml
+++ b/tasks/rhel7stig/packages.yml
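Review bot: The inline comment on the new `security_package_clean_on_remove` default does not say why the control ships disabled, and defaults/main.yml is the file deployers actually read when tuning the role; the companion doc page explains that automatic dependency removal can pull out kernel packages, so the caveat belongs next to the variable too. I would replace the one-line comment with `# Automatically remove dependencies when removing packages (yum` / `# clean_requirements_on_remove / apt AutomaticRemove). Off by default because` / `# dependency cleanup can remove kernel packages -- see RHEL-07-020200.` It is also worth a sentence noting that the variable deliberately lacks the `security_rhel7_` prefix because the tasks that consume it target Debian-family hosts as well as Red Hat ones.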
@@ -36,3 +36,32 @@
 - RHEL-07-040260
 - RHEL-07-040500
 - RHEL-07-040560
+
+- name: RHEL-07-020200 - Clean requirements/dependencies when removing packages (rpm)
+ lineinfile:
+ dest: /etc/yum.conf
+ regexp: "^(#)?clean_requirements_on_remove"
+ line: "clean_requirements_on_remove=1"
+ state: present
+ when:
+ - security_package_clean_on_remove | bool
+ - ansible_os_family | lower == 'redhat'
+ tags:
+ - low
+ - packages
+ - RHEL-07-020200
+
+- name: RHEL-07-020200 - Clean requirements/dependencies when removing packages (dpkg)
+ lineinfile:
+ dest: /etc/apt/apt.conf.d/security-autoremove
+ regexp: "^(#)?APT::Get::AutomaticRemove"
+ line: "APT{{ '::' }}Get{{ '::' }}AutomaticRemove \"0\";"
+ state: present
+ create: yes
+ when:
+ - security_package_clean_on_remove | bool
+ - ansible_os_family | lower == 'debian'
+ tags:
+ - low
+ - packages
+ - RHEL-07-020200
diff --git a/tests/test.yml b/tests/test.yml
index deee0af3..b279f005 100644
--- a/tests/test.yml
+++ b/tests/test.yml
@@ -70,5 +70,6 @@
 roles:
 - role: "openstack-ansible-security"
 vars:
+ security_package_clean_on_remove: yes
 security_unattended_upgrades_enabled: true
 security_unattended_upgrades_notifications: true
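Review bot: The dpkg task writes `APT::Get::AutomaticRemove "0";` when `security_package_clean_on_remove` is enabled, but `0` is false in apt's configuration syntax, so opting in on a Debian-family host explicitly disables automatic dependency removal — the opposite of what the rpm task does with `clean_requirements_on_remove=1` and the opposite of what RHEL-07-020200 asks for; since the tests hunk turns the variable on, a Debian CI node would be pinned to the wrong value without anything failing. The line should read `line: "APT{{ '::' }}Get{{ '::' }}AutomaticRemove \"true\";"` (apt also accepts `1`). A one-line comment above the task saying why `::` is written as `{{ '::' }}` — presumably to keep the colons out of Ansible's argument parsing, but the reason is not stated — would save the next reader a guess, e.g. `# '::' is templated so the option name survives Ansible's parsing of the line`.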