diff --git a/tasks/configure_crypto_policy.yml b/tasks/configure_crypto_policy.yml
new file mode 100644
index 0000000000000000000000000000000000000000..2e96bf6667a47378bf0a08d53c6716f7a442e2e0
--- /dev/null
+++ b/tasks/configure_crypto_policy.yml
@@ -0,0 +1,15 @@
+---
+- name: Get crypto policy.
+  ansible.builtin.command:
+    cmd: "/usr/bin/update-crypto-policies --show"
+  register: crypto_policy
+  changed_when: false
+
+- name: Set crypto policy.
+  ansible.builtin.command:
+    cmd: "/usr/bin/update-crypto-policies --set FUTURE"
+  when: "'FUTURE' in crypto_policy.stdout"
+  notify:
+    - "restart sshd"
+    # The best soluion would be to reboot the server, but we won't do that for availability.
+  changed_when: false
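Review bot: The `when` on "Set crypto policy." looks inverted: `'FUTURE' in crypto_policy.stdout` runs the set command only on hosts that already report FUTURE and skips every host still on DEFAULT, so the policy is never tightened where it is needed. It should read `when: "'FUTURE' not in crypto_policy.stdout"`. The `changed_when: false` on the same task also stops it from ever reporting a change, and Ansible only runs notified handlers for changed tasks, so `restart sshd` will never fire. Dropping that line lets the handler run, and the corrected `when` already keeps the task idempotent. Because the policy is system-wide, a comment above the task noting that FUTURE affects every crypto-policies consumer on the host, not only sshd, would help operators anticipate client compatibility problems.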
diff --git a/tasks/main.yml b/tasks/main.yml
index 7afeceb1a5b4f5588928d68e330bf3d2fc50c247..6267bec4d51a5652b5a80953b9addb6cb14c3077 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -28,6 +28,11 @@
   ansible.builtin.import_tasks: "configure_ssh_hardening.yml"
   tags: [ssh]
 
+- name: Configure crypto policy. Settings in /etc/ssh/sshd_config keep getting overwritten if the crypto policy remains at Default.
+  ansible.builtin.import_tasks: "configure_crypto_policy.yml"
+  when: ansible_os_family == "RedHat"   # Debian doesn't use crypto-policy
+  tags: [ssh, cryptopolicy, crypto-policy, crypto_policy, cipher, kex]
+
 - name: configure fail2ban
   ansible.builtin.import_tasks: "configure_fail2ban.yml"
   tags: [fail2ban, ssh]
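Review bot: The guard `ansible_os_family == "RedHat"` on the new import also matches RedHat-family releases that do not ship `update-crypto-policies` (the tool arrived with EL8; EL7 and Amazon Linux 2 report the same family). On those hosts the first imported command would fail on the missing binary and abort the play. If the role still supports such hosts, narrow the condition, e.g. `when: ansible_os_family == "RedHat" and ansible_distribution_major_version | int >= 8`, or gate on an `ansible.builtin.stat` of `/usr/bin/update-crypto-policies`. The task name also carries the rationale as a full sentence; a short name such as `Configure crypto policy.`, with the sshd_config explanation moved to a `#` comment above it, would read better in play output.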