Cannabis Security in the Reclassification Era: What the Industry Must Build Now

This article was originally published as a LinkedIn long-form post. It is reprinted here for readers who prefer to engage with ICIP content directly on the site. Cannabis security is an area of deep focus for ICIP, and this piece addresses what federal reclassification means and does not mean for security programs right now.

Federal reclassification of cannabis from Schedule I to Schedule III is the most significant regulatory development in the industry's history. It has generated considerable discussion about banking access, tax treatment, and the eventual shape of federal oversight. What it has generated far less of is a clear-eyed conversation about what it means for security programs: what changes, what does not, and what operators should be doing right now.

I want to address that gap directly, because I am seeing it create predictable problems for operators who are either overreacting to reclassification or ignoring it entirely.

What Reclassification Changes for Cannabis Security

The most consequential near-term change is the trajectory of banking access. Normalized banking does not take effect the moment reclassification takes effect, and it will not be uniform across markets. But the direction is clear, and security programs designed entirely around cash-intensive operations need to begin planning for a transition that will substantially reshape the threat environment. The cash-handling infrastructure, vault standards, armored carrier relationships, and staffing models built around cash management will all evolve. Operators who plan that evolution deliberately will manage it far less expensively than those who react to it after the fact.

The second change is the expansion of the federal agency footprint. DEA oversight, FDA regulatory interest, and the federal law enforcement posture are all in motion. Security programs designed exclusively to satisfy state licensing bodies will need to account for a federal compliance dimension that did not previously exist in a meaningful operational sense.

What Reclassification Does Not Change

This is the more important conversation for most operators right now.

State licensing requirements remain fully intact. The camera coverage specifications, the access control mandates, the cash handling procedures, the background screening obligations, and the incident reporting requirements: none of these change because of the Schedule III designation. An operator who interprets reclassification as a signal to relax their state compliance posture is making an expensive mistake.

The threat environment does not change. The cash that attracts armed robbery is still present. The high-value inventory that drives diversion remains. The insider threat that accounts for the majority of product and financial loss in cannabis operations is still present. Reclassification does not reduce any of these threat vectors in the near term.

And the license, the asset on which all enterprise value rests, remains subject to the same state regulatory authority that has always governed it. Security program failures still produce regulatory enforcement. Regulatory enforcement still produces license jeopardy. That equation is unchanged.

The Problem Most Operators Are Not Talking About

Here is the observation I have made consistently across more than a decade of cannabis security work, spanning over twenty license applications in ten states and three years as a VP of Global Security for a publicly traded multi-state cannabis operator: most cannabis operators do not actually have the security program their license application committed to.

The pattern is predictable. Ownership directs the minimum investment required to pass the opening inspection and get the facility operational. The approved security plan, the document that a licensing authority will hold the operator accountable to at every subsequent inspection, is filed and rarely revisited. The gap between what was promised and what was built accumulates quietly until a regulatory inspector arrives and begins comparing the application's commitments to the actual program. At that moment, what looked like a compliance posture becomes a compliance liability.

This pattern exists across every market I have worked in. It is not unique to any particular operator type, license type, or state regulatory environment. It is the cannabis industry's default security posture, and reclassification does nothing to address it.

The Consolidation Accelerant

The industry is undergoing major consolidation right now, and that consolidation is making the compliance gap more expensive than ever.

When a multi-state operator or a well-capitalized acquirer conducts security due diligence on an acquisition target, they are not just evaluating the physical infrastructure. They are evaluating the regulatory compliance posture of every licensed facility in the portfolio. A security program that is a hodgepodge of mismatched systems across multiple sites is immediately identifiable as a capital expense that attaches to the transaction. A security program that is not in compliance with the approved application and has drifted from what was committed to regulators at licensing is a regulatory liability that attaches to the transaction.

These findings do not stay in the due diligence file. They become negotiating leverage for the acquirer and value reduction for the seller. I have seen this dynamic firsthand, and it is accelerating as the industry matures and acquirers become more sophisticated in their security assessment methodology.

The operator who has maintained genuine application compliance across their portfolio and can document that the security program as operated matches the security program as approved, enters a transaction from a position of strength. The operator who has not is funding their acquirer's remediation costs out of the transaction price.

What to Do Right Now

Pull your approved security application. Read it. Compare what it committed to against what your program actually delivers today. The gaps you find are your compliance liability and your transaction risk. Address them before a regulator or an acquirer does it for you.

If you are an MSO preparing for consolidation-era transactions, commission a security program assessment across your portfolio before you enter any process. Understanding your own compliance posture before a counterparty identifies it for you is the difference between managing a known cost and absorbing an unexpected one.

And if you are building or rebuilding a cannabis security program in this environment, build it to the application commitment first, then build beyond it. The regulatory floor is not the ceiling. In an industry entering a period of federal normalization and accelerating consolidation, the operators whose security programs reflect genuine investment and genuine compliance are not just better protected. They are worth more.

Shawn F. Wurtsmith, MBA, PSP, is the Managing Partner of ICIP LLC, a physical security consulting firm. He has contributed to more than twenty cannabis license applications across ten states, served as Vice President of Global Security for a publicly traded multi-state cannabis operator, and is currently developing Cannabis Security: The Definitive Guide for Operators, Professionals, and Policymakers, a comprehensive professional reference book for cannabis security practitioners, operators, and policymakers.