As the White House pushes to intensify internal leak investigations, Immigration and Customs Enforcement is quietly renewing a cybersecurity contract that governs how employee activity on agency systems is monitored, recorded, and preserved for investigation.

The operation, known as Cyber Defense and Intelligence Support Services, is presented as a routine security effort focused on network monitoring, incident response, and basic security hygiene. But new contract records reviewed by WIRED spell out how ICE is working to expand and enhance the collection of digital logs and device data for internal investigations and law enforcement use.

Records show ICE is moving ahead with a recompete—the process of reissuing and renewing a major federal contract—as Department of Homeland Security leadership expands leak investigations and steps up monitoring of how employees use agency systems. Contract documents outline methods for maintaining comprehensive records of digital activity and using automated tools to flag patterns and anomalies while more closely linking cybersecurity operations with ICE investigative offices to speed the use of that data in internal casework.

Beyond insider monitoring, the contract describes a broad cybersecurity operation, covering constant surveillance of ICE networks, automated alerts for suspicious behavior, and routine analysis of logs pulled from servers, workstations, and mobile devices. A core requirement is that this data be stored and organized so incidents can later be reconstructed step by step, whether for security reviews or formal investigations.

The work is managed by ICE’s Office of the Chief Information Officer, which runs the agency’s security operations center, but the contract is designed to move information across offices. Cyber findings are meant to be shared with investigative and oversight units, including Homeland Security Investigations and ICE’s Office of Professional Responsibility, which handles employee misconduct. The structure allows digital activity data collected for cybersecurity purposes to be quickly routed into internal inquiries when investigators request it.

ICE did not respond to a request for comment.

The expansion of internal monitoring comes as the Trump administration has framed dissent inside federal agencies as a threat, moving to aggressively identify and remove career officials viewed as ideologically misaligned with the administration, particularly in national security and law enforcement roles.

Since returning to office, the Trump White House has portrayed internal dissent in explicitly loyalty-based terms—as opposed to misconduct, malfeasance, or efforts to deliberately undermine the government—framing political disagreement with the president’s goals as grounds for firing.

In response, officials have moved to centralize control over the civil service, loosen job protections, and press agencies to identify officials viewed as resistant to its political message. Trump has openly stated that federal agencies are out to fire people perceived as having “loyalties to someone else,” while Russell Vought, head of the Office of Management and Budget, has argued that bureaucracy has been weaponized, casting the civil service itself as an adversarial force.

Public watch lists circulated by conservative groups, mass reclassification of civil service roles, and large-scale firings of probationary employees have reinforced the message that dissent—or even perceived disloyalty—carries career risk.

At DHS, that posture has coincided with efforts to weaken traditional oversight channels. President Donald Trump removed or sidelined a large number of inspectors general early in his term, leaving watchdog offices understaffed or led by acting officials. Whistleblower advocates and former oversight officials say the result has been a chilling effect, with fewer internal investigations and less protection for employees who raise concerns about policy or misconduct.

Several watchdog groups have warned that expanded monitoring systems, when paired with weakened oversight, can blur the line between cybersecurity and retaliation. Tools built to detect breaches or misuse, they say, can just as easily be repurposed to track internal critics, especially when privacy safeguards and independent review are thin.

In such an environment, routine cybersecurity infrastructure doubles as a mechanism for enforcing internal conformity.

The expansion comes against a backdrop of repeated oversight warnings. Inspector General audits have found ICE failed to consistently disable accounts for departing employees, closely track privileged access, or secure agency-issued mobile devices—especially those used overseas.

Other DHS reviews have cautioned that insider-threat monitoring has grown faster than the policies and privacy safeguards meant to govern it, raising concerns about how employee data is monitored, retained, and ultimately used.