The Department of Cannabis Control Inspection Checklist Your Installer Never Gave You.

You just got the notification. The California Department of Cannabis Control (DCC) is scheduling your security inspection, or worse, they already showed up, and you've got 14 days to fix what they found. Knowing how to pass a DCC security inspection comes down to getting a handful of technical details right. Most of them are the ones your installer never told you about.

The fines aren't hypothetical. DCC can hit you with $5,000 to $30,000 per violation. Repeat violations can trigger license suspension or revocation. The Unified Cannabis Enforcement Task Force seized $222 million in illegal cannabis between July and September 2025 alone. Enforcement isn't slowing down.

Most of what inspectors check is predictable. The specific requirements catch operators who assumed their camera system or alarm setup was "close enough."

What DCC Security Inspectors Actually Check

DCC inspections cover four security areas, each governed by specific sections of the California Code of Regulations Title 4.

Surveillance under § 15044 covers camera specs, coverage areas, recording rules, storage, and footage access. Access control under § 15042 covers employee badges, restricted area rules, and visitor protocols. Alarm systems under § 15047 cover monitored alarms, licensed installers, and written procedures. Records under § 15037 cover how long you keep documents, incident reports, and footage.

Inspectors can arrive scheduled or unscheduled. They can request footage on the spot. If your system can't produce it through remote access, that's a violation before they even check camera resolution. Any employee can be asked to show their badge on demand. Your alarm monitoring contract and maintenance records are fair game too.

The inspection isn't a conversation. It's a checklist. And every item below is on it.

The Camera Requirements Most Operators Get Wrong

This is where most failures happen. Six specific requirements trip people up more than anything else.

Continuous Recording, Not Motion-Triggered

This catches most operators. If your cameras are set to motion-only recording to save storage, you're non-compliant. DCC requires continuous 24/7 recording during all hours of operation and non-operation. Every second, every angle, no gaps. Inspectors can verify this on the spot by pulling up your recording logs.

A Sylmar cultivation facility in our monitoring network got approached at 5:02 AM on a Thursday in March. The Intervention Specialist was watching because the system was running continuous monitoring, not waiting for movement to trigger. Without continuous recording, that approach goes undocumented. That same gap creates a compliance problem when an inspector asks to see logs from the previous night.

Resolution and Frame Rate

Minimum spec is 1280x720 at 15 frames per second. Not 10 FPS. Not 720x480. If your system went in five years ago and nobody has checked the settings since, there's a decent chance it's recording below spec. An inspector can pull up a live feed and check on the spot.

NIST-Synchronized Timestamps

Your camera system's clock has to sync to the NIST atomic clock. Not your building's internet time. Not a manual setting. If the timestamps on your footage don't match NIST, the entire recording can be called into question during a DCC review. This is a quick fix if you know about it and a nasty surprise if you don't.

Camera in the NVR Room

The room housing your network video recorder needs its own camera. DCC wants to verify nobody is tampering with recorded footage. This one gets missed constantly because installers focus on coverage areas and forget the recording hardware itself.

POS Camera Clarity

Cameras covering point-of-sale stations must capture facial features with "sufficient clarity to determine identity." That's the actual regulatory language. A wide-angle overview of the sales floor doesn't meet it. You need a dedicated POS camera at an angle that captures faces, not the tops of heads.

Remote Footage Access

DCC can request footage right now, not tomorrow, not when your tech gets back from lunch. If your system needs someone to come pull files from a local hard drive, you're out of compliance. Remote access via TCP/Internet is required so clips can be handed over the moment an inspector asks.

This is one of the easiest ways to pass a DCC security inspection and one of the most common ways to fail it. The camera system might be perfect, but if nobody can view it remotely, the inspector treats it like the footage doesn't exist.

Alarm, Access Control, and Records

The Alarm Rule That Stops DIY Systems

DCC requires a professionally monitored alarm installed and maintained by a licensed integrator under § 15047. A Ring doorbell, a SimpliSafe kit, or any consumer system the owner installed doesn't qualify. California mandates that cannabis alarms be installed and monitored by an integrator holding a valid BSIS alarm company operator license, with a written monitoring contract on file.

You also need written alarm steps: who gets called, in what order, what the chain looks like, and how the system gets tested. Those steps need to be on paper and on hand. "The manager knows the drill" isn't enough.

Coverage must include all entry and exit points, any room containing cannabis or cannabis products, and any room with safes or vaults. Front door and back door only won't cut it if there's a side entrance or a ground-level window.

DCC requires a professionally monitored alarm. But the operators who learned that lesson the hard way didn't fail an inspection. They watched their own robbery footage the next morning. See why LA dispensaries keep getting robbed and what actually stops it.

Badges and Access Control

Every employee needs a badge. DCC specs: a 1" x 1.5" minimum photo, plastic-coated or laminated, worn visibly at all times on the licensed site. Expired badges, missing photos, or badges tucked in a pocket are all citable.

Restricted areas, including vault rooms, product storage, and processing rooms, must use badge, keycard, PIN, or biometric access. A locked door with a physical key doesn't meet the bar. DCC wants a digital log of who went into which area and when. That log has to be kept up and ready for review on demand.

Visitors count too. Non-employees must be logged, given visitor badges, and walked through restricted areas. An inspector who spots an unbadged delivery driver in the vault room alone is writing that up.

Records Retention: The 7-Year Rule

This one catches operators years after install. DCC requires security records to be kept for 7 years. That covers alarm contracts, service logs, incident reports, access records, and testing notes.

Video has a shorter window: 90 days minimum, though best practice is 120 to 180 days. After 90 days, footage can be overwritten. But if DCC asks for specific clips within those 90 days, you have to hand them over immediately. The 7-year rule means your first year's alarm contract needs to be on hand in year seven. Get confirmation in writing from your alarm company about what they retain and for how long.

The Pre-Audit Checklist: Five Steps Before the Inspector Shows Up

Run this as a self-audit before DCC does it for you.

Step 1: Audit your cameras against § 15044. Check continuous 24/7 recording, resolution, frame rate, NIST timestamps, NVR room camera, POS camera angle, and remote access. Don't assume your installer set everything to DCC spec. Pull up the settings and verify.

Step 2: Verify your alarm documentation. Make sure the monitoring contract is current and on file. Check that alarm operating procedures are written, dated, and accessible. Verify every entry point, product room, and vault has coverage. Confirm your installer's BSIS license is valid and on record.

Step 3: Check every badge. Walk the floor. Are all badges current with recognizable photos? Are they displayed visibly? One expired badge on inspection day is a citable violation.

Step 4: Test access control logs. Pull up yesterday's records. Can you show who entered the vault at 2:15 PM and match that entry to camera footage? If the log has gaps or the timestamps don't align, fix it before the inspector finds it.

Step 5: Confirm records are accessible. Can you produce your alarm contract from the date of installation? Your most recent maintenance record? Your last incident report? All within minutes, not days? Run this checklist quarterly.

What Happens When You Don't Pass

"Off the Charts" in San Francisco failed a DCC inspection in February 2025. The violations: batch tracking stickers missing from product, outdated employee badges, and gaps in their documentation. They got a 14-day window to fix it.

Fourteen days sounds manageable until you think about what "fix" means for a camera system. Ordering new gear, getting an installer on site, running cable, setting up NIST sync, testing remote access: that's a two-week job at minimum with a responsive integrator, assuming parts are on the shelf.

Operators who can't fix things in time face escalating fines: $5,000 for the first issue, scaling up to $30,000 per finding after that. Repeat patterns trigger license suspension.

Beyond the fines, insurance turns into a headache. DCC requires proof of coverage at license renewal: $1M per event, $2M total general liability, plus product liability. AB 2568 opened the carrier market, but insurers want to see compliant, monitored security. An active violation on record makes renewal harder and premiums steeper.

A Sylmar cannabis facility in our monitoring network had a trespasser approach at 12:41 AM on a November Sunday. The Intervention Specialist issued audio warnings, and the subject was deterred. The incident created a timestamped report that covers the monitoring log requirement DCC asks about during inspections. Compliant systems don't just pass inspections. They document themselves as they operate.

Outdoor cultivation sites and remote grow operations carry their own DCC monitoring requirements beyond what applies to retail dispensaries. See remote cannabis grow security for the full coverage breakdown.

Staying Compliant Between Inspections

Passing the first inspection is step one. Most violations DCC finds on follow-up visits happen because systems drift out of compliance over time, not because they were installed incorrectly.

Camera blind spots created by layout changes. New shelving, repositioned displays, or construction during an expansion can pull a camera angle off its intended coverage zone. The system still records. It just records the wrong area.

NVR storage is filling up or failing silently. If your 90-day retention drops to 60 days and you don't notice, you're non-compliant the day DCC walks in, regardless of whether everything else is working correctly.

Firmware and software updates can cause timestamp drift or resolution drops if skipped. Camera manufacturers push security patches regularly. Ignoring updates is one of the fastest ways to go from compliant to citable between visits.

Employee badge turnover. New hires without proper badges and former employees whose access wasn't revoked on termination day are two of the most common badge violations found on re-inspections.

A Chatsworth cannabis operator in our monitoring network had several people approach after midnight on a February night. The Intervention Specialist issued audio warnings, and they left. The monitoring logs from that interaction demonstrated active, timestamped coverage for that time period. That's the documentation that holds up during compliance reviews.

An annual security audit from a licensed integrator catches these issues before the inspector does. Your alarm integrator should review camera coverage, test alarm communication paths, verify access control logs, and confirm NVR health at least once per year. If you're still in the build-out phase, installing it right the first time is always cheaper than retrofitting later. See how to set up security for a new cannabis dispensary in California.

Frequently Asked Questions

What are the most common reasons dispensaries fail DCC security inspections?

The most common failures are camera-related: motion-triggered recording instead of continuous 24/7, resolution below 1280x720, missing NIST timestamp sync, no camera in the NVR room, and POS cameras that capture the top of a customer's head rather than identifiable facial features. The second most common category is documentation gaps: no written alarm procedures, expired badge photos, missing maintenance logs, or an alarm monitoring contract from an unlicensed provider.

What does "NIST-synchronized timestamps" mean, and why does it matter?

NIST stands for the National Institute of Standards and Technology, which maintains the official U.S. atomic clock. Your camera system must sync its time to that source automatically, not to your building's internet time or a manual clock setting. If your timestamps don't match NIST, DCC can challenge the integrity of your recordings during an investigation or audit. Most professional security integrators configure NIST sync during installation. If your system was installed by an unlicensed provider or a general contractor, it's worth checking.

Does DCC require a specific number of cameras?

No. DCC specifies required coverage zones, not camera counts. Every entry and exit point, all rooms containing cannabis or cannabis products, POS stations, vault and safe rooms, the NVR room, and parking areas must be covered. The number of cameras depends on your floor plan and layout. A 1,200-square-foot storefront typically needs 10 to 14 cameras to cover all zones. Your integrator should design the layout against a floor plan before installation, not estimate from memory.

Can I use a consumer alarm system like Ring to satisfy DCC requirements?

No. DCC requires that your alarm system be installed and monitored by an integrator holding a valid BSIS alarm company operator license. Consumer systems like Ring, SimpliSafe, and similar products don't qualify. Beyond the licensing requirement, DCC also requires written alarm operating procedures, documented response chains, and maintenance logs that consumer systems don't generate in a compliant format.

How long does DCC give you to fix violations after a failed inspection?

DCC typically issues a 14-day remediation notice for most technical violations. That window is shorter than most operators expect when they're looking at a camera compliance failure. Ordering equipment, scheduling an integrator, running cable, and testing the system can take two weeks under ideal conditions. Operators who discover compliance gaps during a self-audit have much more flexibility to fix things without the clock running.

Do I need to notify DCC if I change my security system after licensing?

Yes. Significant changes to your security setup require an update to your Security Operating Procedures on file with DCC. Changes that affect your DCC-LIC-018, including switching alarm monitoring companies, adding or removing cameras, or changing access control systems, may require an amended filing. What you submitted at licensing is what inspectors check against. Any divergence from that original documentation is a compliance gap.

Related Articles

• →Cannabis Security Guide for California Operators
• →Cannabis Remote Video Monitoring
• →Remote Cannabis Grow Security
• →Setting Up Security for a New Cannabis Dispensary in California
• →Why LA Dispensaries Keep Getting Robbed and What Actually Stops It
• →Live Video Monitoring Catches on Camera