diff --git a/MANIFEST.in b/MANIFEST.in
index 9596bbc0a..17086b81b 100644
--- a/MANIFEST.in
+++ b/MANIFEST.in
@@ -1,8 +1,8 @@
 include LICENSE
 include README.md
 include changelog.md
-include build-requirements.txt
-include requirements.txt
+include requirements/build-requirements.txt
+include requirements/requirements.txt
 include securedrop-log*
 include securedrop-redis-log
 include securedrop.Log
diff --git a/Makefile b/Makefile
index 185bffb50..3b8e95fcb 100644
--- a/Makefile
+++ b/Makefile
@@ -1,6 +1,12 @@
 DEFAULT_GOAL: help
 SHELL := /bin/bash
+.PHONY: venv
+venv: ## Provision a Python 3 virtualenv for **development**
+ python3 -m venv .venv
+ .venv/bin/pip install --upgrade pip wheel
+ .venv/bin/pip install --require-hashes -r requirements/dev-requirements.txt
+
 # Bandit is a static code analysis tool to detect security vulnerabilities in Python applications
 # https://wiki.openstack.org/wiki/Security/Projects/Bandit
 .PHONY: bandit
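Review bot: The `.venv/bin/pip install --upgrade pip wheel` line in the new `venv` recipe fetches whatever pip and wheel releases the index currently serves, with no version pin and no hash check, before the `--require-hashes` install runs. The dev-requirements.txt added in this same commit already pins pip, setuptools and wheel with hashes, so this is the one unverified install in the bootstrap, and it replaces the very tool that later enforces the hashes. Consider dropping that line and letting `pip install --require-hashes -r requirements/dev-requirements.txt` bring in the pinned versions. If the pip bundled with the venv turns out to be too old for that, pin the bootstrap version explicitly rather than upgrading to latest.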
@@ -19,13 +25,27 @@ safety: ## Runs `safety check` to check python dependencies for vulnerabilities
 || exit 1; \
 done
-.PHONY: update-pip-requirements
-update-pip-requirements: ## Updates all Python requirements files via pip-compile.
- pip-compile --generate-hashes --output-file requirements.txt requirements.in
+.PHONY: sync-requirements
+sync-requirements: ## Update dev-requirements.txt to pin to the same versions of prod dependencies
+ rm -r requirements/dev-requirements.txt && cp requirements/requirements.txt requirements/dev-requirements.txt
+ pip-compile --allow-unsafe --generate-hashes --output-file requirements/dev-requirements.txt requirements/requirements.in requirements/dev-requirements.in
+
+.PHONY: requirements
+requirements: ## Update *requirements.txt files if pinned versions do not comply with the dependency specifications in *requirements.in
+ pip-compile --generate-hashes --output-file requirements/requirements.txt requirements/requirements.in
+ $(MAKE) sync-requirements
+
+.PHONY: update-dependency
+update-dependency: ## Add or upgrade a package to the latest version that complies with the dependency specifications in requirements.in
+ pip-compile --generate-hashes --upgrade-package $(PACKAGE) --output-file requirements/requirements.txt requirements/requirements.in
+ $(MAKE) sync-requirements
-.PHONY: upgrade-pip
-upgrade-pip: ## Upgrade one single package via pip-compile
- pip-compile --generate-hashes --upgrade-package $(PACKAGE) --output-file requirements.txt requirements.in
+.PHONY: update-dev-only-dependencies
+update-dev-only-dependencies: ## Update dev-requirements.txt to pin to the latest versions of dev-only dependencies that comply with the dependency specifications in dev-requirements.in
+ $(MAKE) sync-requirements
+ @while read line; do \
+ pip-compile --allow-unsafe --generate-hashes --upgrade-package $file --output-file requirements/dev-requirements.txt requirements/requirements.in requirements/dev-requirements.in; \
+ done < 'requirements/dev-requirements.in'
 # Explaination of the below shell command should it ever break.
 # 1. Set the field separator to ": ##" and any make targets that might appear between : and ##
diff --git a/requirements.txt b/requirements.txt
deleted file mode 100644
index 3c896d549..000000000
--- a/requirements.txt
+++ /dev/null
@@ -1,9 +0,0 @@
-#
-# This file is autogenerated by pip-compile
-# To update, run:
-#
-# pip-compile --generate-hashes --output-file=requirements.txt requirements.in
-#
-redis==3.3.11 \
- --hash=sha256:3613daad9ce5951e426f460deddd5caf469e08a3af633e9578fc77d362becf62 \
- --hash=sha256:8d0fc278d3f5e1249967cba2eb4a5632d19e45ce5c09442b8422d15ee2c22cc2
diff --git a/build-requirements.txt b/requirements/build-requirements.txt
similarity index 100%
rename from build-requirements.txt
rename to requirements/build-requirements.txt
diff --git a/requirements/dev-requirements.in b/requirements/dev-requirements.in
new file mode 100644
index 000000000..2c2a9f384
--- /dev/null
+++ b/requirements/dev-requirements.in
@@ -0,0 +1 @@
+pip-tools
diff --git a/requirements/dev-requirements.txt b/requirements/dev-requirements.txt
new file mode 100644
index 000000000..51774d6bc
--- /dev/null
+++ b/requirements/dev-requirements.txt
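Review bot: In the Makefile's new `update-dev-only-dependencies` recipe the loop reads each entry into `line` but passes `$file` to `--upgrade-package`; Make expands `$file` itself as `$(f)ile`, so the shell most likely sees the literal `ile` and no dev-only pin is ever upgraded. The argument should be the shell variable, escaped for Make: `--upgrade-package "$$line"`, ideally with `read -r line`. As written, any blank or comment line in dev-requirements.in would also be handed to pip-compile as a package name, so the loop may need to skip those. Separately, `rm -r requirements/dev-requirements.txt &&` in `sync-requirements` fails when the file is absent and is redundant because `cp` overwrites; `cp` alone (or `rm -f`) is enough.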
@@ -0,0 +1,57 @@ +# +# This file is autogenerated by pip-compile with python 3.7 +# To update, run: +# +# pip-compile --allow-unsafe --generate-hashes --output-file=requirements/dev-requirements.txt requirements/dev-requirements.in requirements/requirements.in +# +click==8.0.1 \ + --hash=sha256:8c04c11192119b1ef78ea049e0a6f0463e4c48ef00a30160c704337586f3ad7a \ + --hash=sha256:fba402a4a47334742d782209a7c79bc448911afe1149d07bdabdf480b3e2f4b6 + # via pip-tools +importlib-metadata==4.6.4 \ + --hash=sha256:7b30a78db2922d78a6f47fb30683156a14f3c6aa5cc23f77cc8967e9ab2d002f \ + --hash=sha256:ed5157fef23a4bc4594615a0dd8eba94b2bb36bf2a343fa3d8bb2fa0a62a99d5 + # via + # click + # pep517 +pep517==0.11.0 \ + --hash=sha256:3fa6b85b9def7ba4de99fb7f96fe3f02e2d630df8aa2720a5cf3b183f087a738 \ + --hash=sha256:e1ba5dffa3a131387979a68ff3e391ac7d645be409216b961bc2efe6468ab0b2 + # via pip-tools +pip-tools==6.2.0 \ + --hash=sha256:77727ef7457d1865e61fe34c2b1439f9b971b570cc232616a22ce82ab89d357d \ + --hash=sha256:9ed38c73da4993e531694ea151f77048b4dbf2ba7b94c4a569daa39568cc6564 + # via -r requirements/dev-requirements.in +redis==3.3.11 \ + --hash=sha256:3613daad9ce5951e426f460deddd5caf469e08a3af633e9578fc77d362becf62 \ + --hash=sha256:8d0fc278d3f5e1249967cba2eb4a5632d19e45ce5c09442b8422d15ee2c22cc2 + # via -r requirements/requirements.in +tomli==1.2.1 \ + --hash=sha256:8dd0e9524d6f386271a36b41dbf6c57d8e32fd96fd22b6584679dc569d20899f \ + --hash=sha256:a5b75cb6f3968abb47af1b40c1819dc519ea82bcc065776a866e8d74c5ca9442 + # via pep517 +typing-extensions==3.10.0.0 \ + --hash=sha256:0ac0f89795dd19de6b97debb0c6af1c70987fd80a2d62d1958f7e56fcc31b497 \ + --hash=sha256:50b6f157849174217d0656f99dc82fe932884fb250826c18350e159ec6cdf342 \ + --hash=sha256:779383f6086d90c99ae41cf0ff39aac8a7937a9283ce0a414e5dd782f4c94a84 + # via importlib-metadata +wheel==0.37.0 \ + --hash=sha256:21014b2bd93c6d0034b6ba5d35e4eb284340e09d63c59aef6fc14b0f346146fd \ + 
--hash=sha256:e2ef7239991699e3355d54f8e968a21bb940a1dbf34a4d226741e64462516fad + # via pip-tools +zipp==3.5.0 \ + --hash=sha256:957cfda87797e389580cb8b9e3870841ca991e2125350677b2ca83a0e99390a3 \ + --hash=sha256:f5812b1e007e48cff63449a5e9f4e7ebea716b4111f9c4f9a645f91d579bf0c4 + # via + # importlib-metadata + # pep517 + +# The following packages are considered to be unsafe in a requirements file: +pip==21.2.4 \ + --hash=sha256:0eb8a1516c3d138ae8689c0c1a60fde7143310832f9dc77e11d8a4bc62de193b \ + --hash=sha256:fa9ebb85d3fd607617c0c44aca302b1b45d87f9c2a1649b46c26167ca4296323 + # via pip-tools +setuptools==57.4.0 \ + --hash=sha256:6bac238ffdf24e8806c61440e755192470352850f3419a52f26ffe0a1a64f465 \ + --hash=sha256:a49230977aa6cfb9d933614d2f7b79036e9945c4cdd7583163f4e920b83418d6 + # via pip-tools diff --git a/requirements.in b/requirements/requirements.in similarity index 100% rename from requirements.in rename to requirements/requirements.in diff --git a/requirements/requirements.txt b/requirements/requirements.txt new file mode 100644 index 000000000..5bf812bb7 --- /dev/null +++ b/requirements/requirements.txt @@ -0,0 +1,10 @@ +# +# This file is autogenerated by pip-compile with python 3.7 +# To update, run: +# +# pip-compile --generate-hashes --output-file=requirements/requirements.txt requirements/requirements.in +# +redis==3.3.11 \ + --hash=sha256:3613daad9ce5951e426f460deddd5caf469e08a3af633e9578fc77d362becf62 \ + --hash=sha256:8d0fc278d3f5e1249967cba2eb4a5632d19e45ce5c09442b8422d15ee2c22cc2 + # via -r requirements/requirements.in