PrepAway - Latest Free Exam Questions & Answers

Which choice below is the BEST description of a Protection Profile (PP),
as defined by the Common Criteria (CC)?

A. A reusable definition of product security requirements

B. An intermediate combination of security requirement components

C. A statement of security claims for a particular IT security product

D. The IT product or system to be evaluated

Explanation:
The Common Criteria (CC) is used in two ways: as a standardized way to describe security requirements for IT products and systems, and as a sound technical basis for evaluating the security features of these products and systems.

The CC defines three useful constructs for building IT security requirements: the Protection Profile (PP), the Security Target (ST), and the Package. The PP is an implementation-independent statement of security needs for a set of IT security products. The PP contains a set of security requirements and is intended to be a reusable definition of product security requirements that are known to be useful and effective. A PP gives consumers a means of referring to a specific set of security needs and communicating them to manufacturers, and helps future product evaluation against those needs.

*Answer “A statement of security claims for a particular IT security product” defines the Security Target (ST). The ST is a statement of security claims for a particular IT security product or system. The ST parallels the structure of the PP, though it has additional elements that include product-specific detailed information. An ST is the basis for agreement among all parties as to what security the product or system offers, and therefore the basis for its security evaluation.

*Answer “An intermediate combination of security requirement components” describes the Package. The Package is an intermediate combination of security requirement components. The Package permits the expression of a set of either functional or assurance requirements that meet some particular need, expressed as a set of security objectives.

*Answer “The IT product or system to be evaluated” describes the Target of Evaluation (TOE). The TOE is an IT product or system to be evaluated, the security characteristics of which are described in specific terms by a corresponding ST, or in more general terms by a PP. This evaluation consists of rigorous analysis and testing performed by an accredited, independent laboratory. The scope of a TOE evaluation is set by the Evaluation Assurance Level (EAL) and other requirements specified in the ST. Part of this process is an evaluation of the ST itself, to ensure that it is correct, complete, and internally consistent and can be used as the baseline for the TOE evaluation.

Source: Common Criteria Project.
