Cannabis Surveillance Compliance Checklist
Cannabis compliance audits happen on a schedule (annual renewals, random inspections) and unscheduled (investigation-triggered, deficiency-followup). The facilities that pass both have one thing in common: they run the compliance checklist regularly, not just the week before an audit. This checklist covers the 26 items we walk through when helping a cannabis operator prepare for an inspection or audit response.
Bottom Line
Cannabis surveillance compliance is not a one-time deployment question — it is an ongoing discipline. Run this checklist at least quarterly. Any item answered no triggers corrective action. Facilities that run the checklist consistently rarely fail audits; facilities that only check before an audit often do.
Our team works with licensed cannabis operators on surveillance compliance. The 26 items below come from real inspection findings and audit-response engagements.
Best For
- Cannabis security directors preparing for scheduled or random audits
- Licensed operators responding to a compliance deficiency finding
- Multi-state operators standardizing compliance across jurisdictions
- New-license operators setting up initial surveillance compliance
Not For
- Unlicensed or informal cannabis operations
- Non-cannabis commercial deployments
In This Guide
Compliance Priorities
Coverage with no blind spots. Every operational room, every entry and exit, every transit path has camera coverage. Walk the facility with the floor plan in hand and verify every room visible from at least one camera.
Continuous 24/7 recording. Every operational camera records continuously, not motion-triggered. No idle periods, no dropped frames.
Retention at or beyond state minimum. Typical state minimums: 30 to 90 days US; 1 year Canada. Operators typically retain 50 to 100 percent longer as buffer.
Access controls with individual accounts. Every person with VMS access has a named account. No shared accounts. Every login, playback, and export logged.
Audit-export workflow that works. Documented SOP for producing exports on request. Multiple staff trained; not dependent on one person. Integrity metadata on exports.
Time synchronization with validated NTP. All cameras and NVR synchronized to a known time source. Seed-to-sale record timestamps should match camera timestamps.
Findings That Trigger License Review
Missing retention. Footage from the legally required window unavailable during an audit. This is the highest-severity finding and can trigger immediate license-review proceedings.
Blind spots in coverage. An inspector walks an area that is not visible on camera. Depending on severity (one room partially covered vs entire rooms uncovered), this can be a corrective action or a serious finding.
Shared or generic accounts. Surveillance accessed through a shared "manager" account rather than individual user accounts. Trails to individual actions are impossible; significant finding.
Tampering evidence. Any sign that footage was deleted, overwritten outside normal retention cycle, or modified. Can trigger license revocation.
Time mismatch between camera and seed-to-sale. Camera timestamps do not match the state tracking system (Metrc, BioTrack). Investigation-triggering.
Failed cameras not replaced promptly. A camera offline for days with no documented replacement plan. Facility is considered non-compliant during the offline period.
No audit export workflow. Inability to produce requested footage in a reasonable timeframe (hours, not days).
Recommended Compliance-Ready Products
Four picks that satisfy common cannabis compliance requirements out of the box.
Hanwha
Hanwha PRN-3200B2 32CH 8K 400Mbps H.265 AI NVR
PRN-3200B2
Hanwha 32-channel 8K AI NVR with audit-ready exports, RAID 6, and role-based access. Default for medium cultivation or processing.
Hanwha
Hanwha XRN-1620B2 16-Channel 4K NVR
XRN-1620B2
16-channel 4K NVR for retail dispensary with compliant VMS and audit-export workflow.
Hanwha
Hanwha QND-7082R 4MP Indoor IR Dome Camera
QND-7082R
Reliable 24/7 performance for grow rooms, processing, dispensary floor.
Hanwha
Hanwha PND-A9081RF 4K Indoor AI IR Dome IP Camera
PND-A9081RF
4K AI for register and vault positions where detailed capture matters.
The 26-Item Cannabis Compliance Checklist
Run this quarterly at minimum. Before any scheduled audit, run it twice and fix any no-answers.
Does every operational room have camera coverage?
Grow, processing, trim, packaging, vault, dispensary floor.
Is every entry and exit to the facility covered?
Interior and exterior side of every door.
Are all transit paths for product and plants covered?
Hallways, corridors, dock-to-vault paths.
Are there any blind spots visible on a walk-through?
Walk the facility with floor plan; verify every square foot is visible.
Are all cameras recording continuously 24/7?
Not motion-triggered; not scheduled; continuous.
Is retention at or beyond the state minimum?
Check the earliest retrievable footage.
Is the NVR storage right-sized with headroom?
150 percent of minimum retention is a safety margin.
Is RAID 5 or better configured on the NVR storage?
Single-drive failures should not cost footage.
Are there off-site or cloud backups for incident footage?
Optional but strongly recommended.
Do all cameras and NVR synchronize to a validated NTP time source?
Seed-to-sale record timestamps must match camera timestamps.
Do camera timestamps match seed-to-sale (Metrc, BioTrack) timestamps?
Verify during a spot-check inspection.
Does every person with VMS access have an individual named account?
No shared manager or staff accounts.
Is every login, playback, and export event logged?
Audit trail required in most state programs.
Is there a documented audit-export SOP?
Who receives requests, how identity is verified, how exports are produced and delivered.
Are multiple staff trained on the audit-export workflow?
Not dependent on one person; include cross-training.
Do exports include integrity metadata (hash, exporter, timestamp)?
Chain of custody requirement.
Is there a spare-camera plan for failures?
5-10 percent spares on-site; fast swap when a camera fails.
Is camera health monitored continuously?
Offline cameras should generate alerts, not be discovered at audit time.
Are vault and safe rooms covered by at least 2 cameras?
Different angles; retention may be longer than general.
Does the POS position have 4K or AI coverage?
Highest-value investigation position in a dispensary.
Are owner and manager remote access roles defined?
Role-based access with logging.
Is there a posted surveillance notice at public entries?
Often required by state program; always good practice.
Is the cybersecurity baseline configured (non-default passwords, TLS, firmware)?
Factory defaults are compliance failures in most state programs.
Is there a quarterly or more frequent internal compliance audit?
Self-audit finds gaps before regulators do.
Is there a compliance incident-response plan?
What happens when a camera fails, when an export is requested, when a deficiency is found.
Is the state license posted and accessible?
Basic operational requirement.
Frequently Asked Questions
How often should we run this compliance checklist?
Quarterly at minimum. Before every scheduled audit or inspection, run it twice. After any camera replacement or facility renovation, run it immediately.
What happens if an inspector finds a blind spot during a walkthrough?
Depends on the state and the severity. Minor blind spots (one room partially covered) typically result in a corrective-action requirement with a 30-60 day remediation window. Major blind spots (entire rooms uncovered) can trigger serious findings and potential license-review proceedings.
Do we need off-site backup for cannabis surveillance?
Not required in most state programs, but strongly recommended. On-premise theft of the NVR during a break-in is a real risk. Cloud-backed archival of incident footage is cheap insurance.
Can we use VMS cloud storage for compliance retention?
Varies by state. Some states require on-premise storage as primary; others accept cloud. Check your specific state program before using cloud as primary retention.
How do we handle a camera failure?
Immediate replacement from on-site spares; document the offline window; notify your compliance officer if the failure exceeds state-specific thresholds. Monitor camera health continuously so failures are caught fast, not at audit time.
Do we need to record audio?
Most state programs do not require audio. Audio recording creates significant privacy-law complexity and is typically disabled at commissioning. Two-party-consent states require all-party consent if audio is enabled.
No Bots, Just Experts
No bots, just experts. Free pre-sales support for every customer — product questions, BOM quotes, compatibility checks, price confirmation — typically answered within one business day. Paid services available like full system design, remote installation, and more. Got a BOM ready? Free project-pricing quote with volume discount on qualifying orders. Need the BOM designed first? Engineering time is $175/hour — we scope the hours with you before purchase, then deliver the designed BOM. Hardware buyers get up to one hour ($175) credited back against their order as a thank-you.