Title: Hierarchical Approaches to Product Cyber Security: An Automotive Case Study

Author(s): Aditya Deshpande, Robert Oates

Publication Event: Proceedings of the Thirty First Safety-Critical Systems Symposium

Publication Date: 2023-02-07

Resource URL: https://scsc.uk/r1747.pdf

Abstract:

Securing the operation of an out-of-context component can be extremely challenging. This is due to a number of reasons, not least that the context of use for the system component has a huge impact on the exposure of the system to specific risks. Many standards across multiple sectors focus on the role of system integrators and Tier 1 suppliers. But how should that security argument flow down to Tier 2 suppliers and below? Can Tier 2 suppliers be “intelligent suppliers”, providing security assurances that feed into hierarchical or modular assurance cases? In this paper we approach these questions, illustrating the challenges and proposed solutions using the use case of a safety-assured automotive operating system. The automotive sector was selected because its cybersecurity standard (ISO 21434) demands that the security argument extend beyond safety-related security issues. An operating system is a highly versatile component that can be deployed in multiple contexts. The paper concludes that there are activities that lower-tier suppliers can perform to support the integrated security/safety argument. These activities are then highlighted as potential requirements for system integrators, Tier 2 suppliers and below.