The Complete Security Hardening Manual for Cannabis Seed-to-Sale Tracking Systems
Your compliance tracking system is a direct line to state regulators—and a prime target for attackers. This guide shows you exactly how to lock it down.
WHY THIS GUIDE MATTERS
Your seed-to-sale tracking system isn’t just compliance software. It’s a direct connection to state regulators containing:
- Your complete inventory records
- Every transaction your business has ever conducted
- Employee information and access credentials
- API keys that could be exploited
- Business intelligence competitors would pay for
When attackers compromise your Metrc or BioTrack credentials, they can:
- Manipulate your inventory records
- Create compliance violations that trigger audits
- Steal competitive business intelligence
- Lock you out during critical sales periods
- Cause regulatory penalties up to license revocation
Real-world incidents:
- 2023: California dispensary lost Metrc access for 72 hours during 4/20 weekend after credential theft
- 2024: Colorado cultivator faced $15,000 fine after API credentials were compromised and inventory records altered
- 2024: Michigan multi-location operator discovered ex-employee retained Metrc access for 8 months post-termination
This guide covers:
- Account security hardening
- API credential management
- User access controls
- Monitoring and alerting
- State-specific configurations for all 24 Metrc states
- BioTrack security for all BioTrack states
- Integration security best practices
- Incident response for tracking system compromises
SECTION 1: UNDERSTANDING YOUR TRACKING SYSTEM ATTACK SURFACE
1.1 What Attackers Target
Target | Why It’s Valuable | Risk Level
Admin credentials | Full system control, can add users, change settings | CRITICAL
User credentials | Transaction access, inventory manipulation | HIGH
API keys | Automated access, often over-permissioned | CRITICAL
Integration accounts | Bridge between POS and tracking system | HIGH
Session tokens | Hijack active sessions | MEDIUM
Backup credentials | Often forgotten, never rotated | HIGH
1.2 Common Attack Vectors
Credential Theft
- Phishing emails targeting compliance staff
- Credential stuffing (reused passwords from other breaches)
- Keyloggers on shared workstations
- Shoulder surfing in open office environments
API Exploitation
- Hardcoded credentials in POS integrations
- Exposed API keys in code repositories
- Over-permissioned API accounts
- Lack of API key rotation
Insider Threats
- Terminated employees with active access
- Over-privileged users
- Shared accounts hiding individual actions
- Contractors with persistent access
Session Hijacking
- Public WiFi usage
- Shared computers without logout
- Browser session theft
- Man-in-the-middle attacks
1.3 Compliance Tracking System Architecture
┌───────────────────────────────────────────────────┐
│              STATE REGULATORY SYSTEM              │
│             (Metrc / BioTrack Server)             │
└───────────────────────────────────────────────────┘
                          ▲
                          │ HTTPS/API
                          │
        ┌─────────────────┼─────────────────┐
        │                 │                 │
        ▼                 ▼                 ▼
┌───────────────┐ ┌───────────────┐ ┌───────────────┐
│  Web Browser  │ │  POS System   │ │  Third-Party  │
│   (Manual)    │ │    (API)      │ │ Integrations  │
└───────────────┘ └───────────────┘ └───────────────┘
        │                 │                 │
        ▼                 ▼                 ▼
┌───────────────┐ ┌───────────────┐ ┌───────────────┐
│   Employee    │ │   API Keys    │ │    Vendor     │
│  Credentials  │ │  Credentials  │ │  Credentials  │
└───────────────┘ └───────────────┘ └───────────────┘
SECURITY POINTS:
★ Each connection point is an attack surface
★ Each credential type requires different protection
★ Each integration multiplies risk
Every arrow in this diagram is a potential attack path.
SECTION 2: METRC SECURITY CONFIGURATION
2.1 Metrc System Overview
Metrc (Marijuana Enforcement Tracking Reporting Compliance) is the most widely used cannabis tracking system, operating in 24 states plus US Virgin Islands.
Current Metrc States (as of December 2025):
State | Launch Date | Sync Requirement | Unique Considerations
Alaska | 2018 | 24 hours | Remote access challenges
California | 2018 | Real-time (2025) | Largest market, strictest enforcement
Colorado | 2014 | 15 minutes | Original Metrc state, mature rules
Louisiana | 2022 | 24 hours | Medical only, limited licenses
Maine | 2020 | 24 hours | Adult-use + medical
Maryland | 2017 | 24 hours | Transitioning to adult-use
Massachusetts | 2018 | 24 hours | Strict compliance culture
Michigan | 2019 | 24 hours | Large market, active enforcement
Minnesota | 2025 | 24 hours | New adult-use market
Mississippi | 2024 | 24 hours | Medical only
Missouri | 2023 | 24 hours | Fast-growing market
Montana | 2022 | 24 hours | Rural access challenges
Nevada | 2017 | 24 hours | Tourism-driven market
New Jersey | 2022 | 24 hours | High compliance focus
Ohio | 2024 | 24 hours | New adult-use market
Oklahoma | 2019 | 24 hours | Highest license count nationally
Oregon | 2016 | 24 hours | Mature market
South Dakota | 2024 | 24 hours | Medical program
US Virgin Islands | 2023 | 24 hours | Unique territorial rules
Virginia | 2024 | 24 hours | Limited medical program
Washington DC | 2022 | 24 hours | Medical only, unique jurisdiction
West Virginia | 2021 | 24 hours | Medical program
Note: California transitioned to real-time sync requirements as of January 1, 2025—the strictest in the nation.
2.2 Metrc Account Security Hardening
2.2.1 Password Requirements
Metrc Minimum Requirements:
- 8+ characters
- Upper and lowercase letters
- At least one number
- At least one special character
CannaSecure Recommended Requirements:
- 16+ characters minimum
- Use passphrase format (e.g., “Correct-Horse-Battery-Staple-2025!”)
- Unique password not used anywhere else
- Stored in enterprise password manager only
- Changed every 90 days or immediately if suspected compromise
Password Configuration Checklist:
User | Password Length | Unique? | In Password Manager? | Last Changed
________ | ☐ 16+ chars | ☐ Yes | ☐ Yes | ________
________ | ☐ 16+ chars | ☐ Yes | ☐ Yes | ________
________ | ☐ 16+ chars | ☐ Yes | ☐ Yes | ________
________ | ☐ 16+ chars | ☐ Yes | ☐ Yes | ________
2.2.2 Multi-Factor Authentication (MFA)
Metrc MFA Status by State:
State | MFA Available | MFA Required | MFA Type
California | ✅ Yes | ✅ Required (2025) | TOTP Authenticator
Colorado | ✅ Yes | ⚠️ Recommended | TOTP Authenticator
Michigan | ✅ Yes | ⚠️ Recommended | TOTP Authenticator
Nevada | ✅ Yes | ⚠️ Recommended | TOTP Authenticator
Massachusetts | ✅ Yes | ⚠️ Recommended | TOTP Authenticator
[All others] | ✅ Yes | ⚠️ Recommended | TOTP Authenticator
MFA Setup Instructions:
- Log into Metrc → Click username (top right) → My Account
- Navigate to Security Settings → Two-Factor Authentication
- Click Enable 2FA
- Use authenticator app to scan QR code:
  - Recommended: 1Password, Authy, Microsoft Authenticator
  - Acceptable: Google Authenticator
  - NOT recommended: SMS (SIM swap vulnerable)
- Enter verification code to confirm setup
- Save backup codes securely:
  - Store in password manager
  - Print physical copy for safe
  - Do NOT store in email or cloud documents
MFA Implementation Checklist:
User | MFA Enabled? | Method | Backup Codes Secured?
________ | ☐ Yes | ________ | ________
________ | ☐ Yes | ________ | ________
________ | ☐ Yes | ________ | ________
________ | ☐ Yes | ________ | ________
________ | ☐ Yes | ________ | ________
________ | ☐ Yes | ________ | ________
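The TOTP codes the authenticator app produces during the setup above, and the backup codes you are told to save, are easy to reason about once you see the arithmetic. The following is an added example, not Metrc's or BioTrack's code: it implements RFC 4226 HOTP and RFC 6238 TOTP (the scheme the "TOTP Authenticator" column refers to), a server-side verifier that tolerates one step of clock skew, the Base32 decoding of the secret carried in the QR code, and single-use backup codes stored only as hashes. The demo secret is the RFC reference key and the enrollment flow is simulated in memory; both are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import secrets
import struct

# Constructed demo secret: the RFC 4226 / RFC 6238 reference key. A real Metrc or
# BioTrack enrollment gives each user a unique secret through the QR code.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_unix: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the number of 30-second steps since the Unix epoch.
    This is exactly what the authenticator app computes every 30 seconds."""
    return hotp(secret, at_unix // step, digits)


def verify_totp(secret: bytes, code: str, at_unix: int, window: int = 1, step: int = 30) -> bool:
    """Server-side check: accept the current step and +/- `window` neighbours to absorb
    clock skew, comparing in constant time so timing does not leak partial matches."""
    counter = at_unix // step
    return any(
        hmac.compare_digest(hotp(secret, counter + delta), code)
        for delta in range(-window, window + 1)
    )


def secret_from_base32(b32: str) -> bytes:
    """The QR code carries the secret Base32-encoded (otpauth URI `secret=` parameter);
    decode it the way an authenticator app does, tolerating missing padding."""
    cleaned = b32.strip().replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def issue_backup_codes(store: set, count: int = 8) -> list:
    """Issue single-use backup codes. Only SHA-256 hashes are kept in `store`, so a copy
    of the store cannot be used to log in; the plaintext list is shown to the user once,
    which is why the guide says to keep it in a password manager or a safe."""
    codes = [secrets.token_hex(4) for _ in range(count)]
    store.update(hashlib.sha256(c.encode()).hexdigest() for c in codes)
    return codes


def redeem_backup_code(store: set, code: str) -> bool:
    """Consume a backup code; a second use of the same code is rejected."""
    digest = hashlib.sha256(code.strip().lower().encode()).hexdigest()
    if digest in store:
        store.discard(digest)
        return True
    return False


if __name__ == "__main__":
    now = 59  # RFC 6238 test-vector time; the expected 6-digit code is 287082
    print("code at T=59:", totp(DEMO_SECRET, now))
    print("verify:", verify_totp(DEMO_SECRET, totp(DEMO_SECRET, now), now))
```

The skew window is the reason a code still works for a few seconds after the app rolls over; widening it beyond one step only buys an attacker more valid codes per secret, so keep it small. Storing backup codes as hashes mirrors why the guide forbids keeping the plaintext list in email or cloud documents: whoever holds the plaintext holds a second factor.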
2.2.3 Account Lockout Settings
Metrc Default Settings:
- Lockout after 5 failed attempts
- 30-minute lockout period
- Account unlock by admin or timeout
Recommended Monitoring:
- Alert on 3+ failed login attempts
- Investigate any lockout immediately
- Document lockout incidents
Lockout Response Procedure:
- Do NOT immediately unlock—investigate first
- Contact user via phone (not email) to verify
- Check for other suspicious activity
- If legitimate, reset password AND unlock
- If suspicious, investigate before unlocking
- Document incident in security log
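The monitoring rule above (alert at 3 failures, before Metrc's own 5-attempt lockout) is worth implementing as detection logic rather than a manual log read, because a credential-stuffing run that guesses correctly on the third or fourth try never triggers a lockout at all. The following is an added example, not part of the original guide and not Metrc's log format: it runs a per-user sliding window over constructed login audit lines and raises an alert both when the threshold is reached and when a login succeeds while a burst is still open. The line layout, the 30-minute window and the sample IPs are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed login audit lines. The layout is an assumption; a real Metrc or BioTrack
# export differs, but any usable one carries a timestamp, user, result and source IP.
SAMPLE_LOGIN_LOG = """\
2025-03-04T09:15:02Z user=jdoe result=FAIL ip=203.0.113.5
2025-03-04T09:15:20Z user=jdoe result=FAIL ip=203.0.113.5
2025-03-04T09:15:41Z user=jdoe result=FAIL ip=203.0.113.5
2025-03-04T09:16:05Z user=jdoe result=SUCCESS ip=203.0.113.5
2025-03-04T09:30:00Z user=asmith result=FAIL ip=198.51.100.7
2025-03-04T10:45:00Z user=asmith result=FAIL ip=198.51.100.7
2025-03-04T11:00:00Z user=asmith result=SUCCESS ip=198.51.100.7
"""

ALERT_AFTER_FAILURES = 3          # guide: alert at 3+, below Metrc's 5-attempt lockout
WINDOW = timedelta(minutes=30)    # assumption: aligned with Metrc's 30-minute lockout period


def parse_login_line(line: str) -> dict:
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_login_abuse(log_text: str, threshold: int = ALERT_AFTER_FAILURES,
                       window: timedelta = WINDOW) -> list:
    """Per-user sliding window of failed logins. Emits ("FAILED_LOGIN_BURST", user, ts)
    once `threshold` failures fall inside `window`, and ("SUCCESS_AFTER_BURST", user, ts)
    if a login then succeeds while the burst is still open: the trace a credential-stuffing
    attempt leaves when it lands on the right password before the lockout fires, and the
    case the guide says to verify by phone rather than simply unlock."""
    fails = defaultdict(deque)
    burst_open = set()
    alerts = []
    for line in log_text.splitlines():
        rec = parse_login_line(line)
        user, ts = rec["user"], rec["ts"]
        q = fails[user]
        while q and ts - q[0] > window:    # expire failures older than the window
            q.popleft()
        if not q:
            burst_open.discard(user)
        if rec["result"] == "FAIL":
            q.append(ts)
            if len(q) >= threshold and user not in burst_open:
                burst_open.add(user)
                alerts.append(("FAILED_LOGIN_BURST", user, ts))
        else:
            if user in burst_open:
                alerts.append(("SUCCESS_AFTER_BURST", user, ts))
            q.clear()                       # a clean login closes the window
            burst_open.discard(user)
    return alerts


if __name__ == "__main__":
    for kind, user, ts in detect_login_abuse(SAMPLE_LOGIN_LOG):
        print(f"{ts.isoformat()} {kind} user={user}")
```

On the sample data the user jdoe trips the 3-failure alert and then logs in successfully a few seconds later, which is exactly the sequence to verify by phone before touching the account; asmith's two failures are 75 minutes apart and never count together. Raising the threshold to Metrc's own lockout value of 5 produces no alert at all for this data, which is the gap the guide's lower threshold closes.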
2.2.4 Session Security
Metrc Session Timeout:
- Default: 15-30 minutes of inactivity (varies by state)
- Session terminates on browser close
Best Practices:
Practice | Implementation
Always log out when finished | Click “Logout” explicitly
Never use “Remember Me” | Disable if available
Clear browser data after session | Use incognito/private browsing
Don’t access on shared computers | Use dedicated workstations
Never access on public WiFi | Use VPN if remote access needed
2.3 Metrc User Management
2.3.1 User Roles and Permissions
Metrc Standard Roles:
Role | Permissions | Who Should Have It
Admin | Full access, user management, settings | Owner, Compliance Manager only
Manager | Most functions, no user management | General Manager, Operations Lead
Data Entry | Create/edit packages, record sales | Budtenders, Inventory Staff
View Only | Read-only access to reports | Accountants, Consultants
Principle of Least Privilege: Every user should have the minimum access required to do their job.
User Access Review Checklist:
User | Role | Access Justified? | Last Review | Action Needed
________ | ________ | ☐ Yes ☐ No | ________ | ________
________ | ________ | ☐ Yes ☐ No | ________ | ________
________ | ________ | ☐ Yes ☐ No | ________ | ________
2.3.2 User Provisioning Process
New User Setup Procedure:
Authorization Required
- Written request from department manager
- Approved by Compliance Officer
- Documented in HR file
Background Verification
- Confirm state background check completed
- Verify employee badge issued
- Confirm employment start date
Account Creation
- Use business email only (no personal)
- Assign appropriate role (least privilege)
- Set temporary password
Initial Setup (with employee)
- Employee creates permanent password (16+ chars)
- Employee enables MFA on their device
- Employee saves backup codes securely
- Employee signs Metrc acceptable use policy
Documentation
- Record account creation date
- Record role assigned
- File signed policy acknowledgment
New User Checklist:
☐ Authorization documented
☐ Background check verified
☐ Account created with correct role
☐ Password requirements met
☐ MFA enabled and verified
☐ Backup codes secured
☐ Acceptable use policy signed
☐ Access documented in user log
2.3.3 User Deprovisioning Process
⚠️ CRITICAL: Deactivate Metrc access IMMEDIATELY upon termination
Same-Day Termination Procedure:
Time | Action | Responsible
T+0 (Termination) | Disable Metrc account | Compliance Officer
T+0 | Change any shared passwords user knew | IT Lead
T+0 | Revoke API keys user had access to | IT Lead
T+1 hour | Verify account disabled | Manager
T+24 hours | Audit recent account activity | Compliance Officer
Metrc Account Deactivation Steps:
- Log in as Admin
- Navigate to Admin → Employees
- Find employee record
- Click “Deactivate”
- Confirm deactivation
- Screenshot confirmation for documentation
Deprovisioning Checklist:
☐ Metrc account deactivated
☐ Deactivation screenshot saved
☐ Shared passwords changed
☐ API keys rotated (if applicable)
☐ Recent activity audited
☐ Deprovisioning documented
Quarterly Access Review:
User | Still Employed? | Role Still Appropriate? | Action
________ | ☐ Yes ☐ No | ☐ Yes ☐ No | ________
________ | ☐ Yes ☐ No | ☐ Yes ☐ No | ________
________ | ☐ Yes ☐ No | ☐ Yes ☐ No | ________
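The quarterly review above answers two questions per account, "still employed?" and "role still appropriate?", and the Michigan incident in the introduction (an ex-employee with eight months of post-termination access) is what happens when nobody asks the first one. As an added example that is not part of the guide and not Metrc's export format, the following cross-references a constructed tracking-system user export against a constructed HR roster and produces the review findings automatically, using the role table in 2.3.1 as the maximum role per job title. Column names, e-mail domains and the role ranking are assumptions.

```python
import csv
import io

# Constructed sample exports. Neither is the real Metrc export format, which is assumed
# here to provide at least an e-mail, a role and an active flag per user.
HR_ROSTER_CSV = """\
email,name,title,status
owner@example-dispensary.test,Pat Owner,Owner,active
cm@example-dispensary.test,Sam Compliance,Compliance Manager,active
gm@example-dispensary.test,Lee Manager,General Manager,active
bud1@example-dispensary.test,Ari Budtender,Budtender,active
bud2@example-dispensary.test,Kim Budtender,Budtender,terminated
"""

METRC_USERS_CSV = """\
email,role,active
owner@example-dispensary.test,Admin,true
cm@example-dispensary.test,Admin,true
gm@example-dispensary.test,Admin,true
bud1@example-dispensary.test,Data Entry,true
bud2@example-dispensary.test,Data Entry,true
frontdesk@example-dispensary.test,Data Entry,true
contractor@outside-vendor.test,View Only,false
"""

# Section 2.3.1's "Who Should Have It" column expressed as the maximum role per title.
ALLOWED_ROLE_BY_TITLE = {
    "Owner": "Admin",
    "Compliance Manager": "Admin",
    "General Manager": "Manager",
    "Operations Lead": "Manager",
    "Budtender": "Data Entry",
    "Inventory Staff": "Data Entry",
    "Accountant": "View Only",
    "Consultant": "View Only",
}
ROLE_RANK = {"View Only": 0, "Data Entry": 1, "Manager": 2, "Admin": 3}


def review_access(hr_csv: str, users_csv: str) -> list:
    """Cross-reference active tracking-system accounts against HR. Returns
    (email, finding, detail) tuples; already-deactivated accounts are skipped.
    Findings map onto the review table: NOT_EMPLOYED and NO_HR_RECORD answer
    "Still Employed?", ROLE_EXCEEDS_TITLE answers "Role Still Appropriate?"."""
    roster = {r["email"].lower(): r for r in csv.DictReader(io.StringIO(hr_csv))}
    findings = []
    for u in csv.DictReader(io.StringIO(users_csv)):
        if u["active"].strip().lower() != "true":
            continue
        email = u["email"].lower()
        person = roster.get(email)
        if person is None:
            # No matching employee: a shared account, a contractor, or an unknown login.
            findings.append((email, "NO_HR_RECORD", "shared, contractor or unknown account"))
            continue
        if person["status"] != "active":
            findings.append((email, "NOT_EMPLOYED", person["status"]))
            continue
        allowed = ALLOWED_ROLE_BY_TITLE.get(person["title"], "View Only")
        if ROLE_RANK[u["role"]] > ROLE_RANK[allowed]:
            findings.append((email, "ROLE_EXCEEDS_TITLE",
                             f"{u['role']} exceeds {allowed} for {person['title']}"))
    return findings


if __name__ == "__main__":
    for email, finding, detail in review_access(HR_ROSTER_CSV, METRC_USERS_CSV):
        print(f"{finding:20} {email:40} {detail}")
```

On the sample data the review flags the general manager holding Admin where the role table allows Manager, the terminated budtender whose account is still active, and a "frontdesk" account that no individual employee owns (the shared-account pattern from section 1.2). Titles missing from the mapping default to View Only, so an unrecognised job title surfaces as a finding instead of silently passing.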
2.4 Metrc API Security
2.4.1 Understanding Metrc API Keys
What is an API Key? An API (Application Programming Interface) key is a credential that allows your POS system or other software to communicate directly with Metrc without human login.
API Key Components:
- User Key: Identifies your Metrc user account
- Software Key: Identifies the integrated software (POS)
- Vendor Key: Identifies the software vendor
Why API Keys Are Critical:
- They have automated access to your data
- They often run 24/7 without supervision
- Compromised keys can operate undetected
- They may have broader permissions than needed
2.4.2 API Key Security Best Practices
Storage Requirements:
✅ Acceptable:
- Enterprise password manager (1Password, LastPass Business)
- Encrypted secrets vault (AWS Secrets Manager, HashiCorp Vault)
- Hardware security module (HSM)
- Encrypted environment variables
❌ Never Acceptable:
- Plaintext in code files
- Email or chat messages
- Spreadsheets or documents
- Sticky notes or paper
- Shared drives or cloud storage
- Code repositories (GitHub, GitLab)
API Key Management Checklist:
Key Name | Purpose | Stored Securely? | Last Rotated | Rotation Due
________ | ________ | ☐ Yes | ________ | ________
________ | ________ | ☐ Yes | ________ | ________
________ | ________ | ☐ Yes | ________ | ________
2.4.3 API Key Rotation Procedure
Rotation Frequency:
- Minimum: Every 90 days
- Recommended: Every 30 days
- Immediately: After any suspected compromise
- Immediately: After any employee termination with API access
Rotation Steps:
1. Generate new API key in Metrc
   - Admin → API Keys → Generate New
2. Update POS/integration systems with new key
   - Follow POS vendor documentation
   - Test in staging environment if available
3. Verify new key is working
   - Confirm sync is successful
   - Monitor for errors
4. Revoke old API key
   - Admin → API Keys → Revoke
   - Do this only AFTER new key is confirmed working
5. Document rotation
   - Record date, reason, who performed
API Key Rotation Log:
Date | Key Name | Reason | Performed By | Old Key Revoked?
________ | ________ | Scheduled rotation | ________ | ☐ Yes
________ | ________ | ________ | ________ | ☐ Yes
________ | ________ | ________ | ________ | ☐ Yes
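The ordering in the rotation steps is the whole point: a key revoked before the replacement is confirmed working takes the POS offline and starts the sync-failure clock. The following is an added example, not part of the guide and not Metrc's or any POS vendor's API: it drives the generate, update, verify, revoke and document sequence against in-memory stand-ins for the key registry and the POS credential store, refuses to revoke out of order, rolls back when the test sync fails, writes the rotation-log entry the table above asks for, and ages keys against the 30-day target and 90-day maximum. Key identifiers, dates and the integration name are constructed.

```python
import secrets
from datetime import date

ROTATION_MAX_DAYS = 90      # guide minimum rotation frequency
ROTATION_TARGET_DAYS = 30   # guide recommendation


class RotationOrderError(Exception):
    """Raised when a step is attempted out of the order section 2.4.3 prescribes."""


class ApiKeyRotation:
    """Drives generate -> update -> verify -> revoke and refuses to revoke the old key until
    the new one is confirmed working. `registry` stands in for the keys Metrc knows about
    and `pos_config` for the POS's stored credential; both are in-memory assumptions."""

    def __init__(self, registry: dict, pos_config: dict, key_name: str, performed_by: str):
        self.registry = registry
        self.pos_config = pos_config
        self.key_name = key_name
        self.performed_by = performed_by
        self.old_key = pos_config["metrc_key_id"]
        self.new_key = None
        self.verified = False
        self.log = []

    def generate_new_key(self) -> str:                        # step 1
        self.new_key = "key_" + secrets.token_hex(8)          # stand-in for the Metrc-issued key
        self.registry[self.new_key] = {"active": True, "created": date.today().isoformat()}
        return self.new_key

    def update_integration(self) -> None:                     # step 2
        if self.new_key is None:
            raise RotationOrderError("generate the new key before updating the POS")
        self.pos_config["metrc_key_id"] = self.new_key

    def verify(self, sync_ok: bool) -> bool:                  # step 3
        """`sync_ok` is the outcome of a test sync through the POS using the new key."""
        if self.pos_config["metrc_key_id"] != self.new_key:
            raise RotationOrderError("POS still holds the old key; nothing to verify")
        self.verified = sync_ok
        if not sync_ok:
            self.pos_config["metrc_key_id"] = self.old_key    # roll back; old key is still valid
        return sync_ok

    def revoke_old_key(self, reason: str = "Scheduled rotation") -> dict:   # step 4
        if not self.verified:
            raise RotationOrderError("new key not confirmed working; old key kept active")
        self.registry[self.old_key]["active"] = False
        entry = {"date": date.today().isoformat(), "key_name": self.key_name,
                 "reason": reason, "performed_by": self.performed_by, "old_key_revoked": True}
        self.log.append(entry)                                # step 5: document the rotation
        return entry


def rotation_status(created_iso: str, today_iso: str) -> str:
    """Age a key against the 30-day target and 90-day maximum (ISO-8601 date strings)."""
    age = (date.fromisoformat(today_iso) - date.fromisoformat(created_iso)).days
    if age > ROTATION_MAX_DAYS:
        return "OVERDUE"
    if age > ROTATION_TARGET_DAYS:
        return "DUE"
    return "OK"


def run_rotation_demo(sync_ok: bool = True) -> dict:
    """Walk the procedure on constructed state; `sync_ok=False` exercises the rollback."""
    registry = {"key_old": {"active": True, "created": "2025-01-01"}}
    pos_config = {"metrc_key_id": "key_old"}
    rot = ApiKeyRotation(registry, pos_config, "Flowhub POS integration", "it-lead")
    early_revoke_blocked = False
    try:
        rot.revoke_old_key()                  # step 4 attempted first: must be refused
    except RotationOrderError:
        early_revoke_blocked = True
    new_key = rot.generate_new_key()
    rot.update_integration()
    revoked = rot.verify(sync_ok=sync_ok) and rot.revoke_old_key()["old_key_revoked"]
    return {
        "early_revoke_blocked": early_revoke_blocked,
        "revoked": bool(revoked),
        "old_key_active": registry["key_old"]["active"],
        "pos_key": "new" if pos_config["metrc_key_id"] == new_key else "old",
    }


if __name__ == "__main__":
    print(run_rotation_demo(sync_ok=True))
    print(run_rotation_demo(sync_ok=False))
    print(rotation_status("2025-01-01", "2025-02-15"))
```

Both keys are valid during the overlap between step 1 and step 4; that is deliberate, and it is why the guide says to revoke only after the new key is confirmed. The `rotation_status` helper is what fills the "Rotation Due" column of the key-management checklist when run over the key inventory.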
2.4.4 API Activity Monitoring
What to Monitor:
Activity | Alert Threshold | Response
Failed API calls | 10+ in 1 hour | Investigate immediately
API calls outside business hours | Any | Review next business day
Unusual data volume | 2x normal | Investigate immediately
API calls from new IP | Any | Verify source
Bulk data exports | Any | Verify authorization
Setting Up Monitoring:
Most POS systems provide API logging. Work with your vendor to:
- Enable detailed API logging
- Set up alerts for anomalies
- Review logs weekly
- Retain logs for 1+ year
Weekly API Review Checklist:
☐ Review API error logs
☐ Check for unusual access patterns
☐ Verify all API calls are from known sources
☐ Confirm sync is current
☐ Document any anomalies
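The thresholds in the 2.4.4 table only become useful once something applies them to the vendor's API log on a schedule. As an added example that is not part of the guide and not any POS vendor's log format, the following applies all five rules to constructed API log lines: a per-hour failed-call count against the 10-per-hour threshold, an hourly row-volume comparison against a 2x baseline, detection of a source IP outside the known set, off-hours calls, and bulk exports. The line layout, the known POS egress address, the business-hours range, the bulk-export row threshold and the baseline volume are all assumptions.

```python
from collections import Counter
from datetime import datetime

# Constructed API log sample. The layout is an assumption; real POS/Metrc logs differ but
# carry the same information: time, source IP, endpoint, HTTP status and rows returned.
SAMPLE_API_LOG = """\
2025-03-04T10:00:01Z ip=198.51.100.10 endpoint=packages status=200 rows=120
2025-03-04T10:05:00Z ip=198.51.100.10 endpoint=sales_receipts status=200 rows=15
2025-03-04T10:07:00Z ip=198.51.100.10 endpoint=sales_receipts status=401 rows=0
2025-03-04T23:15:00Z ip=203.0.113.77 endpoint=packages status=200 rows=9800
2025-03-04T23:16:00Z ip=203.0.113.77 endpoint=sales_receipts status=200 rows=4000
"""

KNOWN_SOURCES = {"198.51.100.10"}   # assumption: the POS server's egress IP
BUSINESS_HOURS = range(8, 21)       # assumption: 08:00 to 20:59, log timestamps in local time
BULK_ROWS = 1000                    # assumption: rows per call that counts as a bulk export
FAILED_PER_HOUR = 10                # guide threshold
VOLUME_FACTOR = 2.0                 # guide: 2x normal


def parse_api_line(line: str) -> dict:
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    rec["status"] = int(rec["status"])
    rec["rows"] = int(rec["rows"])
    return rec


def monitor_api(log_text: str, baseline_rows_per_hour: int,
                known_sources: set = KNOWN_SOURCES) -> list:
    """Apply the section 2.4.4 thresholds. `baseline_rows_per_hour` is the normal hourly
    data volume, learned from past weeks (constructed here). Returns (kind, detail) alerts."""
    alerts = []
    rows_by_hour = Counter()
    fails_by_hour = Counter()
    reported_new_ips = set()
    for line in log_text.splitlines():
        r = parse_api_line(line)
        hour = r["ts"].replace(minute=0, second=0)
        rows_by_hour[hour] += r["rows"]
        if r["status"] >= 400:
            fails_by_hour[hour] += 1
        if r["ip"] not in known_sources and r["ip"] not in reported_new_ips:
            reported_new_ips.add(r["ip"])              # one alert per new source, not per call
            alerts.append(("NEW_SOURCE_IP", r["ip"]))
        if r["ts"].hour not in BUSINESS_HOURS:
            alerts.append(("OFF_HOURS_CALL", f"{r['ts'].isoformat()} {r['endpoint']}"))
        if r["rows"] >= BULK_ROWS:
            alerts.append(("BULK_EXPORT", f"{r['endpoint']} rows={r['rows']}"))
    for hour, n in sorted(fails_by_hour.items()):
        if n >= FAILED_PER_HOUR:
            alerts.append(("FAILED_CALLS", f"{hour.isoformat()} failures={n}"))
    for hour, rows in sorted(rows_by_hour.items()):
        if rows >= VOLUME_FACTOR * baseline_rows_per_hour:
            alerts.append(("VOLUME_ANOMALY", f"{hour.isoformat()} rows={rows}"))
    return alerts


if __name__ == "__main__":
    for kind, detail in monitor_api(SAMPLE_API_LOG, baseline_rows_per_hour=500):
        print(f"{kind:16} {detail}")
```

The sample's last two lines are the pattern the "Bulk data exports" row is aimed at: a previously unseen address pulling thousands of package and sales records late at night, which fires the new-source, off-hours, bulk-export and volume rules together. A single 401 during the day does not reach the failed-call threshold, as intended; a burst of them would, and the per-hour counter uses the same windowing idea as the login-burst detector in 2.2.3.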
2.5 State-Specific Metrc Security Configurations
2.5.1 California
Regulatory Body: Department of Cannabis Control (DCC)
Metrc URL: https://ca.metrc.com
California-Specific Requirements (2025):
Requirement | Deadline | Penalty for Non-Compliance
Real-time sync | January 1, 2025 | $5,000 - $52,500 per violation
MFA required | January 1, 2025 | Compliance warning, potential fine
Track & Trace training | Before access granted | Access denied
California Security Configuration:
☐ MFA enabled for ALL users (required)
☐ Real-time sync configured (no delay acceptable)
☐ API monitoring enabled with alerts
☐ Daily reconciliation process documented
☐ User access reviewed monthly
☐ Training certificates on file for all users
California Sync Failure Protocol:
Time Since Last Sync | Action Required
0-1 hour | Monitor, investigate cause
1-4 hours | Escalate to IT, notify manager
4-8 hours | Manual Metrc entry, notify DCC
8+ hours | Emergency notification to DCC, document everything
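A sync watchdog that polls every few minutes will re-raise the same tier hundreds of times during a long outage unless it tracks which tier it has already escalated. As an added example that is not part of the guide and not Metrc's or any POS vendor's code, the following models the per-state sync limits from the 2.1 table, applies the California tiers above, and applies the generic tiers from section 5.3's sync failure alert for every other state, escalating only when a new tier is entered. "Real-time" is modelled as a 5-minute tolerance; that figure, and the ISO timestamps, are assumptions.

```python
from datetime import datetime, timedelta

# Sync requirements from the section 2.1 table: California real-time, Colorado 15 minutes,
# every other Metrc state 24 hours. "Real-time" is modelled as a 5-minute tolerance, an
# assumption; the guide does not define it more precisely.
SYNC_LIMIT = {"CA": timedelta(minutes=5), "CO": timedelta(minutes=15)}
DEFAULT_SYNC_LIMIT = timedelta(hours=24)

# Escalation tiers as (upper bound in hours since last sync, action). California's tiers
# are the table above; the generic tiers follow section 5.3's Sync Failure Alert steps.
CA_TIERS = [
    (1, "Monitor, investigate cause"),
    (4, "Escalate to IT, notify manager"),
    (8, "Manual Metrc entry, notify DCC"),
    (None, "Emergency notification to DCC, document everything"),
]
GENERIC_TIERS = [
    (1, "Check status page, API credentials, connectivity"),
    (4, "Escalate to IT/vendor"),
    (None, "Notify state regulator, begin manual tracking"),
]


def escalation_action(state: str, elapsed: timedelta) -> str:
    """Pick the tier whose upper bound the elapsed time has not yet reached."""
    hours = elapsed.total_seconds() / 3600
    for bound, action in (CA_TIERS if state == "CA" else GENERIC_TIERS):
        if bound is None or hours < bound:
            return action


class SyncWatchdog:
    """Tracks time since the last successful sync and returns an escalation only when a
    new tier is entered, so a six-hour California outage yields three escalations rather
    than one alert per poll. Timestamps are ISO-8601 strings so a cron job can feed it the
    POS's last-sync field directly."""

    def __init__(self, state: str):
        self.state = state
        self.limit = SYNC_LIMIT.get(state, DEFAULT_SYNC_LIMIT)
        self.last_sync = None
        self.current_tier = None

    def record_sync(self, at_iso: str) -> None:
        self.last_sync = datetime.fromisoformat(at_iso)
        self.current_tier = None            # outage over; the next one starts from tier 1

    def check(self, now_iso: str):
        """Return the action to take when a new tier is entered, otherwise None."""
        if self.last_sync is None:
            raise ValueError("record_sync() must be called before check()")
        elapsed = datetime.fromisoformat(now_iso) - self.last_sync
        if elapsed <= self.limit:
            return None                     # within the state's sync requirement
        tier = escalation_action(self.state, elapsed)
        if tier == self.current_tier:
            return None                     # already escalated at this level
        self.current_tier = tier
        return tier


if __name__ == "__main__":
    w = SyncWatchdog("CA")
    w.record_sync("2025-03-04T09:00:00")
    for t in ("09:03", "09:10", "09:30", "11:00", "14:00", "18:00"):
        print(t, w.check(f"2025-03-04T{t}:00"))
```

The same object works for Colorado's 15-minute rule and for 24-hour states by changing only the state code; the tier boundaries are inclusive on the lower end and exclusive on the upper end, so a sync exactly one hour old is already in the second tier.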
2.5.2 Colorado
Regulatory Body: Marijuana Enforcement Division (MED)
Metrc URL: https://co.metrc.com
Colorado-Specific Requirements:
Requirement | Standard | Penalty Range
Sync frequency | 15 minutes maximum | $2,500 - $25,000
User training | Before access granted | Access denied
Inventory variance | ±2% or 6 units | Investigation triggered
Colorado Security Configuration:
☐ MFA enabled for all users (strongly recommended)
☐ 15-minute sync tolerance configured
☐ Separate medical/retail tracking (if applicable)
☐ RFID tag security (yellow=medical, blue=retail)
☐ Daily reconciliation documented
☐ User access reviewed quarterly
Colorado Tag Security:
Tag Type | Color | Use Case | Security Note
Medical Plant | Yellow | Medical cultivation | Store separately
Retail Plant | Blue | Retail cultivation | Store separately
Medical Package | Yellow | Medical products | Track by license type
Retail Package | Blue | Retail products | Never mix with medical
2.5.3 Michigan
Regulatory Body: Cannabis Regulatory Agency (CRA)
Metrc URL: https://mi.metrc.com
Michigan-Specific Requirements:
Requirement | Standard | Notes
Sync frequency | 24 hours | End of business day
Package tracking | All products | Including internal transfers
Waste documentation | Video + Metrc entry | Required for all waste
Michigan Security Configuration:
☐ MFA enabled for all users
☐ Daily sync schedule established
☐ Internal transfer tracking configured
☐ Waste documentation process documented
☐ Employee badge cross-referenced with Metrc access
☐ Quarterly access audits performed
2.5.4 Nevada
Regulatory Body: Cannabis Compliance Board (CCB)
Metrc URL: https://nv.metrc.com
Nevada-Specific Requirements:
Requirement | Standard | Notes
Sync frequency | 24 hours | Before next business day
Tourism considerations | High-volume | Scale infrastructure accordingly
Transport tracking | Real-time | All vehicle transfers
Nevada Security Configuration:
☐ MFA enabled for all users
☐ High-volume capacity verified (tourism spikes)
☐ Transport manifest security configured
☐ API rate limiting appropriate for volume
☐ Multiple user accounts for busy periods
☐ Failover procedures documented
2.5.5 Massachusetts
Regulatory Body: Cannabis Control Commission (CCC)
Metrc URL: https://ma.metrc.com
Massachusetts-Specific Requirements:
Requirement | Standard | Notes
Sync frequency | 24 hours | Strict enforcement
Host Community Agreements | Tracked | Impact reporting
Social equity tracking | Required | Separate reporting
Massachusetts Security Configuration:
☐ MFA enabled for all users
☐ Social equity reporting access configured
☐ Host community data secured
☐ Delivery tracking configured (if applicable)
☐ Agent card cross-referenced with Metrc access
☐ Monthly access reviews
2.5.6 Other Metrc States Quick Reference
State | Key Security Consideration
Alaska | Remote access security critical
Louisiana | Limited license, high-value target
Maine | Dual-use tracking (med + rec)
Maryland | Transitioning market, changing rules
Minnesota | New market, establishing procedures
Mississippi | Medical only, limited access
Missouri | Fast-growing, scale considerations
Montana | Rural connectivity challenges
New Jersey | High compliance scrutiny
Ohio | New market, establishing baselines
Oklahoma | Highest license count, varied security
Oregon | Mature market, sophisticated threats
South Dakota | Medical program, limited
USVI | Unique territorial considerations
Virginia | Limited medical, high regulation
Washington DC | Federal jurisdiction overlap
West Virginia | Medical program, limited
SECTION 3: BIOTRACK SECURITY CONFIGURATION
3.1 BioTrack System Overview
BioTrack (BioTrackTHC) is the second-largest cannabis tracking system, now owned by Dutchie.
Current BioTrack States:
State | Status | Notes
Delaware | Active | Medical program
Hawaii | Active | Medical program
Illinois | Active | Large adult-use market
New Hampshire | Active | Medical program
New Mexico | Active | Adult-use market
New York | Active | Growing adult-use market
North Dakota | Active | Medical program
Puerto Rico | Active | Medical program
Washington | Active | Mature market (original state)
3.2 BioTrack Account Security Hardening
3.2.1 Password Configuration
BioTrack Password Requirements:
- Minimum 8 characters
- Complexity requirements vary by state
CannaSecure Recommended:
- 16+ characters
- Passphrase format
- Unique to BioTrack only
- Enterprise password manager storage
- 90-day rotation minimum
Password Checklist:
User | Length | Unique? | Password Manager? | Last Changed
________ | ☐ 16+ | ☐ Yes | ☐ Yes | ________
________ | ☐ 16+ | ☐ Yes | ☐ Yes | ________
3.2.2 Multi-Factor Authentication
BioTrack MFA Availability:
State | MFA Available | MFA Required
Illinois | ✅ Yes | ⚠️ Recommended
Washington | ✅ Yes | ⚠️ Recommended
New York | ✅ Yes | ⚠️ Recommended
New Mexico | ✅ Yes | ⚠️ Recommended
[Others] | ✅ Yes | ⚠️ Recommended
MFA Setup Process:
- Log into BioTrack → Account Settings
- Security → Two-Factor Authentication
- Enable → Select authenticator app
- Scan QR code with authenticator
- Verify with test code
- Save backup codes securely
3.2.3 Session Management
BioTrack Session Settings:
Setting | Default | Recommended
Session timeout | 30 minutes | Keep default or shorter
Concurrent sessions | Allowed | Monitor for abuse
Remember me | Available | Disable
Session Security Checklist:
☐ Timeout set appropriately
☐ “Remember me” disabled
☐ Concurrent session monitoring enabled
☐ Logout procedure trained
3.3 BioTrack User Management
3.3.1 User Roles
BioTrack Standard Roles:
Role | Access Level | Appropriate For
Administrator | Full access | Owner, Compliance Manager
Manager | Most functions | GM, Operations
Clerk | Transaction entry | Budtenders
Viewer | Read-only | Accountants
Role Assignment Checklist:
User | Current Role | Appropriate? | Action
________ | ________ | ☐ Yes ☐ No | ________
________ | ________ | ☐ Yes ☐ No | ________
3.3.2 User Lifecycle Management
New User Process:
- Obtain written authorization
- Verify state agent card/license
- Create account with appropriate role
- Set temporary password
- User completes setup (password + MFA)
- User signs acceptable use policy
- Document in user log
Termination Process:
- Immediately deactivate BioTrack account
- Rotate any shared passwords
- Revoke API access if applicable
- Audit recent activity
- Document deactivation
3.4 BioTrack API Security
3.4.1 API Key Management
BioTrack API Structure:
- API credentials issued by BioTrack/Dutchie
- Tied to software vendor
- Used for POS integration
Security Requirements:
Requirement | Implementation
Storage | Encrypted secrets vault only
Access | Need-to-know basis
Rotation | Every 90 days minimum
Monitoring | Log all API calls
Revocation | Immediate upon compromise
API Key Inventory:
Key | Purpose | Vendor | Last Rotated | Stored Securely?
________ | ________ | ________ | ________ | ☐ Yes
________ | ________ | ________ | ________ | ☐ Yes
3.4.2 API Monitoring
What to Monitor:
Activity | Alert Threshold
Failed authentications | 5+ in 1 hour
Bulk data requests | Any unusual volume
Off-hours access | Any
New integration source | Any
3.5 State-Specific BioTrack Configurations
3.5.1 Illinois
Regulatory Body: Illinois Department of Financial and Professional Regulation (IDFPR)
Illinois-Specific Requirements:
Requirement | Standard
Sync frequency | Daily minimum
Social equity tracking | Required
Agent card verification | Cross-reference with BioTrack access
Illinois Security Configuration:
☐ MFA enabled for all users
☐ Agent card numbers verified in BioTrack
☐ Social equity reporting access restricted
☐ Daily sync schedule documented
☐ IDFPR notification procedures in place
☐ Quarterly access audits
3.5.2 Washington
Regulatory Body: Liquor and Cannabis Board (LCB)
Washington-Specific Requirements:
Requirement | Standard
Sync frequency | Daily minimum
Traceability | Seed-to-sale complete
Manifest tracking | All transfers
Washington Security Configuration:
☐ MFA enabled for all users
☐ Manifest security configured
☐ Transport tracking enabled
☐ Daily reconciliation documented
☐ LCB notification procedures in place
☐ Monthly access reviews
3.5.3 New York
Regulatory Body: Office of Cannabis Management (OCM)
New York-Specific Requirements:
Requirement | Standard
Social equity priority | Tracking required
Conditional licensing | Phase compliance
Adult-use transition | Evolving requirements
New York Security Configuration:
☐ MFA enabled for all users
☐ Social equity tracking configured
☐ Conditional license milestones tracked
☐ OCM notification procedures documented
☐ Evolving regulation monitoring
☐ Monthly access reviews
3.5.4 Other BioTrack States Quick Reference
State | Key Security Consideration
Delaware | Medical program, limited licenses
Hawaii | Island logistics, network reliability
New Hampshire | Medical only, high compliance
New Mexico | Growing adult-use market
North Dakota | Medical program, limited
Puerto Rico | Territorial rules, network challenges
SECTION 4: POS INTEGRATION SECURITY
4.1 Understanding POS-Tracking System Integration
┌─────────────────────────────────────────────┐
│                 POS SYSTEM                  │
│    (Flowhub, Dutchie, Treez, Jane, etc.)    │
└─────────────────────────────────────────────┘
                       │
                       │ API Credentials
                       │ Encrypted Connection
                       ▼
┌─────────────────────────────────────────────┐
│               TRACKING SYSTEM               │
│             (Metrc or BioTrack)             │
└─────────────────────────────────────────────┘
SECURITY POINTS:
★ API credentials stored in POS
★ Connection must be encrypted (HTTPS)
★ Sync frequency must meet state requirements
★ Errors must be monitored and alerted
4.2 POS Integration Security Checklist
Initial Configuration:
☐ API credentials stored encrypted in POS
☐ HTTPS connection verified
☐ TLS 1.2+ confirmed
☐ Sync frequency configured per state requirement
☐ Error alerting configured
☐ Failover procedures documented
Ongoing Maintenance:
☐ API credentials rotated every 90 days
☐ Sync errors reviewed daily
☐ POS security updates applied promptly
☐ Integration tested after POS updates
☐ Vendor security reviewed annually
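The "HTTPS connection verified" and "TLS 1.2+ confirmed" items in the initial configuration checklist are a property of the client that talks to Metrc or BioTrack, and they can be checked in code rather than by eye. The following is an added example, not part of the guide and not any POS vendor's integration code: it builds the client TLS context an integration should use, shows the weak configuration the checklist is meant to catch beside it, reduces the checklist items to one boolean check on a context, and includes a probe that reports what a live endpoint actually negotiates. The probe needs network access and is only run when the file is executed directly; the host name used there is Metrc's California URL from section 2.5.1.

```python
import socket
import ssl
import time


def hardened_client_context() -> ssl.SSLContext:
    """Client context for the POS-to-tracking-system connection: certificate verification
    and hostname checking on, and nothing older than TLS 1.2 negotiable."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse TLS 1.0/1.1 outright
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """The configuration the checklist is meant to catch: verification disabled, so a
    device on the network path could present any certificate and read or alter API traffic."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_acceptable(ctx: ssl.SSLContext) -> bool:
    """The two 4.2 checklist items ("HTTPS connection verified", "TLS 1.2+ confirmed")
    as a single check that a configuration review or a unit test can run."""
    return (
        ctx.verify_mode == ssl.CERT_REQUIRED
        and bool(ctx.check_hostname)
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


def probe_endpoint(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect with the hardened context and report what was negotiated plus how long the
    server certificate remains valid. Requires network access."""
    ctx = hardened_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            expires = ssl.cert_time_to_seconds(cert["notAfter"])
            return {
                "tls_version": tls.version(),
                "cipher": tls.cipher()[0],
                "cert_days_left": int((expires - time.time()) // 86400),
            }


if __name__ == "__main__":
    print("hardened acceptable:", context_is_acceptable(hardened_client_context()))
    print("weak acceptable:", context_is_acceptable(weak_client_context()))
    print(probe_endpoint("ca.metrc.com"))   # network call; Metrc California host from 2.5.1
```

A handshake that fails under the hardened context is the finding: either the endpoint (or a proxy in front of it) is offering an outdated protocol, or the certificate chain does not validate, and in both cases the integration should not be turned on until the cause is known. Asking the POS vendor which of these two contexts their connector resembles is a concrete version of the questions in 4.3.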
4.3 POS Vendor Integration Security
Questions to Ask Your POS Vendor:
Question | Acceptable Answer
How are Metrc/BioTrack API credentials stored? | Encrypted at rest, AES-256 minimum
Who at your company can access our credentials? | Limited, audited, need-to-know
How do you handle credential rotation? | Automated or documented process
What happens if your systems are breached? | Documented IR plan, notification commitment
Do you have SOC 2 certification? | Yes, Type II preferred
4.4 Common POS Systems Security Configuration
4.4.1 Flowhub
Metrc Integration Security:
- API credentials: Encrypted in Flowhub vault
- Sync monitoring: Dashboard available
- Error alerts: Configurable
Security Configuration:
☐ Admin accounts use MFA
☐ User roles properly assigned
☐ API credential rotation scheduled
☐ Sync monitoring dashboard reviewed daily
☐ Error alerts configured
4.4.2 Dutchie POS
BioTrack/Metrc Integration Security:
- Native BioTrack integration (same company)
- Metrc integration available
- Centralized credential management
Security Configuration:
☐ Admin accounts use MFA
☐ User permissions minimized
☐ Integration status monitored
☐ Dutchie security updates applied
☐ Compliance dashboard reviewed
4.4.3 Treez
Metrc Integration Security:
- API credentials: Stored encrypted
- Real-time sync: Available for California
- Error monitoring: Built-in
Security Configuration:
☐ Admin accounts use MFA
☐ Role-based access configured
☐ Metrc sync status monitored
☐ API credentials documented (securely)
☐ Treez security updates applied
4.4.4 Jane
Metrc Integration Security:
- Menu and ordering platform
- Integrates with POS for compliance
- Separate security considerations
Security Configuration:
☐ Admin accounts use MFA
☐ POS integration secured
☐ Menu management access restricted
☐ Customer data handling reviewed
☐ Jane security updates applied
SECTION 5: MONITORING AND ALERTING
5.1 What to Monitor
Critical Monitoring Points:
System | What to Monitor | Alert Threshold
Metrc/BioTrack Login | Failed logins | 3+ failures
Metrc/BioTrack Login | Successful login from new IP | Any
Metrc/BioTrack Login | Login outside business hours | Any
API | Failed API calls | 10+ per hour
API | API calls from new source | Any
Sync | Sync failure | Any
Sync | Sync delay exceeding threshold | Per state requirement
User | New user created | Any
User | User permissions changed | Any
User | User deactivated | Any
Data | Bulk data export | Any
Data | Inventory adjustment | Review daily
5.2 Building a Monitoring Dashboard
Daily Review Checklist:
Check | Status | Notes
Sync status current | ☐ OK ☐ Issue | ________
Failed logins reviewed | ☐ OK ☐ Issue | ________
API errors reviewed | ☐ OK ☐ Issue | ________
Inventory discrepancies | ☐ OK ☐ Issue | ________
User activity normal | ☐ OK ☐ Issue | ________
Weekly Review Checklist:
Check | Status | Notes
All user access appropriate | ☐ OK ☐ Issue | ________
API credentials rotation due | ☐ No ☐ Yes | ________
Security updates available | ☐ No ☐ Yes | ________
Unusual patterns identified | ☐ No ☐ Yes | ________
5.3 Alert Response Procedures
Failed Login Alert:
Step | Action
1 | Identify affected user account
2 | Contact user via phone to verify
3 | If legitimate: Reset password, document
4 | If suspicious: Lock account, investigate
5 | Review for related suspicious activity
Sync Failure Alert:
Step | Action
1 | Check Metrc/BioTrack status page
2 | If system-wide outage: Document, monitor
3 | If our side: Check API credentials, connectivity
4 | If persists 1+ hour: Escalate to IT/vendor
5 | If persists 4+ hours: Notify state regulator
6 | Begin manual tracking if necessary
New User Alert:
Step | Action
1 | Verify authorization exists
2 | Confirm HR/management approved
3 | If unauthorized: Deactivate immediately, investigate
4 | Document verification
5.4 Log Retention Requirements
Log Type | Minimum Retention | Recommended
Login logs | 1 year | 3 years
API logs | 1 year | 3 years
Transaction logs | Per state requirement | 5 years
User management logs | 3 years | 7 years
Security incident logs | 7 years | Indefinite
SECTION 6: INCIDENT RESPONSE FOR TRACKING SYSTEMS
6.1 Tracking System Compromise Indicators
Signs Your Tracking System May Be Compromised:
Indicator | Severity | Immediate Action
Unexpected password reset | HIGH | Lock account, investigate
Login from unknown IP/location | HIGH | Verify with user, investigate
Inventory records changed unexpectedly | CRITICAL | Lock accounts, audit all changes
API errors with authentication | MEDIUM | Check credentials, rotate if needed
User created without authorization | CRITICAL | Deactivate user, investigate
Bulk data export | CRITICAL | Lock accounts, investigate source
MFA disabled on account | HIGH | Re-enable, verify authorization
6.2 Immediate Response Procedure
If You Suspect Tracking System Compromise:
FIRST 15 MINUTES:
☐ Do NOT make hasty changes (preserve evidence)
☐ Document what you observed:
- What happened?
- When?
- What accounts/data affected?
☐ Notify Incident Commander
☐ Screenshot all suspicious activity
FIRST HOUR:
☐ Contain the compromise:
Action | Completed
Change admin passwords | ☐
Rotate API credentials | ☐
Enable MFA if not already | ☐
Lock suspicious accounts | ☐
Review recent user changes | ☐
☐ Notify state regulator (if required or recommended)
☐ Begin manual tracking (if system integrity uncertain)
FIRST 24 HOURS:
☐ Full audit of system:
Audit Item | Reviewed | Findings
All user accounts | ☐ | ________
All permissions | ☐ | ________
Recent transactions | ☐ | ________
Recent inventory changes | ☐ | ________
API activity logs | ☐ | ________
Login history | ☐ | ________
☐ Verify inventory accuracy (physical count may be needed)
☐ Document everything for regulator
6.3 Regulatory Notification
When to Notify State Regulator:
Situation | Notification
Confirmed unauthorized access | Required - Immediately
Inventory records manipulated | Required - Immediately
Extended sync failure (4+ hours) | Required - Same day
Suspected compromise, unconfirmed | Recommended - Within 24 hours
Credential theft, no system access | Recommended - Within 48 hours
Notification Template:
To: [State Regulatory Agency]
From: [License Holder]
License #: [Number]
Date: [Date]
Re: Tracking System Security Incident
We are reporting a security incident affecting our [Metrc/BioTrack]
tracking system.
INCIDENT SUMMARY:
- Date/time discovered: [Date/Time]
- Type of incident: [Description]
- Systems affected: [List]
- Data potentially affected: [Description]
IMMEDIATE ACTIONS TAKEN:
1. [Action]
2. [Action]
3. [Action]
CURRENT STATUS:
- System access: [Secured/Under investigation]
- Inventory integrity: [Verified/Under review]
- Operations: [Normal/Modified procedures]
We will provide updates as our investigation progresses.
Contact: [Name, Phone, Email]
SECTION 7: SECURITY HARDENING CHECKLISTS
7.1 Initial Setup Checklist (New License)
Account Security:
☐ Admin account created with strong password (16+ chars)
☐ MFA enabled on admin account
☐ Backup codes stored securely
☐ Temporary password policy established
☐ Session timeout verified
User Management:
☐ User provisioning process documented
☐ User deprovisioning process documented
☐ Role definitions documented
☐ Least privilege principle applied
☐ Acceptable use policy created
API Security:
☐ API credentials stored in encrypted vault
☐ API rotation schedule established
☐ API monitoring configured
☐ API access limited to need-to-know
Integration Security:
☐ POS integration tested
☐ Sync monitoring enabled
☐ Error alerting configured
☐ Failover procedures documented
Documentation:
☐ All procedures documented
☐ Contact list completed
☐ Incident response plan includes tracking systems
☐ Training materials created
7.2 Ongoing Security Checklist (Daily)
Task | Mon | Tue | Wed | Thu | Fri | Sat | Sun
Check sync status | ☐ | ☐ | ☐ | ☐ | ☐ | ☐ | ☐
Review failed logins | ☐ | ☐ | ☐ | ☐ | ☐ | ☐ | ☐
Review API errors | ☐ | ☐ | ☐ | ☐ | ☐ | ☐ | ☐
Check alerts | ☐ | ☐ | ☐ | ☐ | ☐ | ☐ | ☐
Verify inventory reconciliation | ☐ | ☐ | ☐ | ☐ | ☐ | ☐ | ☐
7.3 Ongoing Security Checklist (Weekly)
Task | Week 1 | Week 2 | Week 3 | Week 4
Review all user access | ☐ | ☐ | ☐ | ☐
Check for security updates | ☐ | ☐ | ☐ | ☐
Review API activity logs | ☐ | ☐ | ☐ | ☐
Test backup/recovery | ☐ | | |
Review terminated employee list | ☐ | ☐ | ☐ | ☐
7.4 Ongoing Security Checklist (Monthly)
Task | Completed | Date | Notes
Full user access audit | ☐ | ________ | ________
Review and update contact list | ☐ | ________ | ________
Test incident response procedures | ☐ | ________ | ________
Review state regulatory updates | ☐ | ________ | ________
POS integration health check | ☐ | ________ | ________
API credential rotation check | ☐ | ________ | ________
7.5 Ongoing Security Checklist (Quarterly)
Task | Q1 | Q2 | Q3 | Q4
Rotate all API credentials | ☐ | ☐ | ☐ | ☐
Full security configuration review | ☐ | ☐ | ☐ | ☐
User training refresher | ☐ | ☐ | ☐ | ☐
Vendor security assessment | ☐ | ☐ | ☐ | ☐
Incident response tabletop exercise | ☐ | ☐ | ☐ | ☐
Policy and procedure review | ☐ | ☐ | ☐ | ☐
7.6 Annual Security Checklist
Task Completed Date Notes
Full security assessment ☐
Penetration test (if applicable) ☐
Policy comprehensive review ☐
Vendor contract review ☐
Insurance review ☐
Regulatory compliance audit ☐
Training program update ☐
Disaster recovery test ☐
SECTION 8: EMPLOYEE TRAINING MATERIALS
8.1 Tracking System Security Training Outline
Module 1: System Overview (15 minutes)
- What is Metrc/BioTrack?
- Why tracking matters for compliance
- Your role in maintaining security
- Consequences of security failures
Module 2: Account Security (20 minutes)
- Password requirements and best practices
- MFA setup and usage
- Session security (logout, timeouts)
- Recognizing phishing attempts
Module 3: Daily Operations Security (15 minutes)
- Secure login procedures
- Recognizing suspicious activity
- Reporting security concerns
- Manual tracking procedures (backup)
Module 4: What to Do If… (15 minutes)
- You suspect your account is compromised
- You receive a suspicious email about Metrc/BioTrack
- The system isn’t working
- You see something unusual
Assessment: Quiz covering key concepts
8.2 Quick Reference Guide for Employees
╔═══════════════════════════════════════════════════════════╗
║          METRC/BIOTRACK SECURITY QUICK REFERENCE          ║
╠═══════════════════════════════════════════════════════════╣
║                                                           ║
║ PASSWORD RULES:                                           ║
║ • 16+ characters minimum                                  ║
║ • Never share with anyone                                 ║
║ • Never write down or save in browser                     ║
║ • Change every 90 days                                    ║
║                                                           ║
║ MFA (TWO-FACTOR):                                         ║
║ • Always use it - no exceptions                           ║
║ • Keep authenticator app on YOUR phone only               ║
║ • Report immediately if phone lost/stolen                 ║
║                                                           ║
║ DAILY HABITS:                                             ║
║ • Log out when stepping away                              ║
║ • Never leave logged in unattended                        ║
║ • Use only authorized devices                             ║
║ • Report anything suspicious                              ║
║                                                           ║
║ RED FLAGS TO REPORT:                                      ║
║ ⚠️ Email asking for your password                         ║
║ ⚠️ Login from location you weren't at                     ║
║ ⚠️ Records you didn't change                              ║
║ ⚠️ Sync errors or system not working                      ║
║ ⚠️ Anyone asking to use your account                      ║
║                                                           ║
║ IF SOMETHING SEEMS WRONG:                                 ║
║ 1. Stop what you're doing                                 ║
║ 2. Don't try to fix it yourself                           ║
║ 3. Report to: _________________________                   ║
║ 4. Document what you saw                                  ║
║                                                           ║
╚═══════════════════════════════════════════════════════════╝
8.3 Training Acknowledgment Form
TRACKING SYSTEM SECURITY TRAINING ACKNOWLEDGMENT
Employee Name: _________________________________
Position: _________________________________
Training Date: _________________________________
I acknowledge that I have received and understand the following:
☐ Metrc/BioTrack Security Training (Modules 1-4)
☐ Tracking System Acceptable Use Policy
☐ Password and MFA Requirements
☐ Incident Reporting Procedures
I understand that:
• I am responsible for the security of my tracking system account
• I must never share my credentials with anyone
• I must report any security concerns immediately
• Violations may result in disciplinary action up to termination
• I may be held personally liable for intentional misuse
Employee Signature: _________________________________
Date: _________________________________
Manager Signature: _________________________________
Date: _________________________________
[Retain in employee file]
SECTION 9: DOWNLOADABLE TEMPLATES
Members can download:
- Metrc Security Configuration Checklist (Excel) - State-by-state configurations
- BioTrack Security Configuration Checklist (Excel) - State-by-state configurations
- User Access Management Template (Excel) - Track all users and permissions
- API Credential Rotation Log (Excel) - Track credential lifecycle
- Daily/Weekly/Monthly Security Checklist (PDF) - Printable checklists
- Employee Training Slides (PowerPoint) - Customizable training deck
- Training Acknowledgment Form (Word) - Ready-to-use form
- Quick Reference Card (PDF) - Print for each workstation
- Incident Response Procedures (Word) - Tracking system specific
- Regulatory Notification Template (Word) - Ready-to-customize
SECTION 10: FREQUENTLY ASKED QUESTIONS
General Questions
Q: Do I really need MFA if Metrc/BioTrack doesn’t require it?
A: Yes. MFA is your single most effective protection against credential theft. Even if your state doesn’t require it, enable it anyway. Thirty seconds per login is a small price for avoiding a breach.
Q: How often should I rotate API credentials?
A: Every 90 days minimum, or immediately after:
- Any employee termination (if they had API access)
- Any suspected compromise
- Any vendor security incident
Q: Can I use the same password for Metrc and BioTrack?
A: No. Never reuse passwords between systems. If one is compromised, all accounts with that password are at risk.
Q: What if I forget my MFA device?
A: This is why backup codes are critical. Use a backup code to access your account, then immediately set up MFA on a new device. If you’ve lost your backup codes too, contact your admin for account recovery.
Technical Questions
Q: My POS vendor says they handle all the Metrc security. Do I still need to do anything?
A: Yes. Your vendor handles their side, but you’re still responsible for:
- Your user accounts and passwords
- Your employees’ access
- Monitoring and verifying sync status
- Responding to issues
- Regulatory compliance
Q: How do I know if my API credentials have been compromised?
A: Warning signs include:
- API calls you didn’t initiate
- Sync errors that resolve mysteriously
- Data changes you didn’t make
- Unusual API activity in logs
- Vendor notification of suspicious activity
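The log-based warning signs in this answer (calls you didn’t initiate, unusual activity, repeated errors) can be checked mechanically as part of the daily "Review API errors" task. The following is an added example, not code from the manual or from Metrc, BioTrack or any POS vendor; the log line format, key ids, the 203.0.113.0/24 integration allowlist and the sync-hours window are constructed assumptions, since each vendor exports activity in its own format.

```python
"""Review an API activity export for the warning signs listed above.

Added example, not from the manual. The log format, key ids, allowlist
and sync-hours window are constructed assumptions; adapt parse_line()
to whatever your tracking system or POS vendor actually exports.
"""
from collections import Counter
from datetime import datetime, time
import ipaddress

# Assumption: the networks your POS/integration vendor really calls from.
# Any other source using your API key deserves a closer look.
KNOWN_INTEGRATION_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Assumption: hours during which automated syncs are expected to run.
BUSINESS_HOURS = (time(6, 0), time(23, 0))

# Constructed sample export: timestamp, key id, source ip, endpoint, status
SAMPLE_LOG = """\
2024-05-01T09:02:11 key-pos-01 203.0.113.10 /packages/v1/active 200
2024-05-01T09:02:12 key-pos-01 203.0.113.10 /sales/v1/receipts 200
2024-05-01T09:15:40 key-pos-01 203.0.113.10 /packages/v1/adjust 200
2024-05-02T03:41:05 key-pos-01 198.51.100.7 /packages/v1/active 200
2024-05-02T03:41:09 key-pos-01 198.51.100.7 /packages/v1/adjust 200
2024-05-02T03:41:10 key-pos-01 198.51.100.7 /packages/v1/adjust 401
2024-05-02T03:41:11 key-pos-01 198.51.100.7 /packages/v1/adjust 401
2024-05-02T03:41:12 key-pos-01 198.51.100.7 /packages/v1/adjust 401
"""


def parse_line(line):
    """Split one constructed log line into a record dict."""
    ts, key_id, ip, endpoint, status = line.split()
    return {"ts": datetime.fromisoformat(ts), "key": key_id,
            "ip": ipaddress.ip_address(ip), "endpoint": endpoint,
            "status": int(status)}


def review_api_log(text, error_burst=3):
    """Return [(record, [reasons])] for lines a human should verify."""
    findings = []
    auth_failures = Counter()
    for raw in text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        reasons = []
        # Sign 1: a call from a source you never configured
        if not any(rec["ip"] in net for net in KNOWN_INTEGRATION_NETS):
            reasons.append("unknown source address")
        # Sign 2: activity outside the window in which syncs run
        t = rec["ts"].time()
        if not (BUSINESS_HOURS[0] <= t <= BUSINESS_HOURS[1]):
            reasons.append("activity outside sync hours")
        # Sign 3: repeated authorization failures from one key/source pair
        if rec["status"] in (401, 403):
            src = (rec["key"], rec["ip"])
            auth_failures[src] += 1
            if auth_failures[src] == error_burst:
                reasons.append("auth failure burst")
        if reasons:
            findings.append((rec, reasons))
    return findings


def summarize(findings):
    """Count how often each warning sign fired, for the daily review."""
    counts = Counter()
    for _, reasons in findings:
        counts.update(reasons)
    return counts


if __name__ == "__main__":
    hits = review_api_log(SAMPLE_LOG)
    for rec, reasons in hits:
        print(rec["ts"], rec["key"], rec["ip"], rec["endpoint"], rec["status"],
              "->", "; ".join(reasons))
    print(dict(summarize(hits)))
```

Run against the constructed sample, the three daytime calls from the allowlisted address are silent, while the five overnight calls from 198.51.100.7 are each flagged and the third 401 in a row adds a burst finding. Signs that only show in data, such as records you didn’t change, still need the inventory reconciliation step from the daily checklist; a log review alone cannot see them.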
Q: Can former employees access Metrc after termination?
A: Not if you follow proper deprovisioning. The moment an employee is terminated:
- Deactivate their Metrc/BioTrack account
- Change any shared passwords they knew
- Rotate API credentials they had access to
The most common breach vector is forgotten accounts of former employees.
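Both the 90-day rotation rule from the earlier answer and the termination steps in this one can be verified from two exports you already keep: the API Credential Rotation Log and the user list. The following is an added example, not the manual’s own template or any vendor code; the record shapes, names, dates and the "holders" field (who could read each secret) are constructed assumptions.

```python
"""Credential rotation and deprovisioning check for the two FAQ answers.

Added example, not from the manual. Record shapes, user names and dates
are constructed; a real run would load your API Credential Rotation Log,
the tracking system's user export and HR's termination list.
"""
from datetime import date, timedelta

ROTATION_INTERVAL = timedelta(days=90)   # "every 90 days minimum"
AS_OF = date(2024, 5, 1)                 # constructed "today" for the sample

# Constructed: one entry per API credential you have issued.
# "holders" = people who could read the secret (vault access, config files).
API_CREDENTIALS = [
    {"id": "metrc-pos-key", "issued": date(2024, 1, 10), "holders": {"alice", "bob"}},
    {"id": "biotrack-sync-key", "issued": date(2024, 4, 2), "holders": {"alice"}},
    {"id": "metrc-reporting-key", "issued": date(2023, 11, 1), "holders": {"carol"}},
]

# Constructed: tracking-system user export (username, still enabled?).
USER_ACCOUNTS = [
    {"user": "alice", "active": True},
    {"user": "bob", "active": True},
    {"user": "carol", "active": False},
]

# Constructed: HR termination list, username -> last day.
TERMINATED = {"bob": date(2024, 4, 20)}


def credential_findings(creds, users, terminated, today):
    """Return (action, subject, detail) tuples for everything overdue."""
    findings = []
    for c in creds:
        # Rule 1: age against the 90-day rotation interval
        age = today - c["issued"]
        if age > ROTATION_INTERVAL:
            findings.append(("overdue rotation", c["id"], f"{age.days} days old"))
        # Rule 2: rotate any credential a terminated person could have read
        exposed = sorted(c["holders"] & set(terminated))
        if exposed:
            findings.append(("rotate: held by terminated staff", c["id"],
                             ",".join(exposed)))
    # Rule 3: the forgotten-account case from the answer above
    for u in users:
        if u["active"] and u["user"] in terminated:
            findings.append(("deactivate account", u["user"],
                             f"terminated {terminated[u['user']]}"))
    return findings


if __name__ == "__main__":
    for action, subject, detail in credential_findings(
            API_CREDENTIALS, USER_ACCOUNTS, TERMINATED, AS_OF):
        print(f"{action:34} {subject:22} {detail}")
```

On the constructed data the check reports four items: two credentials past 90 days, one of which (metrc-pos-key) must also be rotated because bob could read it, and bob’s account itself, still active eleven days after his last day. Running this weekly alongside the "Review terminated employee list" task turns the deprovisioning answer above into something auditable rather than a memory exercise.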
Compliance Questions
Q: How long should I keep Metrc/BioTrack access logs?
A: Keep logs for at least 3 years, preferably 7 years. State regulations vary, but longer retention protects you in disputes and investigations.
Q: Do I need to report a Metrc sync failure to my state?
A: It depends on duration:
- < 4 hours: Document internally, resolve
- 4-8 hours: Consider notification, document thoroughly
- 8+ hours: Notify regulator, document everything
Check your state’s specific requirements.
Q: What if I discover my inventory doesn’t match Metrc?
A: Don’t panic. Follow this process:
- Verify with physical count
- Investigate the discrepancy source
- Document your findings
- Make corrections in Metrc with proper reason codes
- If significant (>2% or 6 units), notify regulator proactively
CONCLUSION
Your seed-to-sale tracking system is a critical compliance tool and a significant security risk.
Attackers target tracking systems because:
- They contain valuable business intelligence
- Compromise creates regulatory chaos
- Many operators don’t secure them properly
- API credentials are often poorly protected
This guide gives you:
- Step-by-step hardening procedures
- State-specific configurations
- User management best practices
- API security controls
- Monitoring and alerting guidance
- Incident response procedures
- Employee training materials
- Downloadable templates
Take action today:
- Complete the initial setup checklist
- Enable MFA on all accounts
- Audit current user access
- Implement monitoring
- Train your team
- Schedule quarterly reviews
Your compliance depends on it. Your license depends on it.