I've heard that using encryption outside military use has been illegal for a long time in the USA.
However, I've also heard that when the regulation was updated, limits were put on encryption strength (such as key size by common algorithms such as AES).

Is this last statement true?

Josh
user2284570
    Nowadays the main restriction is that you need to notify some government institution before exporting strong crypto and tell them what you use. There used to be restrictions on the key size to 40 or 56 bits, but that never applied to AES since it was only developed after the restrictions were lifted. – CodesInChaos Apr 22 '14 at 21:40
  • @CodesInChaos : How do you legally define *"strong crypto"*? – user2284570 Apr 22 '14 at 21:42
  • @user2284570, the last I checked, the legal definition was that any cryptographic implementation that could be used to encrypt arbitrary content and permitted the use of keys was considered "strong" -- even the [Caesar cipher](https://en.wikipedia.org/wiki/Caesar_cipher) is considered strong, because the amount of shift can be considered a "key". – Mark Apr 23 '14 at 06:44

1 Answer

Roughly speaking, no, the last statement is not true.

See this site for extended information about laws on cryptography in the USA (the same site contains a lot of information for crypto laws in other countries as well).

AES accepts three sizes of keys: 128, 192 and 256 bits. The smallest of the three is already way beyond that which can be broken through brute force (see this answer), so if the USA are "putting limits on encryption strength" then they are not doing a good job of it. In fact, AES has three different key sizes mostly for compliance with inflexible (and old) US military regulations which call for three different "security levels". That kind of regulation made sense in the pre-computer era, when you had to choose between security and efficiency (there was no known cryptographic algorithm at that time which would be both secure and sufficiently practical for generalized field usage). Since none of these regulations states that the "low level" has to actually be weak, NIST went for three key sizes, the smallest being already large enough to defeat Earth-based attackers.

Generally speaking, US laws are mostly about export, not domestic usage. There used to be a ban on large key lengths (and that one enforced key lengths small enough to be practically broken). Things have changed, though; the current state of US laws is that they don't depend much on key length. This relates to the growing realization from the US lawmakers that trying to enforce a ban on strong crypto is unlikely to work; having a system which keeps track of existing products is a better idea, and making all these products "legal" can only help.

Thomas Pornin