diff --git a/defaults/main.yml b/defaults/main.yml
index aa60b71..828f388 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -42,3 +42,6 @@ python_dependencies:
   - python-dev
   - tk-dev
   - zlib1g-dev
+
+# Needed to get around restrictive umask on CIS-supplied images. Setting to Ubuntu default of 0022.
+python_pip_umask: '0022'
diff --git a/tasks/main.yml b/tasks/main.yml
index c29937b..c9a418b 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -23,7 +23,7 @@
   when: pip_installed.stat.exists == false
 
 - name: Upgrade pip
-  pip: name=pip state=latest executable="{{python_pip_path}}"
+  pip: name=pip state=latest executable="{{python_pip_path}}" umask="{{python_pip_umask}}"
 
 - name: Add system pip.conf
   template:
@@ -36,9 +36,9 @@
 
 # Install packages
 - name: Install/upgrade virtualenv
-  pip: name=virtualenv state=latest executable="{{python_pip_path}}"
+  pip: name=virtualenv state=latest executable="{{python_pip_path}}" umask="{{python_pip_umask}}"
   when: python_major_version == '2'
 
 - name: Install global packages
-  pip: name="{{item}}" state=present executable="{{python_pip_path}}"
+  pip: name="{{item}}" state=present executable="{{python_pip_path}}" umask="{{python_pip_umask}}"
   with_items: "{{python_global_packages}}"