diff --git a/defaults/main.yml b/defaults/main.yml
index 4e52813b..97d726c5 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -519,6 +519,10 @@ security_enable_virus_scanner: no # RHEL-07-030810
 security_rhel7_disable_ctrl_alt_delete: yes # RHEL-07-020220
 # Install and enable firewalld for iptables management.
 security_enable_firewalld: no # RHEL-07-040290
+# Rate limit TCP connections to 25/min and burstable to 100.
+security_enable_firewalld_rate_limit: no # RHEL-07-040250
+security_enable_firewalld_rate_limit_per_minute: 25
+security_enable_firewalld_rate_limit_burst: 100
 
 ## Packages (packages)
 # Remove packages from the system as required by the STIG. Set any of these
diff --git a/doc/metadata/rhel7/RHEL-07-040250.rst b/doc/metadata/rhel7/RHEL-07-040250.rst
index 9641e70c..06ee2721 100644
--- a/doc/metadata/rhel7/RHEL-07-040250.rst
+++ b/doc/metadata/rhel7/RHEL-07-040250.rst
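Review bot: The new comment `# Rate limit TCP connections to 25/min and burstable to 100.` hard-codes the two numbers that the next two variables exist to override, so it goes stale as soon as a deployer changes either value. Tie the comment to the variables instead: `# Rate limit incoming TCP connections (RHEL-07-040250); the STIG's 25/minute with bursts to 100 are the defaults below.` The opt-in flag follows the file's existing `yes`/`no` style, which is fine for Ansible; the two numeric values are substituted unquoted into the firewall-cmd invocation added in tasks/rhel7stig/misc.yml in this same commit, so anything a deployer puts there goes straight into that command line.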
@@ -1,7 +1,32 @@
 ---
 id: RHEL-07-040250
-status: not implemented
+status: opt-in
 tag: misc
 ---
 
-This STIG requirement is not yet implemented.
+Although the STIG requires that incoming TCP connections are rate limited with
+``firewalld``, this setting can cause problems with certain applications which
+handle large amounts of TCP connections. Therefore, the tasks in the security
+role do not apply the rate limit by default.
+
+Deployers can opt in for this change by setting the following Ansible variable:
+
+.. code-block:: yaml
+
+ security_enable_firewalld_rate_limit: yes
+
+The STIG recommends a limit of 25 connection per minute and allowing bursts up
+to 100 connections. Both of these options are adjustable with the following
+Ansible variables:
+
+.. code-block:: yaml
+
+ security_enable_firewalld_rate_limit_per_minute: 25
+ security_enable_firewalld_rate_limit_burst: 100
+
+.. warning::
+
+ Deployers should test rate limiting in a non-production environment first
+ before applying it to production systems. Ensure that the application
+ running on the system is receiving a large volume of requests so that the
+ rule can be thoroughly tested.
diff --git a/tasks/rhel7stig/misc.yml b/tasks/rhel7stig/misc.yml
index 8443fec7..187e3577 100644
--- a/tasks/rhel7stig/misc.yml
+++ b/tasks/rhel7stig/misc.yml
@@ -158,3 +158,15 @@
 - medium
 - misc
 - RHEL-07-040290
+
+- name: Limit new TCP connections to 25/minute and allow bursting to 100
+ command: "firewall-cmd --direct --add-rule ipv4 filter IN_public_allow 0 -m tcp -p tcp -m limit --limit {{ security_enable_firewalld_rate_limit_per_minute }}/minute --limit-burst {{ security_enable_firewalld_rate_limit_burst }} -j ACCEPT"
+ register: add_rate_limit_firewalld_rule
+ changed_when: "'ALREADY_ENABLED' not in add_rate_limit_firewalld_rule.stdout"
+ when:
+ - firewalld_status_check.rc != 3
+ - security_enable_firewalld_rate_limit | bool
+ tags:
+ - medium
+ - misc
+ - RHEL-07-040250
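Review bot: The `command:` line in the tasks/rhel7stig/misc.yml hunk adds the limit rule with `firewall-cmd --direct --add-rule` and no `--permanent`, so it lands only in the runtime configuration and is gone after `firewall-cmd --reload` or a reboot, at which point the RHEL-07-040250 check fails again until the role is re-run. Running the same command once without and once with `--permanent` (a loop over the flag, as below) makes the rule both active now and persisted, and `changed_when` can keep its ALREADY_ENABLED test per iteration; if the firewalld build in use prints that warning to stderr rather than stdout, the task will report changed on every run, so check `add_rate_limit_firewalld_rule.stdout + add_rate_limit_firewalld_rule.stderr` instead. The task name hard-codes `25/minute` and `100` while the rule takes both from `security_enable_firewalld_rate_limit_per_minute` and `security_enable_firewalld_rate_limit_burst`, so it misleads once a deployer overrides either; a neutral name avoids that. The rule ends in `-j ACCEPT` with no matching drop, so packets beyond the limit fall through to whatever else is in IN_public_allow rather than being rejected; whether the limit is actually enforced depends on the rest of that chain, which is not visible in this hunk, and the `firewalld_status_check` fact it relies on is registered outside the hunk.
```yaml
- name: Limit incoming TCP connections with a firewalld rate limit
  command: "firewall-cmd {{ item }} --direct --add-rule ipv4 filter IN_public_allow 0 -m tcp -p tcp -m limit --limit {{ security_enable_firewalld_rate_limit_per_minute }}/minute --limit-burst {{ security_enable_firewalld_rate_limit_burst }} -j ACCEPT"
  register: add_rate_limit_firewalld_rule
  changed_when: "'ALREADY_ENABLED' not in add_rate_limit_firewalld_rule.stdout"
  with_items:
    - ''
    - '--permanent'
  # … unchanged: when and tags …
```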