Question 1

What is a written ISP and why does my state care?

Accepted Answer

A written Information Security Program (ISP) documents your security controls, policies, and procedures. Several states now reference them explicitly in cannabis licensing rules, and others use them as evidence of due care in breach investigations. Without one, you're exposed at renewal and in litigation.

Question 2

Which states have cyber requirements for cannabis operators?

Accepted Answer

Illinois is the strictest — mandating MFA and encryption by rule. Connecticut, New York, Massachusetts, and California all have data security statutes that apply to cannabis operators via their data handling. We audit against your specific state(s).

Question 3

How long does LP-2 take?

Accepted Answer

Three weeks for a single state. Up to four and a half weeks for three states. You receive a written findings report, a gap remediation roadmap, and a control evidence binder formatted for your regulator.

Question 4

What's included in the Schedule III Readiness Assessment (LP-3)?

Accepted Answer

A two-week engagement mapping your current controls against DEA Schedule III security requirements (21 CFR 1301.71–1301.76), HIPAA Security Rule safeguards, and DSCSA track-and-trace parallels. Output: written gap report + prioritized roadmap.

Your license is your business. Don't let a cyber gap cost you it.

The gap shows up before the incident.

SKU-based work with clear output.

GRC Foundations Retainer

State Cannabis Cyber Compliance Audit

Schedule III Readiness Assessment

Assess → Deliver → Document

Assess

Deliver

Document

Built for cannabis operators.

Questions operators ask first.

Find out what's exposed in 90 seconds.